TRUSTED_BY

Summary

FSProtect ACL Alias

TRUSTED_BY

Affected Object Types

Domains

Exploitation Certainty

Unlikely

Description

The TRUSTED_BY permission in Active Directory establishes a trust relationship where an account or system is explicitly recognized as reliable by another domain (or security principal). This trust designation is crucial for inter-domain authentication, delegated access, and secure interactions between systems, ensuring seamless collaboration while maintaining security boundaries. Proper configuration of the TRUSTED_BY permission allows for controlled delegation of access rights, reducing redundant authentication prompts and streamlining cross-domain operations.

However, if misconfigured, the TRUSTED_BY permission can introduce significant security vulnerabilities. An attacker who exploits this trust relationship could abuse the trust to impersonate trusted accounts, escalate privileges, or bypass access controls within the trusted environment. Such exploitation might enable unauthorized access to sensitive systems, facilitate credential theft, and lead to widespread compromise of interconnected domains.

Identification

PowerShell

Active Directory Module

Using the ActiveDirectory PowerShell module, you can enumerate TRUSTED_BY entries.

1. Find-ADTrusts function

2. Get all domain trusts

function Find-ADTrusts {
    [CmdletBinding()]
    param([string]$OutputPath = ".\ADTrusts.csv")
    try { $trusts = Get-ADTrust -Filter * -Properties Name,Direction,Source,TrustType}
    catch {Write-Error "Failed to enumerate trusts: $($_.Exception.Message)"; return}
    $rows = foreach ($t in $trusts) {
        [pscustomobject]@{
            Source    = $t.Source
            Name      = $t.Name
            Direction = $t.Direction
            Type      = $t.TrustType
        }
    }
    if ($rows) { $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 ; $rows }
    else { Write-Host "No trust objects found." }
}

.NET Directory Services

By leveraging PowerShell’s built-in .NET DirectoryServices namespace, you can enumerate TRUSTED_BY entries without relying on any external modules or dependencies.

1. Find-ADTrustSimple function

function Find-ADTrustSimple {
    [CmdletBinding()]
    param([string]$OutputPath = ".\ADTrusts.csv")
    try {
        $baseDN     = ([ADSI]"LDAP://RootDSE").defaultNamingContext
        $searchRoot = [ADSI]("LDAP://CN=System,$baseDN")
        $ds = [System.DirectoryServices.DirectorySearcher]::new($searchRoot)
        $ds.Filter = "(objectClass=trustedDomain)"; $ds.PageSize = 1000
        foreach ($p in "name","trustDirection","trustType") { [void]$ds.PropertiesToLoad.Add($p) }
        $src = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN } else { ($baseDN -replace 'DC=','' -replace ',','.') }
        $rows = foreach ($r in $ds.FindAll()) {
            $p = $r.Properties
            [pscustomobject]@{
                Source    = $src
                Name      = $p["name"][0]
                Direction = if ($p["trustdirection"]) { @("Disabled","Inbound","Outbound","Bidirectional")[[int]$p["trustdirection"][0]] } else { "Unknown" }
                Type      = if ($p["trusttype"]) { switch([int]$p["trusttype"][0]) { 1{"Downlevel"} 2{"Uplevel"} 3{"MIT"} 4{"DCE"} default{"Unknown"} } } else { "Unknown" }
            }
        }
    } catch { Write-Error "LDAP enumeration failed: $($_.Exception.Message)"; return }
    if ($rows) { $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8; $rows }
    else { Write-Host "No trust objects found." }}

2. Get all domain trusts

Find-ADTrustSimple

Active Directory Domains and Trusts

1. Open Active Directory Domains and Trusts.

2. Click on your domain.

3. You can see trusted domains in the list

4. Click OK to close the dialogs.

Exploitation

The TRUSTED_BY relationship is a trust link between two domains. It does not directly grant privileges, but it enables accounts in one domain to be recognized and authenticated by another.

References

PreviousSyncLAPSPassword NextWrite

Last updated 1 month ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagActive Directory Module

hashtag.NET Directory Services

hashtagActive Directory Domains and Trusts

hashtagExploitation

hashtagReferences