> For the complete documentation index, see [llms.txt](https://docs.forestall.io/fsprotect/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.forestall.io/fsprotect/edges/ad/trusted_by.md). # TRUSTED\_BY ## Summary | | | | -------------------------- | ----------- | | **FSProtect ACL Alias** | TRUSTED\_BY | | **Affected Object Types** | Domains | | **Exploitation Certainty** | Unlikely | ## Description The `TRUSTED_BY` permission in Active Directory establishes a trust relationship where an account or system is explicitly recognized as reliable by another domain (or security principal). This trust designation is crucial for inter-domain authentication, delegated access, and secure interactions between systems, ensuring seamless collaboration while maintaining security boundaries. Proper configuration of the `TRUSTED_BY` permission allows for controlled delegation of access rights, reducing redundant authentication prompts and streamlining cross-domain operations. However, if misconfigured, the `TRUSTED_BY` permission can introduce significant security vulnerabilities. An attacker who exploits this trust relationship could abuse the trust to impersonate trusted accounts, escalate privileges, or bypass access controls within the trusted environment. Such exploitation might enable unauthorized access to sensitive systems, facilitate credential theft, and lead to widespread compromise of interconnected domains. ## Identification ### PowerShell #### Active Directory Module Using the ActiveDirectory PowerShell module, you can enumerate `TRUSTED_BY` entries. **1.** Find-ADTrusts function **2.** Get all domain trusts ```powershell function Find-ADTrusts { [CmdletBinding()] param([string]$OutputPath = ".\ADTrusts.csv") try { $trusts = Get-ADTrust -Filter * -Properties Name,Direction,Source,TrustType} catch {Write-Error "Failed to enumerate trusts: $($_.Exception.Message)"; return} $rows = foreach ($t in $trusts) { [pscustomobject]@{ Source = $t.Source Name = $t.Name Direction = $t.Direction Type = $t.TrustType } } if ($rows) { $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 ; $rows } else { Write-Host "No trust objects found." } } ``` #### .NET Directory Services By leveraging PowerShell’s built-in .NET DirectoryServices namespace, you can enumerate `TRUSTED_BY` entries without relying on any external modules or dependencies. **1.** Find-ADTrustSimple function ```powershell function Find-ADTrustSimple { [CmdletBinding()] param([string]$OutputPath = ".\ADTrusts.csv") try { $baseDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext $searchRoot = [ADSI]("LDAP://CN=System,$baseDN") $ds = [System.DirectoryServices.DirectorySearcher]::new($searchRoot) $ds.Filter = "(objectClass=trustedDomain)"; $ds.PageSize = 1000 foreach ($p in "name","trustDirection","trustType") { [void]$ds.PropertiesToLoad.Add($p) } $src = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN } else { ($baseDN -replace 'DC=','' -replace ',','.') } $rows = foreach ($r in $ds.FindAll()) { $p = $r.Properties [pscustomobject]@{ Source = $src Name = $p["name"][0] Direction = if ($p["trustdirection"]) { @("Disabled","Inbound","Outbound","Bidirectional")[[int]$p["trustdirection"][0]] } else { "Unknown" } Type = if ($p["trusttype"]) { switch([int]$p["trusttype"][0]) { 1{"Downlevel"} 2{"Uplevel"} 3{"MIT"} 4{"DCE"} default{"Unknown"} } } else { "Unknown" } } } } catch { Write-Error "LDAP enumeration failed: $($_.Exception.Message)"; return } if ($rows) { $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8; $rows } else { Write-Host "No trust objects found." }} ``` **2.** Get all domain trusts ```powershell Find-ADTrustSimple ``` ### Active Directory Domains and Trusts **1.** Open `Active Directory Domains and Trusts`. **2.** Click on your domain. **3.** You can see trusted domains in the list **4.** Click OK to close the dialogs. ![Active Directory Domains and Trusts](/files/AIDlodb9L5OotDVIYJu1) ## Exploitation The `TRUSTED_BY` relationship is a trust link between two domains. It does not directly grant privileges, but it enables accounts in one domain to be recognized and authenticated by another. ## References * [Trusts - The Hacker Recipes](https://www.thehacker.recipes/ad/movement/trusts/) * [Forest trusts in Microsoft Entra Domain Services](https://learn.microsoft.com/en-us/entra/identity/domain-services/concepts-forest-trust) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.forestall.io/fsprotect/edges/ad/trusted_by.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.