TRUSTED_BY
Summary
FSProtect ACL Alias: TRUSTED_BY
Affected Object Types: Domains
Exploitation Certainty: Unlikely
Description
The TRUSTED_BY permission in Active Directory records a trust relationship in which an account or system is explicitly recognized as reliable by another domain (or security principal). This trust designation underpins inter-domain authentication, delegated access, and secure interactions between systems, allowing collaboration across domains while maintaining security boundaries. Proper configuration of the TRUSTED_BY permission allows controlled delegation of access rights, reduces redundant authentication prompts, and streamlines cross-domain operations.
However, if misconfigured, the TRUSTED_BY permission can introduce significant security weaknesses. An attacker who abuses the trust relationship could impersonate trusted accounts, escalate privileges, or bypass access controls within the trusting environment. Such abuse might enable unauthorized access to sensitive systems, facilitate credential theft, and lead to widespread compromise of interconnected domains.
Identification
PowerShell
Active Directory Module
Using the ActiveDirectory PowerShell module, you can enumerate TRUSTED_BY entries.
1. Find-ADTrusts function
function Find-ADTrusts {
    [CmdletBinding()]
    param([string]$OutputPath = ".\ADTrusts.csv")
    try {
        # Requires the RSAT ActiveDirectory module; fail early if it is not available.
        Import-Module ActiveDirectory -ErrorAction Stop
        $trusts = Get-ADTrust -Filter * -Properties Name,Direction,Source,TrustType
    }
    catch { Write-Error "Failed to enumerate trusts: $($_.Exception.Message)"; return }
    # One row per trust object: which domain holds it, its name, direction and type.
    $rows = foreach ($t in $trusts) {
        [pscustomobject]@{
            Source    = $t.Source
            Name      = $t.Name
            Direction = $t.Direction
            Type      = $t.TrustType
        }
    }
    if ($rows) { $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8; $rows }
    else { Write-Host "No trust objects found." }
}
2. Get all domain trusts
Find-ADTrusts
.NET Directory Services
By leveraging PowerShell's built-in .NET DirectoryServices namespace, you can enumerate TRUSTED_BY entries without relying on any external modules or dependencies.
1. Find-ADTrustSimple function
function Find-ADTrustSimple {
    [CmdletBinding()]
    param([string]$OutputPath = ".\ADTrusts.csv")
    try {
        # Trust objects live under CN=System in the domain naming context.
        $baseDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext
        $searchRoot = [ADSI]("LDAP://CN=System,$baseDN")
        $ds = [System.DirectoryServices.DirectorySearcher]::new($searchRoot)
        $ds.Filter = "(objectClass=trustedDomain)"; $ds.PageSize = 1000
        foreach ($p in "name","trustDirection","trustType") { [void]$ds.PropertiesToLoad.Add($p) }
        # Source domain: prefer the environment, otherwise derive it from the naming context.
        $src = if ($env:USERDNSDOMAIN) { $env:USERDNSDOMAIN } else { ($baseDN -replace 'DC=','' -replace ',','.') }
        $rows = foreach ($r in $ds.FindAll()) {
            $p = $r.Properties
            [pscustomobject]@{
                Source    = $src
                Name      = $p["name"][0]
                # trustDirection: 0 = Disabled, 1 = Inbound, 2 = Outbound, 3 = Bidirectional
                Direction = if ($p["trustdirection"]) { @("Disabled","Inbound","Outbound","Bidirectional")[[int]$p["trustdirection"][0]] } else { "Unknown" }
                # trustType: 1 = Downlevel (NT), 2 = Uplevel (AD), 3 = MIT Kerberos, 4 = DCE
                Type      = if ($p["trusttype"]) { switch ([int]$p["trusttype"][0]) { 1 {"Downlevel"} 2 {"Uplevel"} 3 {"MIT"} 4 {"DCE"} default {"Unknown"} } } else { "Unknown" }
            }
        }
    } catch { Write-Error "LDAP enumeration failed: $($_.Exception.Message)"; return }
    if ($rows) { $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8; $rows }
    else { Write-Host "No trust objects found." }
}
2. Get all domain trusts
Find-ADTrustSimple
Active Directory Domains and Trusts
1. Open Active Directory Domains and Trusts.
2. Click on your domain.
3. You can see trusted domains in the list.
4. Click OK to close the dialogs.
Exploitation
The TRUSTED_BY relationship is a trust link between two domains. It does not directly grant privileges, but it enables accounts in one domain to be recognized and authenticated by another.
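How much of that recognition a trust actually extends is governed by the trustAttributes bits on the same trustedDomain objects the .NET enumeration above reads. The following is an added example, not code from the original page: it decodes those bits (values from the TRUST_ATTRIBUTE_* constants in MS-ADTS 6.1.6.7.9) and reports the settings a reviewer would want to harden; the function names and the sample value are assumptions made for this example.

```powershell
# Added example, not part of the original page: decode trustAttributes on trustedDomain
# objects and report the settings that limit what a trusted domain's principals can do here.
# Bit values follow the TRUST_ATTRIBUTE_* constants in MS-ADTS 6.1.6.7.9.
$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE      = 0x01
    UPLEVEL_ONLY        = 0x02
    QUARANTINED_DOMAIN  = 0x04   # SID filtering enforced on this trust
    FOREST_TRANSITIVE   = 0x08
    CROSS_ORGANIZATION  = 0x10   # selective authentication required
    WITHIN_FOREST       = 0x20
    TREAT_AS_EXTERNAL   = 0x40
    USES_RC4_ENCRYPTION = 0x80
}

function Test-TrustHardening {
    # Pure function (hypothetical name): takes the raw integer so it can be checked offline.
    param([Parameter(Mandatory)][int]$TrustAttributes, [string]$Name = '<trust>')
    $set = @(foreach ($k in $TrustAttributeFlags.Keys) {
        if ($TrustAttributes -band $TrustAttributeFlags[$k]) { $k }
    })
    $findings = @()
    $outsideForest = $set -notcontains 'WITHIN_FOREST'
    if ($outsideForest -and $set -notcontains 'FOREST_TRANSITIVE' -and $set -notcontains 'QUARANTINED_DOMAIN') {
        $findings += 'External trust without SID filtering: SID history from the trusted domain is honoured'
    }
    if ($outsideForest -and $set -notcontains 'CROSS_ORGANIZATION') {
        $findings += 'Selective authentication off: every authenticated user of the trusted domain is accepted'
    }
    if ($set -contains 'USES_RC4_ENCRYPTION') {
        $findings += 'RC4 permitted for inter-realm Kerberos tickets'
    }
    [pscustomobject]@{ Name = $Name; TrustAttributes = ('0x{0:X}' -f $TrustAttributes); Flags = $set; Findings = $findings }
}

function Get-TrustHardeningReport {
    # Live query (hypothetical name): same CN=System search as the page, with trustAttributes loaded too.
    $baseDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $ds = [System.DirectoryServices.DirectorySearcher]::new([ADSI]"LDAP://CN=System,$baseDN")
    $ds.Filter = '(objectClass=trustedDomain)'
    foreach ($p in 'name','trustAttributes') { [void]$ds.PropertiesToLoad.Add($p) }
    foreach ($r in $ds.FindAll()) {
        Test-TrustHardening -Name $r.Properties['name'][0] -TrustAttributes ([int]$r.Properties['trustattributes'][0])
    }
}

# Constructed sample (no directory needed): a forest trust that still allows RC4 (0x08 -bor 0x80).
Test-TrustHardening -Name 'constructed.example' -TrustAttributes 0x88
```

Run Get-TrustHardeningReport on a domain-joined host to apply the same checks to every trust the domain holds; trusts with an empty Findings list carry SID filtering and selective authentication as expected.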