Module 18

Question 1

What is the primary purpose of a trust relationship in Active Directory?

Answer 1

To allow one forest or domain to share its resources with another.

Question 2

A two-way, transitive trust that is automatically created when a new domain is added to an existing tree is known as a _____ trust.

Answer 2

Parent/Child

Question 3

What type of trust is a two-way, transitive trust automatically created when a new domain tree is added to an existing forest?

Answer 3

Tree-Root Trust.

Question 4

What is an External Trust in Active Directory?

Answer 4

A one or two-way, non-transitive trust that enables resource sharing between domains in different forests.

Question 5

A _____ trust is a one or two-way transitive trust that enables resources to be shared between different forests.

Answer 5

Forest

Question 6

In the context of AD trusts, what does ‘transitivity’ determine?

Answer 6

Whether the trust relationship extends beyond the two domains or forests with which it was explicitly formed.

Question 7

If Domain A transitively trusts Domain B, and Domain B transitively trusts Domain C, what is the resulting trust relationship between Domain A and Domain C?

Answer 7

Domain A implicitly trusts Domain C.

Question 8

What is the key difference in access permissions between a one-way and a two-way trust?

Answer 8

A one-way trust allows access in one direction, while a two-way trust allows access in both directions.

Question 9

Confusingly, the direction of a trust is _____ to the direction of access.

Answer 9

opposite

Question 10

In a one-way trust from Domain A to Domain B allowing A’s users to access B’s resources, which domain is the ‘trusting’ domain and which is the ‘trusted’?

Answer 10

Domain A is the ‘trusting’ domain, and Domain B is the ‘trusted’ domain.

Question 11

How are two-way trusts actually implemented in Active Directory?

Answer 11

They are implemented as two separate one-way trusts in opposite directions.

Question 12

What is a Trusted Domain Object (TDO) in Active Directory?

Answer 12

An object in Active Directory that stores information about a trust relationship, including its type, transitivity, and shared password.

Question 13

How often does the primary domain controller in the trusting domain change the TDO password?

Answer 13

Every 30 days.

Question 14

What LDAP object class can be queried to read information about trust relationships?

Answer 14

The trustedDomain object class.

Question 15

In a TDO, what does the trustDirection attribute value of ‘1’ signify?

Answer 15

TRUST_DIRECTION_INBOUND.

Question 16

In a TDO, what does the trustDirection attribute value of ‘2’ signify?

Answer 16

TRUST_DIRECTION_OUTBOUND.

Question 17

What does a trustDirection value of ‘3’ on a TDO indicate?

Answer 17

The trust is bidirectional (TRUST_DIRECTION_BIDIRECTIONAL).

Question 18

The trustAttributes flag of ‘1’ on a TDO indicates what property?

Answer 18

The trust is non-transitive (TRUST_ATTRIBUTE_NON_TRANSITIVE).

Question 19

What does the trustAttributes flag of ‘8’ on a TDO signify?

Answer 19

The trust is transitive between two forests (TRUST_ATTRIBUTE_FOREST_TRANSITIVE).

Question 20

A trustAttributes flag of ‘32’ on a TDO indicates that the trust is _____.

Answer 20

between two domains in the same forest (TRUST_ATTRIBUTE_WITHIN_FOREST)

Question 21

What is the official security boundary in an Active Directory environment?

Answer 21

The forest level.

Question 22

Why can’t TGTs issued in one realm be decrypted by another realm’s KDC in a trust scenario?

Answer 22

Because the trusting realm does not have access to the trusted realm’s krbtgt secret key.

Question 23

What cryptographic component bridges the gap for Kerberos authentication between two different realms?

Answer 23

An inter-realm key.

Question 24

What type of Kerberos ticket does a KDC return when a client requests a service in a different, trusted realm?

Answer 24

An inter-realm TGT, also known as a referral ticket.

Question 25

An inter-realm TGT is issued by the trusted realm's KDC but is encrypted using the _____ instead of the krbtgt secret.

Answer 25

shared inter-realm key

Question 26

When a client receives an inter-realm TGT, what is the SPN set to in the ticket?

Answer 26

The `krbtgt` service of the trusting realm.

Question 27

After receiving an inter-realm TGT, where does the client send its next TGS-REQ?

Answer 27

Directly to the KDC of the trusting realm.

Question 28

What kind of account is created to represent the ticket-granting service of a trusting realm within a trusted realm's KDC?

Answer 28

A trust account, typically named after the flat name of the opposing realm (e.g., PARTNER$).

Question 29

What `samAccountType` value corresponds to a trust account in Active Directory?

Answer 29

`SAM_TRUST_ACCOUNT` (805306370).

Question 30

In a trust relationship, where is the shared inter-realm key stored from the perspective of the trusted domain?

Answer 30

It is used as the password for the trust account (e.g., `PARTNER$`).

Question 31

In a trust relationship, where is the shared inter-realm key stored from the perspective of the trusting domain?

Answer 31

Inside the Trusted Domain Object (TDO).

Question 32

What privilege escalation path exists if an adversary gains domain admin in a child domain?

Answer 32

They can elevate their privileges to that of an enterprise admin in the forest root.

Question 33

What ticket attribute, designed for migration scenarios, can be abused to escalate privileges from a child to a parent domain?

Answer 33

SID History.

Question 34

In a parent/child trust abuse scenario, what SID is typically added to a forged golden ticket's SID History?

Answer 34

The SID of a privileged group in the parent domain, such as the Enterprise Admins group.

Question 35

When forging a golden ticket to attack a parent domain, which domain's `krbtgt` hash is required?

Answer 35

The AES hash of the child domain's `krbtgt` account.

Question 36

What does the `/sids` parameter specify in the Rubeus golden ticket command for a parent/child trust attack?

Answer 36

A list of SIDs to be included in the ticket's SID history, specifically the SID of a privileged parent domain group.

Question 37

What mechanism in external and forest trusts prevents SID History abuse by ignoring SIDs not native to the trusting domain?

Answer 37

SID filtering.

Question 38

What special AD container holds `foreignSecurityPrincipal` objects representing principals from external trusted domains?

Answer 38

The Foreign Security Principals Container.

Question 39

When attacking a one-way inbound trust from the trusted side, what is the primary adversarial strategy?

Answer 39

To find and impersonate principals from the trusted domain that have legitimate access to resources in the trusting domain.

Question 40

When enumerating a trusting domain from a trusted domain, how can you identify which foreign security principals have been granted permissions?

Answer 40

By querying the `foreignSecurityPrincipal` object class in the trusting domain and checking the `memberOf` attribute.

Question 41

When attacking a one-way inbound trust from the trusted domain, how can an adversary obtain the inter-realm key?

Answer 41

By dumping the credentials for the associated trust account (e.g., `CONTOSO\PARTNER$`) via DCSync.

Question 42

What Rubeus command is used to forge an inter-realm TGT (referral ticket) using a known inter-realm key?

Answer 42

The `silver` command.

Question 43

When using `rubeus silver` to forge an inter-realm TGT, what should the `/service` parameter be set to?

Answer 43

The `krbtgt` service of the trusting domain (e.g., `krbtgt/partner.com`).

Question 44

After forging an inter-realm TGT, what Rubeus command is used to request a service ticket from the trusting domain?

Answer 44

The `asktgs` command.

Question 45

What does the `/ticket` parameter specify in the `rubeus asktgs` command?

Answer 45

The forged inter-realm TGT that will be used to request the service ticket.

Question 46

When on the trusting side of a one-way outbound trust, why does attempting to enumerate the trusted domain typically fail?

Answer 46

Because you are against the direction of access, and the local KDC has no referral information for the foreign domain.

Question 47

What Kerberos error is typically returned when a user on the trusting side of a one-way trust requests a ticket for the trusted domain?

Answer 47

`KDC_ERR_S_PRINCIPAL_UNKNOWN`.

Question 48

From the trusting side of a one-way trust, how can an adversary obtain the inter-realm key?

Answer 48

By dumping the key from the local Trusted Domain Object (TDO) using its `objectGUID` with `mimikatz lsadump::dcsync`.

Question 49

What Rubeus command allows an adversary on the trusting side to get a TGT from the trusted domain using the inter-realm key?

Answer 49

The `asktgt` command.

Question 50

When using `rubeus asktgt` to attack a trusted domain from the trusting side, what user should be specified with `/user`?

Answer 50

The trust account name (e.g., `PARTNER$`).

Question 51

After obtaining a TGT for the trust account, why is it possible to enumerate the trusted domain?

Answer 51

Because the trust account's `primaryGroupID` is 513 (Domain Users), granting it default enumeration privileges.