Parent / Child

When a child domain is added to a forest, it automatically creates a transitive, two-way trust with its parent.

```powershell
Get-DomainTrust
```

```
SourceName      : dev.cyberbotic.io
TargetName      : cyberbotic.io
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
```

- SourceName is the current domain.
- TargetName is the foreign domain.
- TrustDirection is the direction of the trust (Bidirectional means two-way).
- TrustAttributes: WITHIN_FOREST indicates that both domains are part of the same forest, which implies a parent/child relationship.

If we have Domain Admin privileges in the child, we can also gain Domain Admin privileges in the parent using a TGT with a special attribute called SID History.

The process is the same as creating Golden Tickets previously; the only additional information required is the SID of a target group in the parent domain.

Get the SID of the target group in the parent domain:

```powershell
Get-DomainGroup -Identity "Domain Admins" -Domain cyberbotic.io -Properties ObjectSid
```

```
S-1-5-21-2594061375-675613155-814674916-512
```

Find a domain admin to impersonate.

Create the golden ticket with Rubeus on the attacker machine.

Then import it into a logon session and use it to access the domain controller in the parent.
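As an added example that is not part of the original notes, a defender-side check for the ticket described above: given a logon record's account SID and the group SIDs it presented (constructed sample records, assumed to come from a logon or PAC audit source), flag privileged RIDs that belong to a domain other than the account's own, which is exactly what a child-domain TGT carrying the parent's Domain Admins SID in SID History looks like. The well-known RID values and the domain SID layout are standard; the child-domain identifier and user names are invented for the sample.

```python
import re

# Privileged RIDs (the final SID component); one of these arriving from a foreign domain is suspicious.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SIDs look like S-1-5-21-<three sub-authorities>-<RID>; well-known and BUILTIN SIDs
# (e.g. S-1-5-32-545) carry no domain identifier and are ignored by the check.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_identifier, rid) for a domain SID, or None for non-domain SIDs."""
    match = DOMAIN_SID_RE.match(sid)
    return (match.group(1), int(match.group(2))) if match else None

def find_cross_domain_privilege(account_sid, group_sids):
    """List (sid, group_name) for privileged groups whose domain differs from the account's own."""
    # A child-domain account presenting the parent's RID-512 SID is the signature of SID History
    # injection; the same RID inside the account's own domain is ordinary membership.
    own = split_sid(account_sid)
    if own is None:
        return []
    hits = []
    for sid in group_sids:
        parsed = split_sid(sid)
        if parsed and parsed[0] != own[0] and parsed[1] in PRIVILEGED_RIDS:
            hits.append((sid, PRIVILEGED_RIDS[parsed[1]]))
    return hits

def review_logons(logons):
    """Return [(user, hits)] for every logon record that carries a foreign privileged SID."""
    alerts = []
    for logon in logons:
        hits = find_cross_domain_privilege(logon["sid"], logon["groups"])
        if hits:
            alerts.append((logon["user"], hits))
    return alerts

# Constructed sample data (not real logs): a child-domain identifier invented for this example
# plus the parent Domain Admins SID quoted on the page.
CHILD_DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"
PARENT_DOMAIN_ADMINS = "S-1-5-21-2594061375-675613155-814674916-512"
SAMPLE_LOGONS = [
    {"user": "dev\\alice", "sid": CHILD_DOMAIN + "-1104",
     "groups": [CHILD_DOMAIN + "-513", "S-1-5-32-545", PARENT_DOMAIN_ADMINS]},
    {"user": "dev\\bob", "sid": CHILD_DOMAIN + "-1105",
     "groups": [CHILD_DOMAIN + "-513", CHILD_DOMAIN + "-512"]},
]
```

Enterprise Admins (RID 519) is a universal group, so a child-domain account can legitimately belong to it; compare any 519 hit against the directory's real membership before treating it as forged.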

Diamond Ticket

The Rubeus diamond command also has a /sids parameter, with which we can supply the extra SIDs we want in our ticket.
