Read as
Why this module exists. AD trusts are the plumbing of federation between domains and forests — and almost every late-stage AD compromise involves moving across a trust the defender did not know existed or did not know the security properties of. This module is the practitioner-level taxonomy of trust types (parent-child, tree-root, shortcut, external, forest, realm), their default security properties, and the modern attack patterns that abuse each.
Why this module exists. AD has six distinct trust types. Each has different transitivity, SID Filtering defaults, Kerberos behaviour, and attacker-reachable abuse pattern. The median Indian-bank AD environment we audit has at least one trust whose properties the owning team cannot explain. This module is the missing reference.
The six trust types — at a glance
| Type | When created | Transitive? | SID Filter default |
|---|---|---|---|
| Parent-child | Automatic when child domain added to forest | Yes | OFF |
| Tree-root | Automatic when new tree added to existing forest | Yes | OFF |
| Shortcut | Manual; optimises auth path in large forests | Yes | OFF |
| External | Manual; domain ↔ domain across forests | No | ON |
| Forest | Manual; forest ↔ forest, all domains | Yes (within forest) | ON |
| Realm | Manual; AD ↔ non-AD Kerberos realm (MIT/Heimdal) | Configurable | N/A |
Need a real pentest?
Get a VAPT scoping call
Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.
Book VAPT scoping call
Replies in 4 working hrs · India-only · Senior consultants