account$ (that's present on the trusted domain) password hash.
first.local does not trust
first.local. Or, simply put, it's possible to access resources from second.local, but not the other way around.
second.local domain is compromised and domain admin privileges are obtained.
first.local is a trusted domain trusted by the trusting domain second.local, the trust account second$ (in the domain first.local) will be created.
first.local\second$ is the trust account we want to and CAN compromise from the second.local domain, assuming we have domain admin privileges there.
first.local from the trusting domain:
first.local\second$ if we have domain admin privileges on
first.local\second$ and reveal its password hash, we can use mimikatz like so:
second.local line - this is the NTLM hash for the first.local\second$ trust account, capture it.
first.local\second$, we can request its TGT from
second-dc.second.local, we have a TGT for first.local\second$ committed to memory and we can now start enumerating resources on first.local - and this concludes the technique, showing that it's possible to access resources on a trusted domain (as a low privileged user), given the trusting domain is compromised: