If a person has admin rights on AD, he can compromise the whole forest (Reference: https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/).
In order to do that, that person needs to enable SID History via this command: "netdom trust /d:forest-a.local forest-b.local /enablesidhistory:yes". That changes the parameter TATE (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL), 0x00000040.
I found this information on the Microsoft site: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c
So my question is: how can I monitor changes to that parameter? In which file is this parameter located?
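
Added example, not part of the original question: the 0x00000040 bit is one flag in the `trustAttributes` value documented on the linked MS-ADTS page, so one way to watch it is to compare periodic snapshots of that value for each trust. The snapshot dictionaries and trust names below are constructed, and how the values are exported from the directory is assumed and not shown.

```python
# Flag values follow the trustAttributes table in MS-ADTS (names shortened).
TRUST_FLAGS = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL",   # TATE, the bit the question asks about
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
TATE = 0x040


def decode(value):
    """Return the names of the flags set in a trustAttributes integer, in bit order."""
    names = [name for bit, name in TRUST_FLAGS.items() if value & bit]
    unknown = value & ~sum(TRUST_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def diff_trusts(baseline, current):
    """Compare two {trust partner: trustAttributes} snapshots and list the changes."""
    findings = []
    for partner in sorted(set(baseline) | set(current)):
        old, new = baseline.get(partner, 0), current.get(partner, 0)
        if partner in baseline and partner in current and old == new:
            continue
        findings.append({
            "partner": partner,
            "added": decode(new & ~old),
            "removed": decode(old & ~new),
            "tate_newly_set": bool(new & ~old & TATE),
        })
    return findings


if __name__ == "__main__":
    # Constructed snapshots: a forest trust before and after /enablesidhistory:yes.
    before = {"forest-b.local": 0x08}
    after = {"forest-b.local": 0x48}
    for finding in diff_trusts(before, after):
        print(finding)
```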