search
NetExec GithubNetexec Lab
githubEdit

🆕Abuse Domain Trust: Raisechild

Abuses an intra-forest transitive trust (child ↔ parent) to forge a Golden Ticket containing an extra SID from the other domain (e.g. Enterprise Admins). This allows authenticating to the target domain with elevated privileges.

Works child → parent and parent → child.

hashtag
What it does

  1. Detects the corresponding intra-forest trust (trustedDomain + inbound/bidirectional).

  2. Retrieves the local domain SID (child or parent depending on where the module is executed).

  3. Forges a TGT and injects an extra SID from the other domain (parent or child).

  4. Saves the ticket as <USER>.ccache.

Windows Server 2025 disables RC4 by default — AES support in this module allows forging tickets anyway.

hashtag
Important Requirements

hashtag
The targeted user must exist in BOTH domains

Since modern Windows checks the user in the PAC, the username must be valid in both the source and target domain.

hashtag
USER_ID must match the RID of the user in the domain where raisechild is run

Example: running the module from the child domain with user test123:

Domain
User
RID

Child

test123

1111

Parent

test123

1001

You must specify:

If running from the parent, you must instead specify:

The RID must always correspond to the domain whose krbtgt key is used to forge the ticket.

hashtag
Module Options

Option
Description
Default

USER

User to impersonate (must exist in both domains)

Administrator

USER_ID

RID of USER in the current domain

500

RID

Extra SID RID injected from the other domain

519 (Enterprise Admins)

ETYPE

rc4 / aes128 / aes256

rc4

hashtag
Usage Examples

Forge a basic Golden Ticket:

Using a specific account:

Using AES256:

Change the injected extra SID:

hashtag
Using the forged ticket

Then authenticate to the target domain:

Raisechild Module

---

PreviousList DC IP / Enum TrustNextEnumerate Domain Trusts

Last updated

Was this helpful?