Domain administrators may use this command-line utility for legitimate information-gathering purposes, but it is not common in environments with Windows Server 2012 and newer.

Sample rules

Enumerating Domain Trusts via NLTEST.EXE

Description

Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
    process.name : "nltest.exe" and process.args : (
        "/DCLIST:*", "/DCNAME:*", "/DSGET*",
        "/LSAQUERYFTI:*", "/PARENTDOMAIN",
        "/DOMAIN_TRUSTS", "/BDC_QUERY:*"
    ) and
    not process.parent.name : "PDQInventoryScanner.exe" and
    not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20")

Enumerating Domain Trusts via DSQUERY.EXE

Description

Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
    (process.name : "dsquery.exe" or ?process.pe.original_file_name : "dsquery.exe") and
    process.args : "*objectClass=trustedDomain*"
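To make the exclusions in both rules concrete, here is an added Python re-implementation of the two detection queries run over constructed process-start events (example code written for this page, not the rule authors' own; the event dictionaries, ids and the `evaluate` helper are assumptions, and EQL's case-insensitive `:` match is approximated with a lowered glob). It shows an nltest run from an interactive shell firing while the PDQ-parented and SYSTEM-launched runs are suppressed, and a renamed dsquery binary still caught through its PE original filename.

```python
import fnmatch

# Wildcard patterns copied from the two sample rules above. EQL's ":" operator
# is a case-insensitive glob, which fnmatchcase on lowered strings mimics.
NLTEST_ARGS = ("/DCLIST:*", "/DCNAME:*", "/DSGET*", "/LSAQUERYFTI:*",
               "/PARENTDOMAIN", "/DOMAIN_TRUSTS", "/BDC_QUERY:*")
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")  # SYSTEM, LOCAL/NETWORK SERVICE
DSQUERY_ARG = "*objectClass=trustedDomain*"


def glob(value, pattern):
    """Case-insensitive glob match; a missing field (None) never matches."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def windows_start(ev):
    return ev.get("host.os.type") == "windows" and ev.get("event.type") == "start"


def nltest_trust_enum(ev):
    """Rule 1: nltest.exe trust discovery, minus the inventory-scanner parent
    and the three well-known service SIDs (the rule's false-positive filters)."""
    if not (windows_start(ev) and glob(ev.get("process.name"), "nltest.exe")):
        return False
    if not any(glob(a, p) for a in ev.get("process.args", []) for p in NLTEST_ARGS):
        return False
    if glob(ev.get("process.parent.name"), "PDQInventoryScanner.exe"):
        return False
    return ev.get("user.id") not in SERVICE_SIDS


def dsquery_trust_enum(ev):
    """Rule 2: dsquery.exe by name or by PE original filename (survives a
    rename) with an LDAP filter on objectClass=trustedDomain."""
    if not windows_start(ev):
        return False
    named = glob(ev.get("process.name"), "dsquery.exe") or \
        glob(ev.get("process.pe.original_file_name"), "dsquery.exe")
    return named and any(glob(a, DSQUERY_ARG) for a in ev.get("process.args", []))


def evaluate(events):
    """Return {event id: [names of rules that fired]} for a batch of events."""
    rules = {"nltest_trusts": nltest_trust_enum, "dsquery_trusts": dsquery_trust_enum}
    return {ev["id"]: [n for n, r in rules.items() if r(ev)] for ev in events}


# Constructed sample events (not real telemetry); field names follow ECS.
WIN = {"host.os.type": "windows", "event.type": "start", "user.id": "S-1-5-21-1-2-3-1001"}
SAMPLE_EVENTS = [
    {**WIN, "id": "e1", "process.name": "nltest.exe", "process.parent.name": "cmd.exe",
     "process.args": ["nltest.exe", "/domain_trusts", "/all_trusts"]},
    {**WIN, "id": "e2", "process.name": "nltest.exe", "process.parent.name": "PDQInventoryScanner.exe",
     "process.args": ["nltest.exe", "/dclist:corp.example"]},
    {**WIN, "id": "e3", "process.name": "nltest.exe", "process.parent.name": "services.exe",
     "process.args": ["nltest.exe", "/dclist:corp.example"], "user.id": "S-1-5-18"},
    {**WIN, "id": "e4", "process.name": "dsq.exe", "process.pe.original_file_name": "dsquery.exe",
     "process.args": ["dsq.exe", "*", "-filter", "(objectClass=trustedDomain)"]},
]
```

Running `evaluate(SAMPLE_EVENTS)` flags only e1 (nltest) and e4 (renamed dsquery); e2 and e3 are dropped by the parent-process and service-SID exclusions exactly as the EQL does.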