Techniques
Sample rules
Potential Recon Activity Via Nltest.EXE
- source: sigma
- techniques:
- t1016
- t1482
Description
Detects nltest commands that can be used for information discovery
Detection logic
condition: all of selection_*
selection_nltest:
    - Image|endswith: '\nltest.exe'
    - OriginalFileName: 'nltestrk.exe'
selection_recon:
    - CommandLine|contains|all:
        - 'server'
        - 'query'
    - CommandLine|contains:
        - '/user'
        - 'all_trusts'
        - 'dclist:'
        - 'dnsgetdc:'
        - 'domain_trusts'
        - 'dsgetdc:'
        - 'parentdomain'
        - 'trusted_domains'
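As an added example that is not part of the Sigma project or of this page, the rule's detection logic implemented in Python and run over constructed Sysmon-style process-creation events. Each selection list is an OR of its items and the condition ANDs the two selections, as in Sigma; the host paths, domain names and the renamed binary in the sample events are assumptions.

```python
RULE_TITLE = "Potential Recon Activity Via Nltest.EXE"
# Field values below are the rule's own; Sigma string matching is case-insensitive.
RECON_ANY = ["/user", "all_trusts", "dclist:", "dnsgetdc:", "domain_trusts",
             "dsgetdc:", "parentdomain", "trusted_domains"]
RECON_ALL = ["server", "query"]

def _lc(event, field):
    """Return the event field lower-cased, or '' if it is missing."""
    return str(event.get(field, "")).lower()

def selection_nltest(event):
    """OR of the two list items: image path suffix or original file name."""
    return (_lc(event, "Image").endswith("\\nltest.exe")
            or _lc(event, "OriginalFileName") == "nltestrk.exe")

def selection_recon(event):
    """OR of the two list items: 'server' AND 'query', or any recon keyword."""
    cmd = _lc(event, "CommandLine")
    return (all(k in cmd for k in RECON_ALL)
            or any(k in cmd for k in RECON_ANY))

def matches(event):
    """condition: all of selection_*"""
    return selection_nltest(event) and selection_recon(event)

# Constructed sample events (hypothetical paths, hosts and domain names).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /dclist:corp.example"},
    {"Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "NLTEST /server:dc01 /query"},
    {"Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /sc_verify:corp.example"},   # not a listed keyword
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c nltest /domain_trusts"},     # parent shell, not nltest
    {"Image": "C:\\Temp\\renamed.exe", "OriginalFileName": "nltestrk.exe",
     "CommandLine": "renamed /trusted_domains"},          # renamed binary, caught by PE name
]

def alerts(events=SAMPLE_EVENTS):
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches(e)]

if __name__ == "__main__":
    for cmd in alerts():
        print(f"[{RULE_TITLE}] {cmd}")
```

The fourth sample shows the rule's scope: the cmd.exe launch itself does not match, only the child nltest.exe process-creation event would.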