T1482

Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe, AdFind, PowerShell .NET methods (Get-ADTrust, GetAllTrustRelationships), LDAP queries, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. Widely observed in ransomware pre-encryption reconnaissance by groups including BlackByte, Akira, QakBot, IcedID, and Chimera.

Microsoft Sentinel / Defender

kusto

let NltestTrustArgs = dynamic([
  "/domain_trusts", "/all_trusts", "/dclist:", "/trusted_domains",
  "/domain_trusts /all_trusts"
]);
let AdfindTrustArgs = dynamic([
  "trustdmp", "trustedDomain", "objectclass=trusteddomain",
  "-f\"(objectcategory=trusteddomain)\"", "-f (objectcategory=trusteddomain)"
]);
let PsTrustPatterns = dynamic([
  "Get-ADTrust", "GetAllTrustRelationships", "DSEnumerateDomainTrusts",
  "GetCurrentDomainTrustRelationships", "GetTrustedDomains",
  "System.DirectoryServices.ActiveDirectory.Domain",
  "netapi32", "DsEnumerateDomainTrusts"
]);
let TrustBinaries = dynamic(["nltest.exe", "adfind.exe", "adfind64.exe"]);
// Branch 1: nltest.exe and AdFind direct execution
let BinaryTrustDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (TrustBinaries)
| where ProcessCommandLine has_any (NltestTrustArgs)
    or (FileName =~"adfind.exe" and ProcessCommandLine has_any (AdfindTrustArgs))
    or (FileName =~"adfind64.exe" and ProcessCommandLine has_any (AdfindTrustArgs))
| extend TrustTool = "nltest/adfind"
| extend TrustMethod = case(
    ProcessCommandLine has "/domain_trusts", "nltest-domain_trusts",
    ProcessCommandLine has "/dclist", "nltest-dclist",
    ProcessCommandLine has "trustdmp", "adfind-trustdmp",
    ProcessCommandLine has "trusteddomain", "adfind-ldap-trust",
    "other"
);
// Branch 2: PowerShell and .NET-based trust enumeration
let PsTrustDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (PsTrustPatterns)
| extend TrustTool = "PowerShell"
| extend TrustMethod = case(
    ProcessCommandLine has "Get-ADTrust", "ps-Get-ADTrust",
    ProcessCommandLine has "GetAllTrustRelationships", "ps-GetAllTrustRelationships",
    ProcessCommandLine has "DSEnumerateDomainTrusts", "ps-DSEnumerateDomainTrusts",
    "ps-other"
);
// Branch 3: net.exe commands revealing domain/forest info used in trust context
let NetTrustDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has_any ("view /domain", "group \"Domain Admins\"")
    and InitiatingProcessFileName in~ ("nltest.exe", "adfind.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend TrustTool = "net.exe"
| extend TrustMethod = "net-domain-enum";
union BinaryTrustDiscovery, PsTrustDiscovery, NetTrustDiscovery
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName,
         TrustTool, TrustMethod
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Domain administrators running nltest /domain_trusts as part of AD health checks or troubleshooting connectivity between trusted domains
IT infrastructure monitoring tools (SolarWinds, ManageEngine AD Manager) that enumerate trust relationships for topology mapping and alerting
Scripted onboarding or provisioning automation that calls Get-ADTrust to validate forest membership before deploying resources
Penetration testing or red team exercises with pre-approved scope documents — verify against change management records
SIEM/SOAR playbooks that enumerate domain trusts to populate CMDB or enrich security incidents

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
// Classify tool used
| eval TrustTool=case(
    match(Image, "nltest\.exe$"), "nltest",
    match(Image, "adfind(64)?\.exe$"), "adfind",
    match(Image, "(powershell|pwsh)\.exe$"), "powershell",
    true(), "other"
  )
// Flag nltest domain trust arguments
| eval NltestTrust=if(
    match(Image, "nltest\.exe$") AND match(CommandLine, "(/domain_trusts|/all_trusts|/dclist:|/trusted_domains)"),
    1, 0
  )
// Flag AdFind trust-related LDAP queries
| eval AdfindTrust=if(
    match(Image, "adfind(64)?\.exe$") AND match(CommandLine, "(trustdmp|trusteddomain|objectclass=trusteddomain|objectcategory=trusteddomain)"),
    1, 0
  )
// Flag PowerShell .NET / AD module trust enumeration
| eval PsTrust=if(
    match(Image, "(powershell|pwsh)\.exe$") AND match(CommandLine, "(get-adtrust|getalltrustrelationships|dsenumeratedomaintrusts|getcurrentdomaintrustrelationships|system\.directoryservices\.activedirectory\.domain|netapi32)"),
    1, 0
  )
// Summarise relevance
| eval TrustScore=NltestTrust + AdfindTrust + PsTrust
| where TrustScore > 0
| eval TrustMethod=case(
    NltestTrust=1 AND match(CommandLine, "/domain_trusts"), "nltest-domain_trusts",
    NltestTrust=1 AND match(CommandLine, "/dclist"), "nltest-dclist",
    AdfindTrust=1 AND match(CommandLine, "trustdmp"), "adfind-trustdmp",
    AdfindTrust=1, "adfind-ldap-trust",
    PsTrust=1 AND match(CommandLine, "get-adtrust"), "ps-Get-ADTrust",
    PsTrust=1 AND match(CommandLine, "getalltrustrelationships"), "ps-GetAllTrustRelationships",
    PsTrust=1 AND match(CommandLine, "dsenumeratedomaintrusts"), "ps-DSEnumerateDomainTrusts",
    true(), "unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TrustTool, TrustMethod, TrustScore
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Domain administrators running nltest /domain_trusts as part of AD health checks or troubleshooting connectivity between trusted domains
IT infrastructure monitoring tools (SolarWinds, ManageEngine AD Manager) that enumerate trust relationships for topology mapping and alerting
Scripted onboarding or provisioning automation that calls Get-ADTrust to validate forest membership before deploying resources
Penetration testing or red team exercises with pre-approved scope documents — verify against change management records
SIEM/SOAR playbooks that enumerate domain trusts to populate CMDB or enrich security incidents

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "hostname" AS Hostname,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcessName
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
      LOWER("Process Name") LIKE '%nltest.exe%'
      AND (
        LOWER("Command") LIKE '%/domain_trusts%'
        OR LOWER("Command") LIKE '%/all_trusts%'
        OR LOWER("Command") LIKE '%/dclist:%'
        OR LOWER("Command") LIKE '%/trusted_domains%'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%adfind%'
      AND (
        LOWER("Command") LIKE '%trustdmp%'
        OR LOWER("Command") LIKE '%trusteddomain%'
        OR LOWER("Command") LIKE '%objectclass=trusteddomain%'
        OR LOWER("Command") LIKE '%objectcategory=trusteddomain%'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%powershell%'
      AND (
        LOWER("Command") LIKE '%get-adtrust%'
        OR LOWER("Command") LIKE '%getalltrustrelationships%'
        OR LOWER("Command") LIKE '%dsenumeratedomaintrusts%'
        OR LOWER("Command") LIKE '%getcurrentdomaintrustrelationships%'
        OR LOWER("Command") LIKE '%system.directoryservices.activedirectory.domain%'
        OR LOWER("Command") LIKE '%netapi32%'
      )
    )
  )
  AND starttime > NOW() - 86400 SECONDS
ORDER BY starttime DESC
LIMIT 500

high severity high confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via Windows Event Forwarding Microsoft Endpoint Detection (MDE) via QRadar DSM

Required Tables

events

False Positives

Scheduled domain health scripts executed by IT operations teams that use nltest.exe /domain_trusts for monitoring
Enterprise identity management platforms that enumerate trusts via PowerShell AD module during directory synchronization
Red team or penetration testing engagements using AdFind for authorized Active Directory reconnaissance

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*
| parse field=_raw "<EventID>*</EventID>" as EventID nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as ProcessImage nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as UserName nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as ComputerName nodrop
| where EventID in ("1", "4688")
| eval ProcessName = toLowerCase(ProcessImage)
| eval CmdLine = toLowerCase(CommandLine)
// Classify trust tool
| eval TrustTool = if(ProcessName matches "*nltest.exe*", "nltest",
    if(ProcessName matches "*adfind*", "adfind",
    if(ProcessName matches "*powershell*" OR ProcessName matches "*pwsh*", "powershell", "other")))
// Score by technique
| eval NltestHit = if(TrustTool="nltest" AND (
    CmdLine matches "*/domain_trusts*" OR CmdLine matches "*/all_trusts*" OR
    CmdLine matches "*/dclist:*" OR CmdLine matches "*/trusted_domains*"), 1, 0)
| eval AdfindHit = if(TrustTool="adfind" AND (
    CmdLine matches "*trustdmp*" OR CmdLine matches "*trusteddomain*" OR
    CmdLine matches "*objectclass=trusteddomain*" OR CmdLine matches "*objectcategory=trusteddomain*"), 1, 0)
| eval PsHit = if(TrustTool="powershell" AND (
    CmdLine matches "*get-adtrust*" OR CmdLine matches "*getalltrustrelationships*" OR
    CmdLine matches "*dsenumeratedomaintrusts*" OR CmdLine matches "*getcurrentdomaintrustrelationships*" OR
    CmdLine matches "*system.directoryservices.activedirectory.domain*" OR CmdLine matches "*netapi32*"), 1, 0)
| eval TrustScore = NltestHit + AdfindHit + PsHit
| where TrustScore > 0
| eval TrustMethod = if(NltestHit=1 AND CmdLine matches "*/domain_trusts*", "nltest-domain_trusts",
    if(NltestHit=1 AND CmdLine matches "*/dclist*", "nltest-dclist",
    if(AdfindHit=1 AND CmdLine matches "*trustdmp*", "adfind-trustdmp",
    if(AdfindHit=1, "adfind-ldap-trust",
    if(PsHit=1 AND CmdLine matches "*get-adtrust*", "ps-Get-ADTrust",
    if(PsHit=1 AND CmdLine matches "*getalltrustrelationships*", "ps-GetAllTrustRelationships",
    if(PsHit=1 AND CmdLine matches "*dsenumeratedomaintrusts*", "ps-DSEnumerateDomainTrusts",
    "unknown")))))))
| fields _messagetime, ComputerName, UserName, ProcessImage, CommandLine, ParentImage, TrustTool, TrustMethod, TrustScore
| sort by _messagetime desc
| limit 500

high severity high confidence

Data Sources

Sysmon via Windows Event Forwarding Windows Security Event Log (4688 with command line auditing enabled) CrowdStrike or Carbon Black endpoint via Sumo Logic HTTP source

Required Tables

Sumo Logic partition containing Windows/Sysmon event logs

False Positives

Domain controller health monitoring scripts that call nltest periodically to validate replication and trust links
Active Directory migration tools that use PowerShell Get-ADTrust or DirectoryServices to catalog existing trusts before migration
IT asset inventory platforms that enumerate AD structure including trusts as part of configuration management database (CMDB) population

Google Chronicle / SecOps

yaral

rule t1482_domain_trust_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Domain Trust Discovery (T1482) via nltest.exe, AdFind, and PowerShell trust enumeration commands."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1482"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1482/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $procpath

    (
      // nltest.exe trust enumeration
      (
        re.regex($procpath, `(?i)nltest\.exe$`) and
        (
          re.regex($cmdline, `(?i)/domain_trusts`) or
          re.regex($cmdline, `(?i)/all_trusts`) or
          re.regex($cmdline, `(?i)/dclist:`) or
          re.regex($cmdline, `(?i)/trusted_domains`)
        )
      )
      or
      // AdFind trust enumeration
      (
        re.regex($procpath, `(?i)adfind(64)?\.exe$`) and
        (
          re.regex($cmdline, `(?i)trustdmp`) or
          re.regex($cmdline, `(?i)trustedDomain`) or
          re.regex($cmdline, `(?i)objectclass=trusteddomain`) or
          re.regex($cmdline, `(?i)objectcategory=trusteddomain`)
        )
      )
      or
      // PowerShell .NET and AD module trust enumeration
      (
        re.regex($procpath, `(?i)(powershell|pwsh)\.exe$`) and
        (
          re.regex($cmdline, `(?i)Get-ADTrust`) or
          re.regex($cmdline, `(?i)GetAllTrustRelationships`) or
          re.regex($cmdline, `(?i)DSEnumerateDomainTrusts`) or
          re.regex($cmdline, `(?i)GetCurrentDomainTrustRelationships`) or
          re.regex($cmdline, `(?i)System\.DirectoryServices\.ActiveDirectory\.Domain`) or
          re.regex($cmdline, `(?i)netapi32`) or
          re.regex($cmdline, `(?i)DsEnumerateDomainTrusts`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) via Windows event forwarding Endpoint Detection and Response (EDR) telemetry ingested into Chronicle Sysmon logs parsed into UDM by Chronicle parsers

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives

Network engineers or domain admins running nltest /domain_trusts from privileged workstations during routine AD troubleshooting sessions
Automated baseline tooling used during quarterly Active Directory security assessments that catalogs trust relationships
ITSM or CMDB agents using PowerShell AD module to synchronize trust topology information into service management databases

CrowdStrike LogScale (CQL)

cql

// T1482 - Domain Trust Discovery: nltest, AdFind, PowerShell trust enumeration
#event_simpleName=ProcessRollup2
| FileName = /(?i)(nltest\.exe|adfind(64)?\.exe|powershell\.exe|pwsh\.exe)$/
| CommandLine = /(?i)(/domain_trusts|/all_trusts|/dclist:|/trusted_domains|trustdmp|trustedDomain|objectclass=trusteddomain|objectcategory=trusteddomain|Get-ADTrust|GetAllTrustRelationships|DSEnumerateDomainTrusts|GetCurrentDomainTrustRelationships|GetTrustedDomains|System\.DirectoryServices\.ActiveDirectory\.Domain|netapi32|DsEnumerateDomainTrusts)/
| eval TrustTool = case(
    FileName = /(?i)nltest\.exe$/, "nltest",
    FileName = /(?i)adfind(64)?\.exe$/, "adfind",
    FileName = /(?i)(powershell|pwsh)\.exe$/, "powershell",
    true(), "other"
  )
| eval TrustMethod = case(
    TrustTool = "nltest" AND CommandLine = /(?i)/domain_trusts/, "nltest-domain_trusts",
    TrustTool = "nltest" AND CommandLine = /(?i)/dclist/, "nltest-dclist",
    TrustTool = "adfind" AND CommandLine = /(?i)trustdmp/, "adfind-trustdmp",
    TrustTool = "adfind", "adfind-ldap-trust",
    TrustTool = "powershell" AND CommandLine = /(?i)get-adtrust/, "ps-Get-ADTrust",
    TrustTool = "powershell" AND CommandLine = /(?i)getalltrustrelationships/, "ps-GetAllTrustRelationships",
    TrustTool = "powershell" AND CommandLine = /(?i)dsenumeratedomaintrusts/, "ps-DSEnumerateDomainTrusts",
    true(), "unknown"
  )
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, TrustTool, TrustMethod])
| sort timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) — ProcessRollup2 events Falcon Data Replicator (FDR) streaming to LogScale Falcon SIEM Connector forwarding endpoint telemetry

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

Privileged IT administrators using nltest.exe to diagnose replication or trust issues in multi-domain environments where such usage is routine
Enterprise Active Directory management tools (e.g., Quest AD Manager, SolarWinds AD Toolset) that internally invoke trust enumeration commands
Authorized red team or blue team exercises where trust discovery is a documented and approved activity on the target environment

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1482 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Domain Trust Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections