Which SIEM platforms have a T1482 detection rule?

df00tech provides T1482 (Domain Trust Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Domain Trust Discovery (T1482)?

Detecting Domain Trust Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1482 detection?

The T1482 detection is rated medium severity with high confidence.

What are common false positives for T1482?

Common false positives for T1482 include: Domain administrators running nltest /domain_trusts as part of AD health checks or troubleshooting connectivity between trusted domains; IT infrastructure monitoring tools (SolarWinds, ManageEngine AD Manager) that enumerate trust relationships for topology mapping and alerting; Scripted onboarding or provisioning automation that calls Get-ADTrust to validate forest membership before deploying resources.

T1482

Domain Trust Discovery

Discovery Last updated: April 19, 2026

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe, AdFind, PowerShell .NET methods (Get-ADTrust, GetAllTrustRelationships), LDAP queries, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. Widely observed in ransomware pre-encryption reconnaissance by groups including BlackByte, Akira, QakBot, IcedID, and Chimera.

What is T1482 Domain Trust Discovery?

Domain Trust Discovery (T1482) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Domain Trust Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated medium severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1482 Domain Trust Discovery
Canonical reference: https://attack.mitre.org/techniques/T1482/

Microsoft Sentinel / Defender

kusto

let NltestTrustArgs = dynamic([
  "/domain_trusts", "/all_trusts", "/dclist:", "/trusted_domains",
  "/domain_trusts /all_trusts"
]);
let AdfindTrustArgs = dynamic([
  "trustdmp", "trustedDomain", "objectclass=trusteddomain",
  "-f\"(objectcategory=trusteddomain)\"", "-f (objectcategory=trusteddomain)"
]);
let PsTrustPatterns = dynamic([
  "Get-ADTrust", "GetAllTrustRelationships", "DSEnumerateDomainTrusts",
  "GetCurrentDomainTrustRelationships", "GetTrustedDomains",
  "System.DirectoryServices.ActiveDirectory.Domain",
  "netapi32", "DsEnumerateDomainTrusts"
]);
let TrustBinaries = dynamic(["nltest.exe", "adfind.exe", "adfind64.exe"]);
// Branch 1: nltest.exe and AdFind direct execution
let BinaryTrustDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (TrustBinaries)
| where ProcessCommandLine has_any (NltestTrustArgs)
    or (FileName =~"adfind.exe" and ProcessCommandLine has_any (AdfindTrustArgs))
    or (FileName =~"adfind64.exe" and ProcessCommandLine has_any (AdfindTrustArgs))
| extend TrustTool = "nltest/adfind"
| extend TrustMethod = case(
    ProcessCommandLine has "/domain_trusts", "nltest-domain_trusts",
    ProcessCommandLine has "/dclist", "nltest-dclist",
    ProcessCommandLine has "trustdmp", "adfind-trustdmp",
    ProcessCommandLine has "trusteddomain", "adfind-ldap-trust",
    "other"
);
// Branch 2: PowerShell and .NET-based trust enumeration
let PsTrustDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (PsTrustPatterns)
| extend TrustTool = "PowerShell"
| extend TrustMethod = case(
    ProcessCommandLine has "Get-ADTrust", "ps-Get-ADTrust",
    ProcessCommandLine has "GetAllTrustRelationships", "ps-GetAllTrustRelationships",
    ProcessCommandLine has "DSEnumerateDomainTrusts", "ps-DSEnumerateDomainTrusts",
    "ps-other"
);
// Branch 3: net.exe commands revealing domain/forest info used in trust context
let NetTrustDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has_any ("view /domain", "group \"Domain Admins\"")
    and InitiatingProcessFileName in~ ("nltest.exe", "adfind.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend TrustTool = "net.exe"
| extend TrustMethod = "net-domain-enum";
union BinaryTrustDiscovery, PsTrustDiscovery, NetTrustDiscovery
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName,
         TrustTool, TrustMethod
| sort by Timestamp desc

Detects domain trust enumeration using three branches: (1) nltest.exe and AdFind with trust-specific arguments (/domain_trusts, /all_trusts, trustdmp, objectclass=trusteddomain), (2) PowerShell and .NET methods for trust discovery (Get-ADTrust, GetAllTrustRelationships, DSEnumerateDomainTrusts), and (3) net.exe domain group/view commands spawned by known discovery parent processes. Uses union to correlate all three paths into a single result set with classification of discovery method.

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Domain administrators running nltest /domain_trusts as part of AD health checks or troubleshooting connectivity between trusted domains
IT infrastructure monitoring tools (SolarWinds, ManageEngine AD Manager) that enumerate trust relationships for topology mapping and alerting
Scripted onboarding or provisioning automation that calls Get-ADTrust to validate forest membership before deploying resources
Penetration testing or red team exercises with pre-approved scope documents — verify against change management records
SIEM/SOAR playbooks that enumerate domain trusts to populate CMDB or enrich security incidents

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
// Classify tool used
| eval TrustTool=case(
    match(Image, "nltest\.exe$"), "nltest",
    match(Image, "adfind(64)?\.exe$"), "adfind",
    match(Image, "(powershell|pwsh)\.exe$"), "powershell",
    true(), "other"
  )
// Flag nltest domain trust arguments
| eval NltestTrust=if(
    match(Image, "nltest\.exe$") AND match(CommandLine, "(/domain_trusts|/all_trusts|/dclist:|/trusted_domains)"),
    1, 0
  )
// Flag AdFind trust-related LDAP queries
| eval AdfindTrust=if(
    match(Image, "adfind(64)?\.exe$") AND match(CommandLine, "(trustdmp|trusteddomain|objectclass=trusteddomain|objectcategory=trusteddomain)"),
    1, 0
  )
// Flag PowerShell .NET / AD module trust enumeration
| eval PsTrust=if(
    match(Image, "(powershell|pwsh)\.exe$") AND match(CommandLine, "(get-adtrust|getalltrustrelationships|dsenumeratedomaintrusts|getcurrentdomaintrustrelationships|system\.directoryservices\.activedirectory\.domain|netapi32)"),
    1, 0
  )
// Summarise relevance
| eval TrustScore=NltestTrust + AdfindTrust + PsTrust
| where TrustScore > 0
| eval TrustMethod=case(
    NltestTrust=1 AND match(CommandLine, "/domain_trusts"), "nltest-domain_trusts",
    NltestTrust=1 AND match(CommandLine, "/dclist"), "nltest-dclist",
    AdfindTrust=1 AND match(CommandLine, "trustdmp"), "adfind-trustdmp",
    AdfindTrust=1, "adfind-ldap-trust",
    PsTrust=1 AND match(CommandLine, "get-adtrust"), "ps-Get-ADTrust",
    PsTrust=1 AND match(CommandLine, "getalltrustrelationships"), "ps-GetAllTrustRelationships",
    PsTrust=1 AND match(CommandLine, "dsenumeratedomaintrusts"), "ps-DSEnumerateDomainTrusts",
    true(), "unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TrustTool, TrustMethod, TrustScore
| sort - _time

Detects domain trust discovery using Sysmon Event ID 1 (Process Creation). Classifies activity across three tool categories: nltest.exe with /domain_trusts or /dclist arguments, AdFind/AdFind64 with trustdmp or LDAP objectclass=trusteddomain filters, and PowerShell using AD module Get-ADTrust or .NET GetAllTrustRelationships/DSEnumerateDomainTrusts. Assigns a TrustScore and TrustMethod label to enable priority triage and downstream correlation.

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Domain administrators running nltest /domain_trusts as part of AD health checks or troubleshooting connectivity between trusted domains
IT infrastructure monitoring tools (SolarWinds, ManageEngine AD Manager) that enumerate trust relationships for topology mapping and alerting
Scripted onboarding or provisioning automation that calls Get-ADTrust to validate forest membership before deploying resources
Penetration testing or red team exercises with pre-approved scope documents — verify against change management records
SIEM/SOAR playbooks that enumerate domain trusts to populate CMDB or enrich security incidents

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "hostname" AS Hostname,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcessName
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (
      LOWER("Process Name") LIKE '%nltest.exe%'
      AND (
        LOWER("Command") LIKE '%/domain_trusts%'
        OR LOWER("Command") LIKE '%/all_trusts%'
        OR LOWER("Command") LIKE '%/dclist:%'
        OR LOWER("Command") LIKE '%/trusted_domains%'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%adfind%'
      AND (
        LOWER("Command") LIKE '%trustdmp%'
        OR LOWER("Command") LIKE '%trusteddomain%'
        OR LOWER("Command") LIKE '%objectclass=trusteddomain%'
        OR LOWER("Command") LIKE '%objectcategory=trusteddomain%'
      )
    )
    OR (
      LOWER("Process Name") LIKE '%powershell%'
      AND (
        LOWER("Command") LIKE '%get-adtrust%'
        OR LOWER("Command") LIKE '%getalltrustrelationships%'
        OR LOWER("Command") LIKE '%dsenumeratedomaintrusts%'
        OR LOWER("Command") LIKE '%getcurrentdomaintrustrelationships%'
        OR LOWER("Command") LIKE '%system.directoryservices.activedirectory.domain%'
        OR LOWER("Command") LIKE '%netapi32%'
      )
    )
  )
  AND starttime > NOW() - 86400 SECONDS
ORDER BY starttime DESC
LIMIT 500

Detects Domain Trust Discovery (T1482) in IBM QRadar by querying Windows Security and Sysmon log sources for process executions of nltest.exe, AdFind variants, and PowerShell with arguments known to enumerate Active Directory domain trusts, forest trusts, and external trust relationships.

high severity high confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via Windows Event Forwarding Microsoft Endpoint Detection (MDE) via QRadar DSM

Required Tables

events

False Positives

Scheduled domain health scripts executed by IT operations teams that use nltest.exe /domain_trusts for monitoring
Enterprise identity management platforms that enumerate trusts via PowerShell AD module during directory synchronization
Red team or penetration testing engagements using AdFind for authorized Active Directory reconnaissance

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*
| parse field=_raw "<EventID>*</EventID>" as EventID nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as ProcessImage nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as UserName nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as ComputerName nodrop
| where EventID in ("1", "4688")
| eval ProcessName = toLowerCase(ProcessImage)
| eval CmdLine = toLowerCase(CommandLine)
// Classify trust tool
| eval TrustTool = if(ProcessName matches "*nltest.exe*", "nltest",
    if(ProcessName matches "*adfind*", "adfind",
    if(ProcessName matches "*powershell*" OR ProcessName matches "*pwsh*", "powershell", "other")))
// Score by technique
| eval NltestHit = if(TrustTool="nltest" AND (
    CmdLine matches "*/domain_trusts*" OR CmdLine matches "*/all_trusts*" OR
    CmdLine matches "*/dclist:*" OR CmdLine matches "*/trusted_domains*"), 1, 0)
| eval AdfindHit = if(TrustTool="adfind" AND (
    CmdLine matches "*trustdmp*" OR CmdLine matches "*trusteddomain*" OR
    CmdLine matches "*objectclass=trusteddomain*" OR CmdLine matches "*objectcategory=trusteddomain*"), 1, 0)
| eval PsHit = if(TrustTool="powershell" AND (
    CmdLine matches "*get-adtrust*" OR CmdLine matches "*getalltrustrelationships*" OR
    CmdLine matches "*dsenumeratedomaintrusts*" OR CmdLine matches "*getcurrentdomaintrustrelationships*" OR
    CmdLine matches "*system.directoryservices.activedirectory.domain*" OR CmdLine matches "*netapi32*"), 1, 0)
| eval TrustScore = NltestHit + AdfindHit + PsHit
| where TrustScore > 0
| eval TrustMethod = if(NltestHit=1 AND CmdLine matches "*/domain_trusts*", "nltest-domain_trusts",
    if(NltestHit=1 AND CmdLine matches "*/dclist*", "nltest-dclist",
    if(AdfindHit=1 AND CmdLine matches "*trustdmp*", "adfind-trustdmp",
    if(AdfindHit=1, "adfind-ldap-trust",
    if(PsHit=1 AND CmdLine matches "*get-adtrust*", "ps-Get-ADTrust",
    if(PsHit=1 AND CmdLine matches "*getalltrustrelationships*", "ps-GetAllTrustRelationships",
    if(PsHit=1 AND CmdLine matches "*dsenumeratedomaintrusts*", "ps-DSEnumerateDomainTrusts",
    "unknown")))))))
| fields _messagetime, ComputerName, UserName, ProcessImage, CommandLine, ParentImage, TrustTool, TrustMethod, TrustScore
| sort by _messagetime desc
| limit 500

Detects Domain Trust Discovery (T1482) in Sumo Logic by parsing Sysmon Event ID 1 or Security Event 4688 process creation logs to identify nltest.exe, AdFind, and PowerShell executions with trust enumeration arguments. Scores each event by technique matched and classifies the discovery method.

high severity high confidence

Data Sources

Sysmon via Windows Event Forwarding Windows Security Event Log (4688 with command line auditing enabled) CrowdStrike or Carbon Black endpoint via Sumo Logic HTTP source

Required Tables

Sumo Logic partition containing Windows/Sysmon event logs

False Positives

Domain controller health monitoring scripts that call nltest periodically to validate replication and trust links
Active Directory migration tools that use PowerShell Get-ADTrust or DirectoryServices to catalog existing trusts before migration
IT asset inventory platforms that enumerate AD structure including trusts as part of configuration management database (CMDB) population

Google Chronicle / SecOps

yaral

rule t1482_domain_trust_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Domain Trust Discovery (T1482) via nltest.exe, AdFind, and PowerShell trust enumeration commands."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1482"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1482/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $procpath

    (
      // nltest.exe trust enumeration
      (
        re.regex($procpath, `(?i)nltest\.exe$`) and
        (
          re.regex($cmdline, `(?i)/domain_trusts`) or
          re.regex($cmdline, `(?i)/all_trusts`) or
          re.regex($cmdline, `(?i)/dclist:`) or
          re.regex($cmdline, `(?i)/trusted_domains`)
        )
      )
      or
      // AdFind trust enumeration
      (
        re.regex($procpath, `(?i)adfind(64)?\.exe$`) and
        (
          re.regex($cmdline, `(?i)trustdmp`) or
          re.regex($cmdline, `(?i)trustedDomain`) or
          re.regex($cmdline, `(?i)objectclass=trusteddomain`) or
          re.regex($cmdline, `(?i)objectcategory=trusteddomain`)
        )
      )
      or
      // PowerShell .NET and AD module trust enumeration
      (
        re.regex($procpath, `(?i)(powershell|pwsh)\.exe$`) and
        (
          re.regex($cmdline, `(?i)Get-ADTrust`) or
          re.regex($cmdline, `(?i)GetAllTrustRelationships`) or
          re.regex($cmdline, `(?i)DSEnumerateDomainTrusts`) or
          re.regex($cmdline, `(?i)GetCurrentDomainTrustRelationships`) or
          re.regex($cmdline, `(?i)System\.DirectoryServices\.ActiveDirectory\.Domain`) or
          re.regex($cmdline, `(?i)netapi32`) or
          re.regex($cmdline, `(?i)DsEnumerateDomainTrusts`)
        )
      )
    )

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule that detects Domain Trust Discovery (T1482) by matching PROCESS_LAUNCH UDM events where the process binary is nltest.exe, AdFind, or PowerShell and the command line contains arguments indicative of Active Directory trust enumeration. Covers all major discovery methods including native binaries, third-party tools, and .NET/AD module calls.

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) via Windows event forwarding Endpoint Detection and Response (EDR) telemetry ingested into Chronicle Sysmon logs parsed into UDM by Chronicle parsers

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives

Network engineers or domain admins running nltest /domain_trusts from privileged workstations during routine AD troubleshooting sessions
Automated baseline tooling used during quarterly Active Directory security assessments that catalogs trust relationships
ITSM or CMDB agents using PowerShell AD module to synchronize trust topology information into service management databases

CrowdStrike LogScale (CQL)

cql

// T1482 - Domain Trust Discovery: nltest, AdFind, PowerShell trust enumeration
#event_simpleName=ProcessRollup2
| FileName = /(?i)(nltest\.exe|adfind(64)?\.exe|powershell\.exe|pwsh\.exe)$/
| CommandLine = /(?i)(/domain_trusts|/all_trusts|/dclist:|/trusted_domains|trustdmp|trustedDomain|objectclass=trusteddomain|objectcategory=trusteddomain|Get-ADTrust|GetAllTrustRelationships|DSEnumerateDomainTrusts|GetCurrentDomainTrustRelationships|GetTrustedDomains|System\.DirectoryServices\.ActiveDirectory\.Domain|netapi32|DsEnumerateDomainTrusts)/
| eval TrustTool = case(
    FileName = /(?i)nltest\.exe$/, "nltest",
    FileName = /(?i)adfind(64)?\.exe$/, "adfind",
    FileName = /(?i)(powershell|pwsh)\.exe$/, "powershell",
    true(), "other"
  )
| eval TrustMethod = case(
    TrustTool = "nltest" AND CommandLine = /(?i)/domain_trusts/, "nltest-domain_trusts",
    TrustTool = "nltest" AND CommandLine = /(?i)/dclist/, "nltest-dclist",
    TrustTool = "adfind" AND CommandLine = /(?i)trustdmp/, "adfind-trustdmp",
    TrustTool = "adfind", "adfind-ldap-trust",
    TrustTool = "powershell" AND CommandLine = /(?i)get-adtrust/, "ps-Get-ADTrust",
    TrustTool = "powershell" AND CommandLine = /(?i)getalltrustrelationships/, "ps-GetAllTrustRelationships",
    TrustTool = "powershell" AND CommandLine = /(?i)dsenumeratedomaintrusts/, "ps-DSEnumerateDomainTrusts",
    true(), "unknown"
  )
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, TrustTool, TrustMethod])
| sort timestamp desc

Detects Domain Trust Discovery (T1482) in CrowdStrike Falcon LogScale (CQL) by querying ProcessRollup2 events for nltest.exe, AdFind variants, and PowerShell processes with command-line arguments matching known trust enumeration patterns. Classifies each hit by tool and specific discovery method to support triage.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) — ProcessRollup2 events Falcon Data Replicator (FDR) streaming to LogScale Falcon SIEM Connector forwarding endpoint telemetry

Required Tables

ProcessRollup2 (Falcon event stream)

False Positives

Privileged IT administrators using nltest.exe to diagnose replication or trust issues in multi-domain environments where such usage is routine
Enterprise Active Directory management tools (e.g., Quest AD Manager, SolarWinds AD Toolset) that internally invoke trust enumeration commands
Authorized red team or blue team exercises where trust discovery is a documented and approved activity on the target environment

Sigma rule & cross-platform mapping

The detection logic for Domain Trust Discovery (T1482) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1482 Sigma rules on detection.fyi

Platform-specific guides for T1482

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-19 Research depth: deep

References (10)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1nltest Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine containing '/domain_trusts /all_trusts'. Security Event ID 4688 (if command line auditing enabled). Network traffic: LDAP queries (port 389) to the domain controller to resolve trust objects.
Test 2nltest DC List Enumeration by Domain
Expected signal: Sysmon Event ID 1: Process Create with Image=nltest.exe, CommandLine containing '/dclist:'. DNS resolution queries for _ldap._tcp.dc._msdcs.<domain> and Kerberos (port 88) or LDAP (port 389) outbound connections to domain controllers.
Test 3PowerShell Get-ADTrust Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with the full command. LDAP traffic (port 389/636) to a domain controller querying the trustedDomain object class. Security Event ID 4662 on the DC for directory object access.
Test 4AdFind Trust Dump via LDAP
Expected signal: Sysmon Event ID 1: Process Create with Image matching adfind.exe, CommandLine containing '(objectcategory=trusteddomain)'. Sysmon Event ID 3: LDAP network connection (port 389) from adfind.exe to the domain controller IP. Security Event ID 4662 on the DC showing directory object access for the trustedDomain class. File creation of adfind.exe triggers Sysmon Event ID 11 if the binary was just dropped.
Test 5PowerShell .NET GetAllTrustRelationships via DirectoryServices
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'GetAllTrustRelationships' and 'System.DirectoryServices.ActiveDirectory.Domain'. PowerShell ScriptBlock Log Event ID 4104. Outbound LDAP connection (port 389) to a domain controller to resolve trust objects.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1482 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Domain Trust Discovery

What is T1482 Domain Trust Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1482

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1482 Domain Trust Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1482

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox