Which SIEM platforms have a T1482 detection rule?

df00tech provides T1482 (Domain Trust Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Domain Trust Discovery (T1482)?

Detecting Domain Trust Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1482 detection?

The T1482 detection is rated medium severity with high confidence.

What are common false positives for T1482?

Common false positives for T1482 include: Domain administrators running nltest /domain_trusts as part of AD health checks or troubleshooting connectivity between trusted domains; IT infrastructure monitoring tools (SolarWinds, ManageEngine AD Manager) that enumerate trust relationships for topology mapping and alerting; Scripted onboarding or provisioning automation that calls Get-ADTrust to validate forest membership before deploying resources.

T1482 Google Chronicle · YARA-L

Detect Domain Trust Discovery in Google Chronicle

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe, AdFind, PowerShell .NET methods (Get-ADTrust, GetAllTrustRelationships), LDAP queries, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. Widely observed in ransomware pre-encryption reconnaissance by groups including BlackByte, Akira, QakBot, IcedID, and Chimera.

MITRE ATT&CK

Tactic: Discovery
Technique: T1482 Domain Trust Discovery
Canonical reference: https://attack.mitre.org/techniques/T1482/

YARA-L Detection Query

Google Chronicle (YARA-L)

yaral

rule t1482_domain_trust_discovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Domain Trust Discovery (T1482) via nltest.exe, AdFind, and PowerShell trust enumeration commands."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1482"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1482/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $procpath

    (
      // nltest.exe trust enumeration
      (
        re.regex($procpath, `(?i)nltest\.exe$`) and
        (
          re.regex($cmdline, `(?i)/domain_trusts`) or
          re.regex($cmdline, `(?i)/all_trusts`) or
          re.regex($cmdline, `(?i)/dclist:`) or
          re.regex($cmdline, `(?i)/trusted_domains`)
        )
      )
      or
      // AdFind trust enumeration
      (
        re.regex($procpath, `(?i)adfind(64)?\.exe$`) and
        (
          re.regex($cmdline, `(?i)trustdmp`) or
          re.regex($cmdline, `(?i)trustedDomain`) or
          re.regex($cmdline, `(?i)objectclass=trusteddomain`) or
          re.regex($cmdline, `(?i)objectcategory=trusteddomain`)
        )
      )
      or
      // PowerShell .NET and AD module trust enumeration
      (
        re.regex($procpath, `(?i)(powershell|pwsh)\.exe$`) and
        (
          re.regex($cmdline, `(?i)Get-ADTrust`) or
          re.regex($cmdline, `(?i)GetAllTrustRelationships`) or
          re.regex($cmdline, `(?i)DSEnumerateDomainTrusts`) or
          re.regex($cmdline, `(?i)GetCurrentDomainTrustRelationships`) or
          re.regex($cmdline, `(?i)System\.DirectoryServices\.ActiveDirectory\.Domain`) or
          re.regex($cmdline, `(?i)netapi32`) or
          re.regex($cmdline, `(?i)DsEnumerateDomainTrusts`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Google Chronicle YARA-L 2.0 rule that detects Domain Trust Discovery (T1482) by matching PROCESS_LAUNCH UDM events where the process binary is nltest.exe, AdFind, or PowerShell and the command line contains arguments indicative of Active Directory trust enumeration. Covers all major discovery methods including native binaries, third-party tools, and .NET/AD module calls.

Data Sources

Google Chronicle UDM (Unified Data Model) via Windows event forwardingEndpoint Detection and Response (EDR) telemetry ingested into ChronicleSysmon logs parsed into UDM by Chronicle parsers

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives & Tuning

Network engineers or domain admins running nltest /domain_trusts from privileged workstations during routine AD troubleshooting sessions
Automated baseline tooling used during quarterly Active Directory security assessments that catalogs trust relationships
ITSM or CMDB agents using PowerShell AD module to synchronize trust topology information into service management databases

Download portable Sigma rule (.yml)

Other platforms for T1482

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1nltest Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine containing '/domain_trusts /all_trusts'. Security Event ID 4688 (if command line auditing enabled). Network traffic: LDAP queries (port 389) to the domain controller to resolve trust objects.
Test 2nltest DC List Enumeration by Domain
Expected signal: Sysmon Event ID 1: Process Create with Image=nltest.exe, CommandLine containing '/dclist:'. DNS resolution queries for _ldap._tcp.dc._msdcs.<domain> and Kerberos (port 88) or LDAP (port 389) outbound connections to domain controllers.
Test 3PowerShell Get-ADTrust Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with the full command. LDAP traffic (port 389/636) to a domain controller querying the trustedDomain object class. Security Event ID 4662 on the DC for directory object access.
Test 4AdFind Trust Dump via LDAP
Expected signal: Sysmon Event ID 1: Process Create with Image matching adfind.exe, CommandLine containing '(objectcategory=trusteddomain)'. Sysmon Event ID 3: LDAP network connection (port 389) from adfind.exe to the domain controller IP. Security Event ID 4662 on the DC showing directory object access for the trustedDomain class. File creation of adfind.exe triggers Sysmon Event ID 11 if the binary was just dropped.
Test 5PowerShell .NET GetAllTrustRelationships via DirectoryServices
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'GetAllTrustRelationships' and 'System.DirectoryServices.ActiveDirectory.Domain'. PowerShell ScriptBlock Log Event ID 4104. Outbound LDAP connection (port 389) to a domain controller to resolve trust objects.

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1482 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Related Techniques

T1087.002Domain Account T1069.002Domain Groups T1550.003Pass the Ticket T1134.005SID-History Injection T1558.003Kerberoasting T1615Group Policy Discovery T1016System Network Configuration Discovery T1021.002SMB/Windows Admin Shares T1059.001PowerShell

Detect Domain Trust Discovery in Google Chronicle

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1482

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1482

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox