T1482 Elastic Security · Elastic

Detect Domain Trust Discovery in Elastic Security

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe, AdFind, PowerShell .NET methods (Get-ADTrust, GetAllTrustRelationships), LDAP queries, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. Widely observed in ransomware pre-encryption reconnaissance by groups including BlackByte, Akira, QakBot, IcedID, and Chimera.

MITRE ATT&CK

Tactic
Discovery
Technique
T1482 Domain Trust Discovery
Canonical reference
https://attack.mitre.org/techniques/T1482/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where event.type == "start" and
    (
      (process.name : ("nltest.exe", "adfind.exe", "adfind64.exe") and
        process.args : ("/domain_trusts", "/all_trusts", "/dclist:*", "/trusted_domains", "trustdmp", "trustedDomain", "objectclass=trusteddomain", "-f*(objectcategory=trusteddomain)*"))
      or
      (process.name : ("powershell.exe", "pwsh.exe") and
        process.args : ("Get-ADTrust", "GetAllTrustRelationships", "DSEnumerateDomainTrusts", "GetCurrentDomainTrustRelationships", "GetTrustedDomains", "System.DirectoryServices.ActiveDirectory.Domain", "netapi32", "DsEnumerateDomainTrusts"))
    )
  ] by process.entity_id
| head 500
high severity high confidence

Detects Domain Trust Discovery (T1482) by identifying process executions of nltest.exe, AdFind, and PowerShell that enumerate Active Directory domain trusts using known arguments and .NET methods. Sequences events per host to correlate multiple trust discovery attempts within a 5-minute window.

Data Sources

Elastic EndpointWinlogbeat with SysmonElastic Agent (process telemetry)

Required Tables

logs-endpoint.events.process-*winlogbeat-*logs-system.*

False Positives & Tuning

  • Domain administrators running nltest.exe as part of routine AD health checks or trust verification scripts
  • IT automation tools (e.g., Ansible, SCCM) that use PowerShell Get-ADTrust for domain inventory reporting
  • Security tools or vulnerability scanners performing Active Directory enumeration as part of authorized assessments
Download portable Sigma rule (.yml)

Other platforms for T1482

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1nltest Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine containing '/domain_trusts /all_trusts'. Security Event ID 4688 (if command line auditing enabled). Network traffic: LDAP queries (port 389) to the domain controller to resolve trust objects.

  2. Test 2nltest DC List Enumeration by Domain

    Expected signal: Sysmon Event ID 1: Process Create with Image=nltest.exe, CommandLine containing '/dclist:'. DNS resolution queries for _ldap._tcp.dc._msdcs.<domain> and Kerberos (port 88) or LDAP (port 389) outbound connections to domain controllers.

  3. Test 3PowerShell Get-ADTrust Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with the full command. LDAP traffic (port 389/636) to a domain controller querying the trustedDomain object class. Security Event ID 4662 on the DC for directory object access.

  4. Test 4AdFind Trust Dump via LDAP

    Expected signal: Sysmon Event ID 1: Process Create with Image matching adfind.exe, CommandLine containing '(objectcategory=trusteddomain)'. Sysmon Event ID 3: LDAP network connection (port 389) from adfind.exe to the domain controller IP. Security Event ID 4662 on the DC showing directory object access for the trustedDomain class. File creation of adfind.exe triggers Sysmon Event ID 11 if the binary was just dropped.

  5. Test 5PowerShell .NET GetAllTrustRelationships via DirectoryServices

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'GetAllTrustRelationships' and 'System.DirectoryServices.ActiveDirectory.Domain'. PowerShell ScriptBlock Log Event ID 4104. Outbound LDAP connection (port 389) to a domain controller to resolve trust objects.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1482 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1087.002Domain AccountT1069.002Domain GroupsT1550.003Pass the TicketT1134.005SID-History InjectionT1558.003KerberoastingT1615Group Policy DiscoveryT1016System Network Configuration DiscoveryT1021.002SMB/Windows Admin SharesT1059.001PowerShell

Same Tactic: Discovery

Popular Detections