Detect Domain Trust Discovery in CrowdStrike LogScale
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe, AdFind, PowerShell .NET methods (Get-ADTrust, GetAllTrustRelationships), LDAP queries, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. Widely observed in ransomware pre-encryption reconnaissance by groups including BlackByte, Akira, QakBot, IcedID, and Chimera.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1482 Domain Trust Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1482/
LogScale Detection Query
// T1482 - Domain Trust Discovery: nltest, AdFind, PowerShell trust enumeration
#event_simpleName=ProcessRollup2
| FileName = /(?i)(nltest\.exe|adfind(64)?\.exe|powershell\.exe|pwsh\.exe)$/
| CommandLine = /(?i)(/domain_trusts|/all_trusts|/dclist:|/trusted_domains|trustdmp|trustedDomain|objectclass=trusteddomain|objectcategory=trusteddomain|Get-ADTrust|GetAllTrustRelationships|DSEnumerateDomainTrusts|GetCurrentDomainTrustRelationships|GetTrustedDomains|System\.DirectoryServices\.ActiveDirectory\.Domain|netapi32|DsEnumerateDomainTrusts)/
| eval TrustTool = case(
FileName = /(?i)nltest\.exe$/, "nltest",
FileName = /(?i)adfind(64)?\.exe$/, "adfind",
FileName = /(?i)(powershell|pwsh)\.exe$/, "powershell",
true(), "other"
)
| eval TrustMethod = case(
TrustTool = "nltest" AND CommandLine = /(?i)/domain_trusts/, "nltest-domain_trusts",
TrustTool = "nltest" AND CommandLine = /(?i)/dclist/, "nltest-dclist",
TrustTool = "adfind" AND CommandLine = /(?i)trustdmp/, "adfind-trustdmp",
TrustTool = "adfind", "adfind-ldap-trust",
TrustTool = "powershell" AND CommandLine = /(?i)get-adtrust/, "ps-Get-ADTrust",
TrustTool = "powershell" AND CommandLine = /(?i)getalltrustrelationships/, "ps-GetAllTrustRelationships",
TrustTool = "powershell" AND CommandLine = /(?i)dsenumeratedomaintrusts/, "ps-DSEnumerateDomainTrusts",
true(), "unknown"
)
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, TrustTool, TrustMethod])
| sort timestamp descDetects Domain Trust Discovery (T1482) in CrowdStrike Falcon LogScale (CQL) by querying ProcessRollup2 events for nltest.exe, AdFind variants, and PowerShell processes with command-line arguments matching known trust enumeration patterns. Classifies each hit by tool and specific discovery method to support triage.
Data Sources
Required Tables
False Positives & Tuning
- Privileged IT administrators using nltest.exe to diagnose replication or trust issues in multi-domain environments where such usage is routine
- Enterprise Active Directory management tools (e.g., Quest AD Manager, SolarWinds AD Toolset) that internally invoke trust enumeration commands
- Authorized red team or blue team exercises where trust discovery is a documented and approved activity on the target environment
Other platforms for T1482
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1nltest Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine containing '/domain_trusts /all_trusts'. Security Event ID 4688 (if command line auditing enabled). Network traffic: LDAP queries (port 389) to the domain controller to resolve trust objects.
- Test 2nltest DC List Enumeration by Domain
Expected signal: Sysmon Event ID 1: Process Create with Image=nltest.exe, CommandLine containing '/dclist:'. DNS resolution queries for _ldap._tcp.dc._msdcs.<domain> and Kerberos (port 88) or LDAP (port 389) outbound connections to domain controllers.
- Test 3PowerShell Get-ADTrust Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with the full command. LDAP traffic (port 389/636) to a domain controller querying the trustedDomain object class. Security Event ID 4662 on the DC for directory object access.
- Test 4AdFind Trust Dump via LDAP
Expected signal: Sysmon Event ID 1: Process Create with Image matching adfind.exe, CommandLine containing '(objectcategory=trusteddomain)'. Sysmon Event ID 3: LDAP network connection (port 389) from adfind.exe to the domain controller IP. Security Event ID 4662 on the DC showing directory object access for the trustedDomain class. File creation of adfind.exe triggers Sysmon Event ID 11 if the binary was just dropped.
- Test 5PowerShell .NET GetAllTrustRelationships via DirectoryServices
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'GetAllTrustRelationships' and 'System.DirectoryServices.ActiveDirectory.Domain'. PowerShell ScriptBlock Log Event ID 4104. Outbound LDAP connection (port 389) to a domain controller to resolve trust objects.
References (10)
- https://attack.mitre.org/techniques/T1482/
- https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944
- https://adsecurity.org/?p=1588
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)
- https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships
- https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://www.arcticicwolf.com/resource-library/akira-ransomware-actor-ttps
Unlock Pro Content
Get the full detection package for T1482 including response playbook, investigation guide, and atomic red team tests.