Detect Domain Trust Discovery in IBM QRadar
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe, AdFind, PowerShell .NET methods (Get-ADTrust, GetAllTrustRelationships), LDAP queries, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. Widely observed in ransomware pre-encryption reconnaissance by groups including BlackByte, Akira, QakBot, IcedID, and Chimera.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1482 Domain Trust Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1482/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS SourceIP,
username AS Username,
"hostname" AS Hostname,
QIDNAME(qid) AS EventName,
"Process Name" AS ProcessName,
"Command" AS CommandLine,
"Parent Process Name" AS ParentProcessName
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND (
(
LOWER("Process Name") LIKE '%nltest.exe%'
AND (
LOWER("Command") LIKE '%/domain_trusts%'
OR LOWER("Command") LIKE '%/all_trusts%'
OR LOWER("Command") LIKE '%/dclist:%'
OR LOWER("Command") LIKE '%/trusted_domains%'
)
)
OR (
LOWER("Process Name") LIKE '%adfind%'
AND (
LOWER("Command") LIKE '%trustdmp%'
OR LOWER("Command") LIKE '%trusteddomain%'
OR LOWER("Command") LIKE '%objectclass=trusteddomain%'
OR LOWER("Command") LIKE '%objectcategory=trusteddomain%'
)
)
OR (
LOWER("Process Name") LIKE '%powershell%'
AND (
LOWER("Command") LIKE '%get-adtrust%'
OR LOWER("Command") LIKE '%getalltrustrelationships%'
OR LOWER("Command") LIKE '%dsenumeratedomaintrusts%'
OR LOWER("Command") LIKE '%getcurrentdomaintrustrelationships%'
OR LOWER("Command") LIKE '%system.directoryservices.activedirectory.domain%'
OR LOWER("Command") LIKE '%netapi32%'
)
)
)
AND starttime > NOW() - 86400 SECONDS
ORDER BY starttime DESC
LIMIT 500Detects Domain Trust Discovery (T1482) in IBM QRadar by querying Windows Security and Sysmon log sources for process executions of nltest.exe, AdFind variants, and PowerShell with arguments known to enumerate Active Directory domain trusts, forest trusts, and external trust relationships.
Data Sources
Required Tables
False Positives & Tuning
- Scheduled domain health scripts executed by IT operations teams that use nltest.exe /domain_trusts for monitoring
- Enterprise identity management platforms that enumerate trusts via PowerShell AD module during directory synchronization
- Red team or penetration testing engagements using AdFind for authorized Active Directory reconnaissance
Other platforms for T1482
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1nltest Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine containing '/domain_trusts /all_trusts'. Security Event ID 4688 (if command line auditing enabled). Network traffic: LDAP queries (port 389) to the domain controller to resolve trust objects.
- Test 2nltest DC List Enumeration by Domain
Expected signal: Sysmon Event ID 1: Process Create with Image=nltest.exe, CommandLine containing '/dclist:'. DNS resolution queries for _ldap._tcp.dc._msdcs.<domain> and Kerberos (port 88) or LDAP (port 389) outbound connections to domain controllers.
- Test 3PowerShell Get-ADTrust Domain Trust Enumeration
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with the full command. LDAP traffic (port 389/636) to a domain controller querying the trustedDomain object class. Security Event ID 4662 on the DC for directory object access.
- Test 4AdFind Trust Dump via LDAP
Expected signal: Sysmon Event ID 1: Process Create with Image matching adfind.exe, CommandLine containing '(objectcategory=trusteddomain)'. Sysmon Event ID 3: LDAP network connection (port 389) from adfind.exe to the domain controller IP. Security Event ID 4662 on the DC showing directory object access for the trustedDomain class. File creation of adfind.exe triggers Sysmon Event ID 11 if the binary was just dropped.
- Test 5PowerShell .NET GetAllTrustRelationships via DirectoryServices
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'GetAllTrustRelationships' and 'System.DirectoryServices.ActiveDirectory.Domain'. PowerShell ScriptBlock Log Event ID 4104. Outbound LDAP connection (port 389) to a domain controller to resolve trust objects.
References (10)
- https://attack.mitre.org/techniques/T1482/
- https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944
- https://adsecurity.org/?p=1588
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)
- https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships
- https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://www.arcticicwolf.com/resource-library/akira-ransomware-actor-ttps
Unlock Pro Content
Get the full detection package for T1482 including response playbook, investigation guide, and atomic red team tests.