T1482 Microsoft Sentinel · KQL

Detect Domain Trust Discovery in Microsoft Sentinel

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe, AdFind, PowerShell .NET methods (Get-ADTrust, GetAllTrustRelationships), LDAP queries, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. Widely observed in ransomware pre-encryption reconnaissance by groups including BlackByte, Akira, QakBot, IcedID, and Chimera.

MITRE ATT&CK

Tactic
Discovery
Technique
T1482 Domain Trust Discovery
Canonical reference
https://attack.mitre.org/techniques/T1482/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let NltestTrustArgs = dynamic([
  "/domain_trusts", "/all_trusts", "/dclist:", "/trusted_domains",
  "/domain_trusts /all_trusts"
]);
let AdfindTrustArgs = dynamic([
  "trustdmp", "trustedDomain", "objectclass=trusteddomain",
  "-f\"(objectcategory=trusteddomain)\"", "-f (objectcategory=trusteddomain)"
]);
let PsTrustPatterns = dynamic([
  "Get-ADTrust", "GetAllTrustRelationships", "DSEnumerateDomainTrusts",
  "GetCurrentDomainTrustRelationships", "GetTrustedDomains",
  "System.DirectoryServices.ActiveDirectory.Domain",
  "netapi32", "DsEnumerateDomainTrusts"
]);
let TrustBinaries = dynamic(["nltest.exe", "adfind.exe", "adfind64.exe"]);
// Branch 1: nltest.exe and AdFind direct execution
let BinaryTrustDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (TrustBinaries)
| where ProcessCommandLine has_any (NltestTrustArgs)
    or (FileName =~"adfind.exe" and ProcessCommandLine has_any (AdfindTrustArgs))
    or (FileName =~"adfind64.exe" and ProcessCommandLine has_any (AdfindTrustArgs))
| extend TrustTool = "nltest/adfind"
| extend TrustMethod = case(
    ProcessCommandLine has "/domain_trusts", "nltest-domain_trusts",
    ProcessCommandLine has "/dclist", "nltest-dclist",
    ProcessCommandLine has "trustdmp", "adfind-trustdmp",
    ProcessCommandLine has "trusteddomain", "adfind-ldap-trust",
    "other"
);
// Branch 2: PowerShell and .NET-based trust enumeration
let PsTrustDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (PsTrustPatterns)
| extend TrustTool = "PowerShell"
| extend TrustMethod = case(
    ProcessCommandLine has "Get-ADTrust", "ps-Get-ADTrust",
    ProcessCommandLine has "GetAllTrustRelationships", "ps-GetAllTrustRelationships",
    ProcessCommandLine has "DSEnumerateDomainTrusts", "ps-DSEnumerateDomainTrusts",
    "ps-other"
);
// Branch 3: net.exe commands revealing domain/forest info used in trust context
let NetTrustDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has_any ("view /domain", "group \"Domain Admins\"")
    and InitiatingProcessFileName in~ ("nltest.exe", "adfind.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend TrustTool = "net.exe"
| extend TrustMethod = "net-domain-enum";
union BinaryTrustDiscovery, PsTrustDiscovery, NetTrustDiscovery
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName,
         TrustTool, TrustMethod
| sort by Timestamp desc
medium severity high confidence

Detects domain trust enumeration using three branches: (1) nltest.exe and AdFind with trust-specific arguments (/domain_trusts, /all_trusts, trustdmp, objectclass=trusteddomain), (2) PowerShell and .NET methods for trust discovery (Get-ADTrust, GetAllTrustRelationships, DSEnumerateDomainTrusts), and (3) net.exe domain group/view commands spawned by known discovery parent processes. Uses union to correlate all three paths into a single result set with classification of discovery method.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Domain administrators running nltest /domain_trusts as part of AD health checks or troubleshooting connectivity between trusted domains
  • IT infrastructure monitoring tools (SolarWinds, ManageEngine AD Manager) that enumerate trust relationships for topology mapping and alerting
  • Scripted onboarding or provisioning automation that calls Get-ADTrust to validate forest membership before deploying resources
  • Penetration testing or red team exercises with pre-approved scope documents — verify against change management records
  • SIEM/SOAR playbooks that enumerate domain trusts to populate CMDB or enrich security incidents
Download portable Sigma rule (.yml)

Other platforms for T1482

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1nltest Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine containing '/domain_trusts /all_trusts'. Security Event ID 4688 (if command line auditing enabled). Network traffic: LDAP queries (port 389) to the domain controller to resolve trust objects.

  2. Test 2nltest DC List Enumeration by Domain

    Expected signal: Sysmon Event ID 1: Process Create with Image=nltest.exe, CommandLine containing '/dclist:'. DNS resolution queries for _ldap._tcp.dc._msdcs.<domain> and Kerberos (port 88) or LDAP (port 389) outbound connections to domain controllers.

  3. Test 3PowerShell Get-ADTrust Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with the full command. LDAP traffic (port 389/636) to a domain controller querying the trustedDomain object class. Security Event ID 4662 on the DC for directory object access.

  4. Test 4AdFind Trust Dump via LDAP

    Expected signal: Sysmon Event ID 1: Process Create with Image matching adfind.exe, CommandLine containing '(objectcategory=trusteddomain)'. Sysmon Event ID 3: LDAP network connection (port 389) from adfind.exe to the domain controller IP. Security Event ID 4662 on the DC showing directory object access for the trustedDomain class. File creation of adfind.exe triggers Sysmon Event ID 11 if the binary was just dropped.

  5. Test 5PowerShell .NET GetAllTrustRelationships via DirectoryServices

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'GetAllTrustRelationships' and 'System.DirectoryServices.ActiveDirectory.Domain'. PowerShell ScriptBlock Log Event ID 4104. Outbound LDAP connection (port 389) to a domain controller to resolve trust objects.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1482 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1087.002Domain AccountT1069.002Domain GroupsT1550.003Pass the TicketT1134.005SID-History InjectionT1558.003KerberoastingT1615Group Policy DiscoveryT1016System Network Configuration DiscoveryT1021.002SMB/Windows Admin SharesT1059.001PowerShell

Same Tactic: Discovery

Popular Detections