T1482 Splunk · SPL

Detect Domain Trust Discovery in Splunk

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe, AdFind, PowerShell .NET methods (Get-ADTrust, GetAllTrustRelationships), LDAP queries, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. Widely observed in ransomware pre-encryption reconnaissance by groups including BlackByte, Akira, QakBot, IcedID, and Chimera.

MITRE ATT&CK

Tactic
Discovery
Technique
T1482 Domain Trust Discovery
Canonical reference
https://attack.mitre.org/techniques/T1482/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval Image=lower(Image), CommandLine=lower(CommandLine), ParentImage=lower(ParentImage)
// Classify tool used
| eval TrustTool=case(
    match(Image, "nltest\.exe$"), "nltest",
    match(Image, "adfind(64)?\.exe$"), "adfind",
    match(Image, "(powershell|pwsh)\.exe$"), "powershell",
    true(), "other"
  )
// Flag nltest domain trust arguments
| eval NltestTrust=if(
    match(Image, "nltest\.exe$") AND match(CommandLine, "(/domain_trusts|/all_trusts|/dclist:|/trusted_domains)"),
    1, 0
  )
// Flag AdFind trust-related LDAP queries
| eval AdfindTrust=if(
    match(Image, "adfind(64)?\.exe$") AND match(CommandLine, "(trustdmp|trusteddomain|objectclass=trusteddomain|objectcategory=trusteddomain)"),
    1, 0
  )
// Flag PowerShell .NET / AD module trust enumeration
| eval PsTrust=if(
    match(Image, "(powershell|pwsh)\.exe$") AND match(CommandLine, "(get-adtrust|getalltrustrelationships|dsenumeratedomaintrusts|getcurrentdomaintrustrelationships|system\.directoryservices\.activedirectory\.domain|netapi32)"),
    1, 0
  )
// Summarise relevance
| eval TrustScore=NltestTrust + AdfindTrust + PsTrust
| where TrustScore > 0
| eval TrustMethod=case(
    NltestTrust=1 AND match(CommandLine, "/domain_trusts"), "nltest-domain_trusts",
    NltestTrust=1 AND match(CommandLine, "/dclist"), "nltest-dclist",
    AdfindTrust=1 AND match(CommandLine, "trustdmp"), "adfind-trustdmp",
    AdfindTrust=1, "adfind-ldap-trust",
    PsTrust=1 AND match(CommandLine, "get-adtrust"), "ps-Get-ADTrust",
    PsTrust=1 AND match(CommandLine, "getalltrustrelationships"), "ps-GetAllTrustRelationships",
    PsTrust=1 AND match(CommandLine, "dsenumeratedomaintrusts"), "ps-DSEnumerateDomainTrusts",
    true(), "unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TrustTool, TrustMethod, TrustScore
| sort - _time
medium severity high confidence

Detects domain trust discovery using Sysmon Event ID 1 (Process Creation). Classifies activity across three tool categories: nltest.exe with /domain_trusts or /dclist arguments, AdFind/AdFind64 with trustdmp or LDAP objectclass=trusteddomain filters, and PowerShell using AD module Get-ADTrust or .NET GetAllTrustRelationships/DSEnumerateDomainTrusts. Assigns a TrustScore and TrustMethod label to enable priority triage and downstream correlation.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Domain administrators running nltest /domain_trusts as part of AD health checks or troubleshooting connectivity between trusted domains
  • IT infrastructure monitoring tools (SolarWinds, ManageEngine AD Manager) that enumerate trust relationships for topology mapping and alerting
  • Scripted onboarding or provisioning automation that calls Get-ADTrust to validate forest membership before deploying resources
  • Penetration testing or red team exercises with pre-approved scope documents — verify against change management records
  • SIEM/SOAR playbooks that enumerate domain trusts to populate CMDB or enrich security incidents
Download portable Sigma rule (.yml)

Other platforms for T1482

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1nltest Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine containing '/domain_trusts /all_trusts'. Security Event ID 4688 (if command line auditing enabled). Network traffic: LDAP queries (port 389) to the domain controller to resolve trust objects.

  2. Test 2nltest DC List Enumeration by Domain

    Expected signal: Sysmon Event ID 1: Process Create with Image=nltest.exe, CommandLine containing '/dclist:'. DNS resolution queries for _ldap._tcp.dc._msdcs.<domain> and Kerberos (port 88) or LDAP (port 389) outbound connections to domain controllers.

  3. Test 3PowerShell Get-ADTrust Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with the full command. LDAP traffic (port 389/636) to a domain controller querying the trustedDomain object class. Security Event ID 4662 on the DC for directory object access.

  4. Test 4AdFind Trust Dump via LDAP

    Expected signal: Sysmon Event ID 1: Process Create with Image matching adfind.exe, CommandLine containing '(objectcategory=trusteddomain)'. Sysmon Event ID 3: LDAP network connection (port 389) from adfind.exe to the domain controller IP. Security Event ID 4662 on the DC showing directory object access for the trustedDomain class. File creation of adfind.exe triggers Sysmon Event ID 11 if the binary was just dropped.

  5. Test 5PowerShell .NET GetAllTrustRelationships via DirectoryServices

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'GetAllTrustRelationships' and 'System.DirectoryServices.ActiveDirectory.Domain'. PowerShell ScriptBlock Log Event ID 4104. Outbound LDAP connection (port 389) to a domain controller to resolve trust objects.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1482 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1087.002Domain AccountT1069.002Domain GroupsT1550.003Pass the TicketT1134.005SID-History InjectionT1558.003KerberoastingT1615Group Policy DiscoveryT1016System Network Configuration DiscoveryT1021.002SMB/Windows Admin SharesT1059.001PowerShell

Same Tactic: Discovery

Popular Detections