T1482 Sumo Logic CSE · Sumo

Detect Domain Trust Discovery in Sumo Logic CSE

Adversaries may attempt to gather information on domain trust relationships that can be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe, AdFind, PowerShell .NET methods (Get-ADTrust, GetAllTrustRelationships), LDAP queries, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. It is widely observed in ransomware pre-encryption reconnaissance by threat actors and malware families including BlackByte, Akira, QakBot, IcedID, and Chimera.

MITRE ATT&CK

Tactic
Discovery
Technique
T1482 Domain Trust Discovery
Canonical reference
https://attack.mitre.org/techniques/T1482/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*
| parse field=_raw "<EventID>*</EventID>" as EventID nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as ProcessImage nodrop
// Security 4688 records carry the executable in NewProcessName rather than Image
| parse field=_raw "<Data Name='NewProcessName'>*</Data>" as NewProcessName nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as UserName nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as ComputerName nodrop
| where EventID in ("1", "4688")
// Sumo assigns computed fields with "expression as field"; fall back to NewProcessName for 4688
| if(isNull(ProcessImage), NewProcessName, ProcessImage) as ProcessImage
| toLowerCase(ProcessImage) as ProcessName
| toLowerCase(CommandLine) as CmdLine
// Classify trust tool
| if(ProcessName matches "*nltest.exe*", "nltest",
    if(ProcessName matches "*adfind*", "adfind",
    if(ProcessName matches "*powershell*" or ProcessName matches "*pwsh*", "powershell", "other"))) as TrustTool
// Score by technique
| if(TrustTool = "nltest" and (
    CmdLine matches "*/domain_trusts*" or CmdLine matches "*/all_trusts*" or
    CmdLine matches "*/dclist:*" or CmdLine matches "*/trusted_domains*"), 1, 0) as NltestHit
| if(TrustTool = "adfind" and (
    CmdLine matches "*trustdmp*" or CmdLine matches "*trusteddomain*" or
    CmdLine matches "*objectclass=trusteddomain*" or CmdLine matches "*objectcategory=trusteddomain*"), 1, 0) as AdfindHit
| if(TrustTool = "powershell" and (
    CmdLine matches "*get-adtrust*" or CmdLine matches "*getalltrustrelationships*" or
    CmdLine matches "*dsenumeratedomaintrusts*" or CmdLine matches "*getcurrentdomaintrustrelationships*" or
    CmdLine matches "*system.directoryservices.activedirectory.domain*" or CmdLine matches "*netapi32*"), 1, 0) as PsHit
| NltestHit + AdfindHit + PsHit as TrustScore
| where TrustScore > 0
// Label the specific enumeration method for triage
| if(NltestHit = 1 and CmdLine matches "*/domain_trusts*", "nltest-domain_trusts",
    if(NltestHit = 1 and CmdLine matches "*/dclist*", "nltest-dclist",
    if(AdfindHit = 1 and CmdLine matches "*trustdmp*", "adfind-trustdmp",
    if(AdfindHit = 1, "adfind-ldap-trust",
    if(PsHit = 1 and CmdLine matches "*get-adtrust*", "ps-Get-ADTrust",
    if(PsHit = 1 and CmdLine matches "*getalltrustrelationships*", "ps-GetAllTrustRelationships",
    if(PsHit = 1 and CmdLine matches "*dsenumeratedomaintrusts*", "ps-DSEnumerateDomainTrusts",
    "unknown"))))))) as TrustMethod
| fields _messagetime, ComputerName, UserName, ProcessImage, CommandLine, ParentImage, TrustTool, TrustMethod, TrustScore
| sort by _messagetime desc
| limit 500

Severity: high. Confidence: high.

Detects Domain Trust Discovery (T1482) in Sumo Logic by parsing Sysmon Event ID 1 or Security Event 4688 process creation logs to identify nltest.exe, AdFind, and PowerShell executions with trust enumeration arguments. Scores each event by technique matched and classifies the discovery method.
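As an added example (not part of the page's query or of Sumo Logic itself), this Python script re-implements the query's parse and classification steps over constructed Sysmon-style XML records, so the logic can be checked offline against the page's test cases before deployment. The event records, host name and user name are made up; the indicator strings and TrustMethod labels mirror the query.

```python
import re

# Indicator substrings the query tests after lower-casing, grouped by tool
NLTEST_ARGS = ("/domain_trusts", "/all_trusts", "/dclist:", "/trusted_domains")
ADFIND_ARGS = ("trustdmp", "trusteddomain")  # also covers objectclass/objectcategory=trusteddomain
PS_ARGS = ("get-adtrust", "getalltrustrelationships", "dsenumeratedomaintrusts",
           "getcurrentdomaintrustrelationships", "system.directoryservices.activedirectory.domain", "netapi32")
PS_METHODS = (("get-adtrust", "ps-Get-ADTrust"),
              ("getalltrustrelationships", "ps-GetAllTrustRelationships"),
              ("dsenumeratedomaintrusts", "ps-DSEnumerateDomainTrusts"))

def parse_event(raw):
    """Extract EventID and the Data fields the query parses from one event XML record."""
    m = re.search(r"<EventID>(\d+)</EventID>", raw)
    ev = {"EventID": m.group(1) if m else None}
    for name, key in (("Image", "ProcessImage"), ("CommandLine", "CommandLine"),
                      ("ParentImage", "ParentImage"), ("User", "UserName"), ("Computer", "ComputerName")):
        m = re.search(rf"<Data Name='{name}'>(.*?)</Data>", raw)
        ev[key] = m.group(1) if m else None
    return ev

def classify(ev):
    """Return the query's TrustMethod label, or None when no trust-enumeration indicator matches."""
    if ev["EventID"] not in ("1", "4688") or not ev["ProcessImage"]:
        return None
    proc, cmd = ev["ProcessImage"].lower(), (ev["CommandLine"] or "").lower()
    if "nltest.exe" in proc and any(a in cmd for a in NLTEST_ARGS):
        return "nltest-domain_trusts" if "/domain_trusts" in cmd else (
               "nltest-dclist" if "/dclist" in cmd else "unknown")
    if "adfind" in proc and any(a in cmd for a in ADFIND_ARGS):
        return "adfind-trustdmp" if "trustdmp" in cmd else "adfind-ldap-trust"
    if ("powershell" in proc or "pwsh" in proc) and any(a in cmd for a in PS_ARGS):
        return next((label for needle, label in PS_METHODS if needle in cmd), "unknown")
    return None

def make_event(image, cmdline, user="CORP\\jdoe", eid="1"):
    """Build a constructed Sysmon-style XML record (sample data, not real telemetry)."""
    return (f"<Event><System><EventID>{eid}</EventID></System><EventData>"
            f"<Data Name='Image'>{image}</Data><Data Name='CommandLine'>{cmdline}</Data>"
            f"<Data Name='ParentImage'>C:\\Windows\\System32\\cmd.exe</Data><Data Name='User'>{user}</Data>"
            f"<Data Name='Computer'>WS01.corp.example</Data></EventData></Event>")

# Constructed sample: four of the page's test cases plus two benign process starts
SAMPLE = [
    make_event(r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts /all_trusts"),
    make_event(r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp.example"),
    make_event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-ADTrust -Filter *"),
    make_event(r"C:\Users\jdoe\adfind.exe", "adfind.exe -f (objectcategory=trusteddomain)"),
    make_event(r"C:\Windows\System32\nltest.exe", "nltest /sc_query:corp.example"),  # no trust arguments
    make_event(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

def run_detection(raw_events):
    """Alerts as (ComputerName, UserName, TrustMethod) tuples, like the query's output rows."""
    return [(e["ComputerName"], e["UserName"], m) for e in map(parse_event, raw_events) if (m := classify(e))]
```

Running `run_detection(SAMPLE)` yields four alerts and drops the two benign events; the `/sc_query` case shows why the query keys on trust arguments rather than on nltest.exe alone.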

Data Sources

  • Sysmon via Windows Event Forwarding
  • Windows Security Event Log (4688 with command line auditing enabled)
  • CrowdStrike or Carbon Black endpoint via Sumo Logic HTTP source

Required Tables

Sumo Logic partition containing Windows/Sysmon event logs

False Positives & Tuning

  • Domain controller health monitoring scripts that call nltest periodically to validate replication and trust links
  • Active Directory migration tools that use PowerShell Get-ADTrust or DirectoryServices to catalog existing trusts before migration
  • IT asset inventory platforms that enumerate AD structure including trusts as part of configuration management database (CMDB) population
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: nltest Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine containing '/domain_trusts /all_trusts'. Security Event ID 4688 (if command line auditing enabled). Network traffic: LDAP queries (port 389) to the domain controller to resolve trust objects.

  2. Test 2: nltest DC List Enumeration by Domain

    Expected signal: Sysmon Event ID 1: Process Create with Image=nltest.exe, CommandLine containing '/dclist:'. DNS resolution queries for _ldap._tcp.dc._msdcs.<domain> and Kerberos (port 88) or LDAP (port 389) outbound connections to domain controllers.

  3. Test 3: PowerShell Get-ADTrust Domain Trust Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with the full command. LDAP traffic (port 389/636) to a domain controller querying the trustedDomain object class. Security Event ID 4662 on the DC for directory object access.

  4. Test 4: AdFind Trust Dump via LDAP

    Expected signal: Sysmon Event ID 1: Process Create with Image matching adfind.exe, CommandLine containing '(objectcategory=trusteddomain)'. Sysmon Event ID 3: LDAP network connection (port 389) from adfind.exe to the domain controller IP. Security Event ID 4662 on the DC showing directory object access for the trustedDomain class. File creation of adfind.exe triggers Sysmon Event ID 11 if the binary was just dropped.

  5. Test 5: PowerShell .NET GetAllTrustRelationships via DirectoryServices

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'GetAllTrustRelationships' and 'System.DirectoryServices.ActiveDirectory.Domain'. PowerShell ScriptBlock Log Event ID 4104. Outbound LDAP connection (port 389) to a domain controller to resolve trust objects.
