T1590.003

Network Trust Dependencies

Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. This includes identifying second or third-party organizations such as managed service providers (MSPs), contractors, and partner organizations that have privileged or elevated network access to the target environment. Adversaries gather this information through direct elicitation (spear phishing for information), public sources (LinkedIn, company websites, job postings revealing MSP/vendor relationships), WHOIS/DNS records, and Active Directory trust enumeration once they have initial internal access. Internally, this manifests as enumeration of Active Directory domain and forest trusts using built-in tools (nltest.exe, netdom.exe), PowerShell AD cmdlets (Get-ADTrust, Get-ADForest), or LDAP queries targeting trustedDomain objects. Externally, adversaries may discover trust relationships from public BGP routing data, certificate transparency logs, or OSINT tools targeting organizational infrastructure. The intelligence gathered enables attacks via trusted third-party relationships (T1199), supply chain compromise (T1195), or credential abuse against MSP-managed accounts.

Microsoft Sentinel / Defender

kusto

let TrustEnumProcesses = dynamic(["nltest.exe", "netdom.exe"]);
let TrustEnumPSPatterns = dynamic([
  "Get-ADTrust", "Get-ADForest", "Get-ADDomain",
  "domain_trusts", "/domain_trusts", "/all_trusts", "/trusted_domains",
  "TRUST_QUERY_INFO", "LSA_TRUSTED_DOMAIN_INFO",
  "NetEnumerateTrustedDomains", "DsEnumerateDomainTrusts",
  "trustedDomain", "trustDirection", "trustAttributes"
]);
let NltestTrustArgs = dynamic([
  "/domain_trusts", "/all_trusts", "/trusted_domains",
  "/dclist", "/dsgetsite", "/parentdomain"
]);
// Branch 1: Direct trust enumeration tools
let ProcessBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "nltest.exe" and ProcessCommandLine has_any (NltestTrustArgs))
    or (FileName =~ "netdom.exe" and ProcessCommandLine has_any ("trust", "query", "/enumerate_principals"))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (TrustEnumPSPatterns))
    or (FileName =~ "net.exe" and ProcessCommandLine has "/domain")
    or (FileName =~ "dsquery.exe" and ProcessCommandLine has_any ("trustedDomain", "trust"))
| extend DetectionType = case(
    FileName =~ "nltest.exe", "NltestTrustEnum",
    FileName =~ "netdom.exe", "NetdomTrustEnum",
    FileName in~ ("powershell.exe", "pwsh.exe"), "PowerShellADTrustEnum",
    FileName =~ "net.exe", "NetViewDomainEnum",
    "DsqueryTrustEnum"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Branch 2: Security Event 4662 — LDAP access to trustedDomain objects
let LDAPBranch = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4662
| where ObjectType has_any ("trustedDomain", "domainDNS")
| where AccessMask in ("0x100", "0x20000", "0x1") // READ_PROPERTY, CONTROL_ACCESS, READ_GENERAL
| extend DetectionType = "LDAPTrustedDomainAccess"
| project Timestamp=TimeGenerated, DeviceName=Computer, AccountName=SubjectUserName,
         FileName=tostring(""), ProcessCommandLine=ObjectName,
         InitiatingProcessFileName=tostring(""), InitiatingProcessCommandLine=tostring(""),
         DetectionType;
union ProcessBranch, LDAPBranch
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation DS0026: Active Directory Object Access Microsoft Defender for Endpoint Microsoft Sentinel SecurityEvent (Windows Security Log)

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

Domain administrators legitimately running nltest.exe /domain_trusts during infrastructure audits or troubleshooting inter-domain authentication issues
Automated monitoring scripts using Get-ADTrust or Get-ADForest to verify trust health and alert on unexpected trust additions
Identity governance tools (SailPoint, Saviynt, CyberArk) that enumerate domain trusts during discovery scans
Microsoft Entra Connect (Azure AD Connect) synchronization service regularly querying forest/domain trust topology
IT helpdesk staff troubleshooting cross-domain resource access using netdom.exe or nltest.exe
Security posture assessment tools (Bloodhound Enterprise, Purple Knight) authorized to enumerate AD trust relationships

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (sourcetype="WinEventLog:Security" EventCode=4662)
)
| eval DetectionBranch=case(
    EventCode=1 AND (match(Image, "(?i)\\\\nltest\.exe$") AND match(CommandLine, "(?i)(/domain_trusts|/all_trusts|/trusted_domains|/dclist|/parentdomain)")), "NltestTrustEnum",
    EventCode=1 AND (match(Image, "(?i)\\\\netdom\.exe$") AND match(CommandLine, "(?i)(trust|query|enumerate_principals)")), "NetdomTrustEnum",
    EventCode=1 AND (match(Image, "(?i)\\\\(powershell|pwsh)\.exe$") AND match(CommandLine, "(?i)(Get-ADTrust|Get-ADForest|Get-ADDomain|domain_trusts|trustedDomain|trustDirection|trustAttributes|DsEnumerateDomainTrusts)")), "PowerShellADTrustEnum",
    EventCode=1 AND (match(Image, "(?i)\\\\net\.exe$") AND match(CommandLine, "(?i)/domain")), "NetViewDomainEnum",
    EventCode=1 AND (match(Image, "(?i)\\\\dsquery\.exe$") AND match(CommandLine, "(?i)(trustedDomain|trust)")), "DsqueryTrustEnum",
    EventCode=4662 AND match(ObjectType, "(?i)(trustedDomain|domainDNS)"), "LDAPTrustedDomainAccess",
    true(), null()
  )
| where isnotnull(DetectionBranch)
| eval Actor=case(
    EventCode=1, User,
    EventCode=4662, SubjectUserName,
    "unknown"
  )
| eval TargetObject=case(
    EventCode=1, CommandLine,
    EventCode=4662, ObjectName,
    ""
  )
| eval ParentProcess=case(
    EventCode=1, ParentImage,
    true(), ""
  )
| table _time, host, Actor, Image, TargetObject, ParentProcess, DetectionBranch
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation DS0026: Active Directory Object Access Sysmon Event ID 1 Windows Security Event ID 4662

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Domain administrators legitimately running nltest.exe /domain_trusts during infrastructure audits or troubleshooting inter-domain authentication issues
Automated monitoring scripts using Get-ADTrust or Get-ADForest to verify trust health and alert on unexpected trust additions
Identity governance tools (SailPoint, Saviynt, CyberArk) that enumerate domain trusts during discovery scans
Microsoft Entra Connect (Azure AD Connect) synchronization service regularly querying forest/domain trust topology
IT helpdesk staff troubleshooting cross-domain resource access using netdom.exe or nltest.exe
Security posture assessment tools (Bloodhound Enterprise, Purple Knight) authorized to enumerate AD trust relationships

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "QIDNAME"(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  "filename",
  "commandline",
  "parentprocessname",
  CASE
    WHEN LOWER("filename") LIKE '%nltest.exe%'
      AND (LOWER("commandline") LIKE '%/domain_trusts%'
           OR LOWER("commandline") LIKE '%/all_trusts%'
           OR LOWER("commandline") LIKE '%/trusted_domains%'
           OR LOWER("commandline") LIKE '%/dclist%'
           OR LOWER("commandline") LIKE '%/parentdomain%')
      THEN 'NltestTrustEnum'
    WHEN LOWER("filename") LIKE '%netdom.exe%'
      AND (LOWER("commandline") LIKE '%trust%'
           OR LOWER("commandline") LIKE '%query%'
           OR LOWER("commandline") LIKE '%enumerate_principals%')
      THEN 'NetdomTrustEnum'
    WHEN (LOWER("filename") LIKE '%powershell.exe%' OR LOWER("filename") LIKE '%pwsh.exe%')
      AND (LOWER("commandline") LIKE '%get-adtrust%'
           OR LOWER("commandline") LIKE '%get-adforest%'
           OR LOWER("commandline") LIKE '%get-addomain%'
           OR LOWER("commandline") LIKE '%trustedDomain%'
           OR LOWER("commandline") LIKE '%trustdirection%'
           OR LOWER("commandline") LIKE '%dsenumeratedomaintrusts%')
      THEN 'PowerShellADTrustEnum'
    WHEN LOWER("filename") LIKE '%net.exe%'
      AND LOWER("commandline") LIKE '%/domain%'
      THEN 'NetViewDomainEnum'
    WHEN LOWER("filename") LIKE '%dsquery.exe%'
      AND (LOWER("commandline") LIKE '%trusteddomain%'
           OR LOWER("commandline") LIKE '%trust%')
      THEN 'DsqueryTrustEnum'
    WHEN "EventID" = '4662'
      AND (LOWER("ObjectType") LIKE '%trusteddomain%'
           OR LOWER("ObjectType") LIKE '%domaindns%')
      THEN 'LDAPTrustedDomainAccess'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15)  -- Windows Security, Sysmon, Windows Application, System
  AND starttime > NOW() - 86400 SECONDS
  AND (
    ("EventID" IN ('1', '4688') AND (
      (LOWER("filename") LIKE '%nltest.exe%' AND (
        LOWER("commandline") LIKE '%/domain_trusts%'
        OR LOWER("commandline") LIKE '%/all_trusts%'
        OR LOWER("commandline") LIKE '%/trusted_domains%'
        OR LOWER("commandline") LIKE '%/dclist%'
        OR LOWER("commandline") LIKE '%/parentdomain%'
      ))
      OR (LOWER("filename") LIKE '%netdom.exe%' AND (
        LOWER("commandline") LIKE '%trust%'
        OR LOWER("commandline") LIKE '%query%'
      ))
      OR ((LOWER("filename") LIKE '%powershell.exe%' OR LOWER("filename") LIKE '%pwsh.exe%') AND (
        LOWER("commandline") LIKE '%get-adtrust%'
        OR LOWER("commandline") LIKE '%get-adforest%'
        OR LOWER("commandline") LIKE '%trustedDomain%'
        OR LOWER("commandline") LIKE '%dsenumeratedomaintrusts%'
      ))
      OR (LOWER("filename") LIKE '%dsquery.exe%' AND LOWER("commandline") LIKE '%trusteddomain%')
    ))
    OR ("EventID" = '4662' AND (
      LOWER("ObjectType") LIKE '%trusteddomain%'
      OR LOWER("ObjectType") LIKE '%domaindns%'
    ) AND "AccessMask" IN ('0x100', '0x20000', '0x1'))
  )
ORDER BY starttime DESC

medium severity medium confidence

Data Sources

Windows Security Event Log (WinCollect or DSM) Microsoft Sysmon via WinCollect Windows Event Log DSM

Required Tables

events

False Positives

Domain admin helpdesk tooling querying trust relationships for support tickets or user access troubleshooting
Centralized IAM platforms (SailPoint, CyberArk) performing periodic AD forest discovery to update access model
Backup and DR tools enumerating domain topology for cross-domain restore operations

Sumo Logic CSE

sql

_sourceCategory=windows* ("nltest.exe" OR "netdom.exe" OR "powershell.exe" OR "pwsh.exe" OR "dsquery.exe" OR "net.exe" OR EventCode=4662)
| parse field=_raw "<EventID>*</EventID>" as EventCode nodrop
| parse field=_raw "<Image>*</Image>" as Image nodrop
| parse field=_raw "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse field=_raw "<ParentImage>*</ParentImage>" as ParentImage nodrop
| parse field=_raw "<User>*</User>" as Actor nodrop
| parse field=_raw "<SubjectUserName>*</SubjectUserName>" as SubjectUser nodrop
| parse field=_raw "<ObjectType>*</ObjectType>" as ObjectType nodrop
| parse field=_raw "<ObjectName>*</ObjectName>" as ObjectName nodrop
| parse field=_raw "<AccessMask>*</AccessMask>" as AccessMask nodrop
| parse field=_raw "<Computer>*</Computer>" as Computer nodrop
| where (
    (EventCode = "1" and (
      (matches(Image, "(?i).*\\nltest\.exe$") and matches(CommandLine, "(?i)(/domain_trusts|/all_trusts|/trusted_domains|/dclist|/parentdomain|/dsgetsite)"))
      or (matches(Image, "(?i).*\\netdom\.exe$") and matches(CommandLine, "(?i)(trust|query|enumerate_principals)"))
      or (matches(Image, "(?i).*\\(powershell|pwsh)\.exe$") and matches(CommandLine, "(?i)(Get-ADTrust|Get-ADForest|Get-ADDomain|trustedDomain|trustDirection|trustAttributes|DsEnumerateDomainTrusts|NetEnumerateTrustedDomains)"))
      or (matches(Image, "(?i).*\\net\.exe$") and matches(CommandLine, "(?i)/domain"))
      or (matches(Image, "(?i).*\\dsquery\.exe$") and matches(CommandLine, "(?i)(trustedDomain|trust)"))
    ))
    or (EventCode = "4662" and matches(ObjectType, "(?i)(trustedDomain|domainDNS)") and AccessMask in ("0x100", "0x20000", "0x1"))
  )
| eval DetectionType = if(EventCode = "1" and matches(Image, "(?i).*\\nltest\.exe$"), "NltestTrustEnum",
    if(EventCode = "1" and matches(Image, "(?i).*\\netdom\.exe$"), "NetdomTrustEnum",
    if(EventCode = "1" and matches(Image, "(?i).*\\(powershell|pwsh)\.exe$"), "PowerShellADTrustEnum",
    if(EventCode = "1" and matches(Image, "(?i).*\\net\.exe$"), "NetViewDomainEnum",
    if(EventCode = "1" and matches(Image, "(?i).*\\dsquery\.exe$"), "DsqueryTrustEnum",
    if(EventCode = "4662", "LDAPTrustedDomainAccess", "Unknown"))))))
| eval EffectiveActor = if(!isNull(Actor) and Actor != "", Actor, SubjectUser)
| eval TargetObject = if(EventCode = "1", CommandLine, ObjectName)
| fields _messageTime, Computer, EffectiveActor, Image, TargetObject, ParentImage, DetectionType
| sort by _messageTime desc

medium severity medium confidence

Data Sources

Windows Sysmon (via Sumo Logic Windows Agent) Windows Security Event Log Sumo Logic Installed Collector on domain controllers

Required Tables

windows* source category with Sysmon and Security channels

False Positives

Enterprise monitoring products (Nagios, SCOM, Datadog Agent) running AD health checks that include trust status queries
Privileged Access Management (PAM) solutions enumerating forest trusts during session brokering for cross-domain access
Active Directory documentation and auditing tools run by identity governance teams during quarterly access reviews

Google Chronicle / SecOps

yaral

rule t1590_003_network_trust_dependency_enumeration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects enumeration of Active Directory trust relationships via process execution or LDAP directory access. Covers nltest.exe, netdom.exe, PowerShell AD cmdlets, dsquery.exe, and Event ID 4662 trustedDomain object access (T1590.003)."
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.003"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    (
      // Branch 1a: nltest.exe with trust enumeration arguments
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)\\nltest\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)/domain_trusts`) or
          re.regex($e.target.process.command_line, `(?i)/all_trusts`) or
          re.regex($e.target.process.command_line, `(?i)/trusted_domains`) or
          re.regex($e.target.process.command_line, `(?i)/dclist`) or
          re.regex($e.target.process.command_line, `(?i)/parentdomain`) or
          re.regex($e.target.process.command_line, `(?i)/dsgetsite`)
        )
      )
      or
      // Branch 1b: netdom.exe trust operations
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)\\netdom\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)(trust|query|enumerate_principals)`)
        )
      )
      or
      // Branch 1c: PowerShell AD trust cmdlets
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)(Get-ADTrust|Get-ADForest|Get-ADDomain)`) or
          re.regex($e.target.process.command_line, `(?i)(trustedDomain|trustDirection|trustAttributes)`) or
          re.regex($e.target.process.command_line, `(?i)(DsEnumerateDomainTrusts|NetEnumerateTrustedDomains)`)
        )
      )
      or
      // Branch 1d: dsquery.exe targeting trust objects
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)\\dsquery\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(trustedDomain|trust)`)
      )
      or
      // Branch 2: LDAP directory access to trustedDomain objects (Event ID 4662)
      (
        $e.metadata.event_type = "USER_RESOURCE_ACCESS"
        and $e.metadata.product_event_type = "4662"
        and (
          re.regex($e.target.resource.name, `(?i)(trustedDomain|domainDNS)`)
        )
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Windows Event Logs ingested into Chronicle via Chronicle Forwarder or BindPlane Google Chronicle UDM normalized events Microsoft Windows Sysmon forwarded to Chronicle

Required Tables

UDM events with metadata.event_type PROCESS_LAUNCH and USER_RESOURCE_ACCESS

False Positives

Microsoft Identity Manager (MIM) or Entra Connect sync agents enumerating AD trusts during synchronization cycles
Red team or penetration testing exercises authorized by the security team using standard AD enumeration tooling
Automated onboarding scripts for new domain-joined servers that query trust topology to configure Kerberos delegation settings

CrowdStrike LogScale (CQL)

cql

// Branch 1: Process-based trust enumeration via Falcon sensor telemetry
#event_simpleName = ProcessRollup2
| FileName = /(?i)(nltest|netdom|powershell|pwsh|dsquery|net)\.exe$/
| case {
    FileName = /(?i)nltest\.exe$/ AND CommandLine = /(?i)(/domain_trusts|/all_trusts|/trusted_domains|/dclist|/parentdomain|/dsgetsite)/ | DetectionType := "NltestTrustEnum";
    FileName = /(?i)netdom\.exe$/ AND CommandLine = /(?i)(trust|query|enumerate_principals)/ | DetectionType := "NetdomTrustEnum";
    FileName = /(?i)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(Get-ADTrust|Get-ADForest|Get-ADDomain|trustedDomain|trustDirection|trustAttributes|DsEnumerateDomainTrusts|NetEnumerateTrustedDomains)/ | DetectionType := "PowerShellADTrustEnum";
    FileName = /(?i)dsquery\.exe$/ AND CommandLine = /(?i)(trustedDomain|trust)/ | DetectionType := "DsqueryTrustEnum";
    FileName = /(?i)net\.exe$/ AND CommandLine = /(?i)/domain/ | DetectionType := "NetViewDomainEnum";
    * | DetectionType := null()
  }
| DetectionType != null()
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionType])
| sort(timestamp, order=desc)

// Union Branch 2: DNS-based trust discovery (supplemental — Falcon DNS events)
// Uncomment and run separately if needed:
// #event_simpleName = DnsRequest
// | DomainName = /(?i)(\._msdcs\.|trusteddomain|forestdnszones)/
// | table([timestamp, ComputerName, UserName, DomainName, RequestType])
// | sort(timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Sensor (EDR telemetry) Falcon Data Replicator (FDR) ProcessRollup2 events Falcon DnsRequest events for DNS branch

Required Tables

ProcessRollup2 DnsRequest (supplemental)

False Positives

CrowdStrike Falcon sensor itself or other endpoint security products performing AD topology discovery for sensor deployment scoping
SIEM and SOAR platforms ingesting AD trust data for enrichment pipelines or automated incident response playbooks
Group Policy management tools (GPMC, PolicyPak) enumerating cross-domain trusts to validate GPO scope and link order across forest boundaries

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1590.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1590Gather Victim Network Information

Related Sub-techniques

T1590.001Domain Properties T1590.002DNS T1590.004Network Topology T1590.005IP Addresses T1590.006Network Security Appliances

Network Trust Dependencies

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections