T1590.003 IBM QRadar · QRadar

Detect Network Trust Dependencies in IBM QRadar

Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. This includes identifying second or third-party organizations such as managed service providers (MSPs), contractors, and partner organizations that have privileged or elevated network access to the target environment. Adversaries gather this information through direct elicitation (spear phishing for information), public sources (LinkedIn, company websites, job postings revealing MSP/vendor relationships), WHOIS/DNS records, and Active Directory trust enumeration once they have initial internal access. Internally, this manifests as enumeration of Active Directory domain and forest trusts using built-in tools (nltest.exe, netdom.exe), PowerShell AD cmdlets (Get-ADTrust, Get-ADForest), or LDAP queries targeting trustedDomain objects. Externally, adversaries may discover trust relationships from public BGP routing data, certificate transparency logs, or OSINT tools targeting organizational infrastructure. The intelligence gathered enables attacks via trusted third-party relationships (T1199), supply chain compromise (T1195), or credential abuse against MSP-managed accounts.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1590 Gather Victim Network Information
Sub-technique
T1590.003 Network Trust Dependencies
Canonical reference
https://attack.mitre.org/techniques/T1590/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "QIDNAME"(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  "filename",
  "commandline",
  "parentprocessname",
  CASE
    WHEN LOWER("filename") LIKE '%nltest.exe%'
      AND (LOWER("commandline") LIKE '%/domain_trusts%'
           OR LOWER("commandline") LIKE '%/all_trusts%'
           OR LOWER("commandline") LIKE '%/trusted_domains%'
           OR LOWER("commandline") LIKE '%/dclist%'
           OR LOWER("commandline") LIKE '%/parentdomain%')
      THEN 'NltestTrustEnum'
    WHEN LOWER("filename") LIKE '%netdom.exe%'
      AND (LOWER("commandline") LIKE '%trust%'
           OR LOWER("commandline") LIKE '%query%'
           OR LOWER("commandline") LIKE '%enumerate_principals%')
      THEN 'NetdomTrustEnum'
    WHEN (LOWER("filename") LIKE '%powershell.exe%' OR LOWER("filename") LIKE '%pwsh.exe%')
      AND (LOWER("commandline") LIKE '%get-adtrust%'
           OR LOWER("commandline") LIKE '%get-adforest%'
           OR LOWER("commandline") LIKE '%get-addomain%'
           OR LOWER("commandline") LIKE '%trustedDomain%'
           OR LOWER("commandline") LIKE '%trustdirection%'
           OR LOWER("commandline") LIKE '%dsenumeratedomaintrusts%')
      THEN 'PowerShellADTrustEnum'
    WHEN LOWER("filename") LIKE '%net.exe%'
      AND LOWER("commandline") LIKE '%/domain%'
      THEN 'NetViewDomainEnum'
    WHEN LOWER("filename") LIKE '%dsquery.exe%'
      AND (LOWER("commandline") LIKE '%trusteddomain%'
           OR LOWER("commandline") LIKE '%trust%')
      THEN 'DsqueryTrustEnum'
    WHEN "EventID" = '4662'
      AND (LOWER("ObjectType") LIKE '%trusteddomain%'
           OR LOWER("ObjectType") LIKE '%domaindns%')
      THEN 'LDAPTrustedDomainAccess'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15)  -- Windows Security, Sysmon, Windows Application, System
  AND starttime > NOW() - 86400 SECONDS
  AND (
    ("EventID" IN ('1', '4688') AND (
      (LOWER("filename") LIKE '%nltest.exe%' AND (
        LOWER("commandline") LIKE '%/domain_trusts%'
        OR LOWER("commandline") LIKE '%/all_trusts%'
        OR LOWER("commandline") LIKE '%/trusted_domains%'
        OR LOWER("commandline") LIKE '%/dclist%'
        OR LOWER("commandline") LIKE '%/parentdomain%'
      ))
      OR (LOWER("filename") LIKE '%netdom.exe%' AND (
        LOWER("commandline") LIKE '%trust%'
        OR LOWER("commandline") LIKE '%query%'
      ))
      OR ((LOWER("filename") LIKE '%powershell.exe%' OR LOWER("filename") LIKE '%pwsh.exe%') AND (
        LOWER("commandline") LIKE '%get-adtrust%'
        OR LOWER("commandline") LIKE '%get-adforest%'
        OR LOWER("commandline") LIKE '%trustedDomain%'
        OR LOWER("commandline") LIKE '%dsenumeratedomaintrusts%'
      ))
      OR (LOWER("filename") LIKE '%dsquery.exe%' AND LOWER("commandline") LIKE '%trusteddomain%')
    ))
    OR ("EventID" = '4662' AND (
      LOWER("ObjectType") LIKE '%trusteddomain%'
      OR LOWER("ObjectType") LIKE '%domaindns%'
    ) AND "AccessMask" IN ('0x100', '0x20000', '0x1'))
  )
ORDER BY starttime DESC
medium severity medium confidence

AQL detection for AD trust enumeration via suspicious process executions (nltest, netdom, PowerShell AD cmdlets, dsquery) and LDAP directory access to trustedDomain objects. Correlates Sysmon Event ID 1, Windows Security Event ID 4688, and 4662 across QRadar log sources.

Data Sources

Windows Security Event Log (WinCollect or DSM)Microsoft Sysmon via WinCollectWindows Event Log DSM

Required Tables

events

False Positives & Tuning

  • Domain admin helpdesk tooling querying trust relationships for support tickets or user access troubleshooting
  • Centralized IAM platforms (SailPoint, CyberArk) performing periodic AD forest discovery to update access model
  • Backup and DR tools enumerating domain topology for cross-domain restore operations
Download portable Sigma rule (.yml)

Other platforms for T1590.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Domain Trusts via nltest.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine='/domain_trusts /all_trusts'. Security Event ID 4688 (with command line auditing): same command line data. Parent process will be cmd.exe or powershell.exe depending on execution context.

  2. Test 2Enumerate Active Directory Trusts via PowerShell Get-ADTrust

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with full script content including trust properties being queried. LDAP query to Domain Controller on port 389 for trustedDomain objects (visible in Sysmon Event ID 3 if DC is remote).

  3. Test 3Query AD Forest Trust Information via PowerShell Get-ADForest

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADForest'. PowerShell ScriptBlock Log Event ID 4104 with the full script. Directory access Event ID 4662 on Domain Controllers for crossRefContainer and crossRef object reads. Sysmon Event ID 3 for LDAP connection to DC on port 389.

  4. Test 4Enumerate Domain Trusts via netdom.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netdom.exe, CommandLine containing 'query' and 'trust'. Security Event ID 4688 (with command line auditing) recording the full command line. The tool will contact the nearest Domain Controller to resolve trust information.

  5. Test 5LDAP Query for trustedDomain Objects via dsquery

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\dsquery.exe, CommandLine containing 'trustedDomain'. On the Domain Controller: Security Event ID 4662 with ObjectType=trustedDomain for each trust object read. Multiple 4662 events will fire — one per trusted domain object in the directory.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1590.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1590Gather Victim Network Information

Related Sub-techniques

T1590.001Domain PropertiesT1590.002DNST1590.004Network TopologyT1590.005IP AddressesT1590.006Network Security Appliances

Related Techniques

T1590Gather Victim Network InformationT1590.001Domain PropertiesT1590.002DNST1199Trusted RelationshipT1482Domain Trust DiscoveryT1069Permission Groups DiscoveryT1087.002Domain AccountT1195Supply Chain CompromiseT1078.002Domain AccountsT1596Search Open Technical DatabasesT1598Phishing for Information

Same Tactic: Reconnaissance

Popular Detections