Detect Network Trust Dependencies in Sumo Logic CSE
Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. This includes identifying second or third-party organizations such as managed service providers (MSPs), contractors, and partner organizations that have privileged or elevated network access to the target environment. Adversaries gather this information through direct elicitation (spear phishing for information), public sources (LinkedIn, company websites, job postings revealing MSP/vendor relationships), WHOIS/DNS records, and Active Directory trust enumeration once they have initial internal access. Internally, this manifests as enumeration of Active Directory domain and forest trusts using built-in tools (nltest.exe, netdom.exe), PowerShell AD cmdlets (Get-ADTrust, Get-ADForest), or LDAP queries targeting trustedDomain objects. Externally, adversaries may discover trust relationships from public BGP routing data, certificate transparency logs, or OSINT tools targeting organizational infrastructure. The intelligence gathered enables attacks via trusted third-party relationships (T1199), supply chain compromise (T1195), or credential abuse against MSP-managed accounts.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1590 Gather Victim Network Information
- Sub-technique
- T1590.003 Network Trust Dependencies
- Canonical reference
- https://attack.mitre.org/techniques/T1590/003/
Sumo Detection Query
_sourceCategory=windows* ("nltest.exe" OR "netdom.exe" OR "powershell.exe" OR "pwsh.exe" OR "dsquery.exe" OR "net.exe" OR EventCode=4662)
| parse field=_raw "<EventID>*</EventID>" as EventCode nodrop
| parse field=_raw "<Image>*</Image>" as Image nodrop
| parse field=_raw "<CommandLine>*</CommandLine>" as CommandLine nodrop
| parse field=_raw "<ParentImage>*</ParentImage>" as ParentImage nodrop
| parse field=_raw "<User>*</User>" as Actor nodrop
| parse field=_raw "<SubjectUserName>*</SubjectUserName>" as SubjectUser nodrop
| parse field=_raw "<ObjectType>*</ObjectType>" as ObjectType nodrop
| parse field=_raw "<ObjectName>*</ObjectName>" as ObjectName nodrop
| parse field=_raw "<AccessMask>*</AccessMask>" as AccessMask nodrop
| parse field=_raw "<Computer>*</Computer>" as Computer nodrop
| where (
(EventCode = "1" and (
(matches(Image, "(?i).*\\nltest\.exe$") and matches(CommandLine, "(?i)(/domain_trusts|/all_trusts|/trusted_domains|/dclist|/parentdomain|/dsgetsite)"))
or (matches(Image, "(?i).*\\netdom\.exe$") and matches(CommandLine, "(?i)(trust|query|enumerate_principals)"))
or (matches(Image, "(?i).*\\(powershell|pwsh)\.exe$") and matches(CommandLine, "(?i)(Get-ADTrust|Get-ADForest|Get-ADDomain|trustedDomain|trustDirection|trustAttributes|DsEnumerateDomainTrusts|NetEnumerateTrustedDomains)"))
or (matches(Image, "(?i).*\\net\.exe$") and matches(CommandLine, "(?i)/domain"))
or (matches(Image, "(?i).*\\dsquery\.exe$") and matches(CommandLine, "(?i)(trustedDomain|trust)"))
))
or (EventCode = "4662" and matches(ObjectType, "(?i)(trustedDomain|domainDNS)") and AccessMask in ("0x100", "0x20000", "0x1"))
)
| eval DetectionType = if(EventCode = "1" and matches(Image, "(?i).*\\nltest\.exe$"), "NltestTrustEnum",
if(EventCode = "1" and matches(Image, "(?i).*\\netdom\.exe$"), "NetdomTrustEnum",
if(EventCode = "1" and matches(Image, "(?i).*\\(powershell|pwsh)\.exe$"), "PowerShellADTrustEnum",
if(EventCode = "1" and matches(Image, "(?i).*\\net\.exe$"), "NetViewDomainEnum",
if(EventCode = "1" and matches(Image, "(?i).*\\dsquery\.exe$"), "DsqueryTrustEnum",
if(EventCode = "4662", "LDAPTrustedDomainAccess", "Unknown"))))))
| eval EffectiveActor = if(!isNull(Actor) and Actor != "", Actor, SubjectUser)
| eval TargetObject = if(EventCode = "1", CommandLine, ObjectName)
| fields _messageTime, Computer, EffectiveActor, Image, TargetObject, ParentImage, DetectionType
| sort by _messageTime descSumo Logic detection for AD network trust dependency enumeration. Parses Sysmon Event ID 1 and Windows Security Event ID 4662 to identify trust enumeration tools (nltest, netdom, PowerShell AD module, dsquery) and LDAP reads against trustedDomain objects.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise monitoring products (Nagios, SCOM, Datadog Agent) running AD health checks that include trust status queries
- Privileged Access Management (PAM) solutions enumerating forest trusts during session brokering for cross-domain access
- Active Directory documentation and auditing tools run by identity governance teams during quarterly access reviews
Other platforms for T1590.003
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Domain Trusts via nltest.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\nltest.exe, CommandLine='/domain_trusts /all_trusts'. Security Event ID 4688 (with command line auditing): same command line data. Parent process will be cmd.exe or powershell.exe depending on execution context.
- Test 2Enumerate Active Directory Trusts via PowerShell Get-ADTrust
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADTrust'. PowerShell ScriptBlock Log Event ID 4104 with full script content including trust properties being queried. LDAP query to Domain Controller on port 389 for trustedDomain objects (visible in Sysmon Event ID 3 if DC is remote).
- Test 3Query AD Forest Trust Information via PowerShell Get-ADForest
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-ADForest'. PowerShell ScriptBlock Log Event ID 4104 with the full script. Directory access Event ID 4662 on Domain Controllers for crossRefContainer and crossRef object reads. Sysmon Event ID 3 for LDAP connection to DC on port 389.
- Test 4Enumerate Domain Trusts via netdom.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netdom.exe, CommandLine containing 'query' and 'trust'. Security Event ID 4688 (with command line auditing) recording the full command line. The tool will contact the nearest Domain Controller to resolve trust information.
- Test 5LDAP Query for trustedDomain Objects via dsquery
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\dsquery.exe, CommandLine containing 'trustedDomain'. On the Domain Controller: Security Event ID 4662 with ObjectType=trustedDomain for each trust object read. Multiple 4662 events will fire — one per trusted domain object in the directory.
References (10)
- https://attack.mitre.org/techniques/T1590/003/
- https://attack.mitre.org/techniques/T1482/
- https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/forest-design-models
- https://learn.microsoft.com/en-us/defender-for-identity/lateral-movement-alerts
- https://github.com/BloodHoundAD/BloodHound
- https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731320(v=ws.11)
- https://specterops.io/wp-content/uploads/sites/3/2022/06/an_ace_up_the_sleeve.pdf
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
Unlock Pro Content
Get the full detection package for T1590.003 including response playbook, investigation guide, and atomic red team tests.