title: Domain Trust Discovery (T1482)
id: df00tech-t1482
status: experimental
description: "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Adversaries use utilities like nltest.exe and AdFind, PowerShell cmdlets such as Get-ADTrust, .NET methods such as GetAllTrustRelationships, LDAP queries against trustedDomain objects, and tools like Rubeus to enumerate bidirectional, one-way, forest, and external trusts. This information facilitates SID-History Injection, Pass the Ticket, Kerberoasting, and lateral movement across trust boundaries. Widely observed in ransomware pre-encryption reconnaissance by groups and malware families including BlackByte, Akira, QakBot, IcedID, and Chimera."
references:
  - https://attack.mitre.org/techniques/T1482/
  - https://df00tech.com/detections/T1482
author: df00tech
date: 2026/04/19
tags:
  - attack.t1482
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original auto-translation produced a placeholder (EventID: '*') that would match every
  # process_creation event. The selections below are derived from the indicators named in the
  # description and falsepositives of this rule (nltest trust switches, AdFind trustdmp,
  # Get-ADTrust, GetAllTrustRelationships); the full KQL/SPL query remains on df00tech.
  selection_nltest:
    CommandLine|contains:
      - '/domain_trusts'
      - '/trusted_domains'
  selection_adfind:
    CommandLine|contains: 'trustdmp'
  selection_powershell:
    CommandLine|contains:
      - 'Get-ADTrust'
      - 'GetAllTrustRelationships'
  condition: 1 of selection_*
falsepositives:
  - Domain administrators running nltest /domain_trusts as part of AD health checks or troubleshooting connectivity between trusted domains
  - "IT infrastructure monitoring tools (SolarWinds, ManageEngine AD Manager) that enumerate trust relationships for topology mapping and alerting"
  - Scripted onboarding or provisioning automation that calls Get-ADTrust to validate forest membership before deploying resources
  - Penetration testing or red team exercises with pre-approved scope documents — verify against change management records
  - SIEM/SOAR playbooks that enumerate domain trusts to populate CMDB or enrich security incidents
level: medium
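Added worked example (not part of the df00tech rule or its tooling): a small evaluator that applies the trust-enumeration indicators named in the description to constructed process_creation events, using the Sigma windows field names Image, CommandLine and User. The events, user names and the `objectCategory=trustedDomain` LDAP filter pattern are assumptions made for the example.

```python
"""Evaluate T1482 process-creation indicators against constructed events.
Added example, not df00tech's code; sample events are constructed."""
import re

# (label, pattern over CommandLine). Matching on switches rather than on the
# binary name means a renamed copy of nltest or AdFind is still caught.
INDICATORS = [
    ("nltest_trusts", re.compile(r"/(domain_trusts|trusted_domains)\b", re.I)),
    ("adfind_trustdmp", re.compile(r"\btrustdmp\b", re.I)),
    ("ps_get_adtrust", re.compile(r"\bGet-ADTrust\b", re.I)),
    ("dotnet_trust_api", re.compile(r"\bGetAllTrustRelationships\b", re.I)),
    # LDAP filter on trust objects; an assumption added to cover the
    # "LDAP queries" case in the description.
    ("ldap_trusteddomain", re.compile(r"objectCategory=trustedDomain", re.I)),
]


def match_indicator(event):
    """Return the first indicator label hit by the event's CommandLine, else None."""
    cmd = event.get("CommandLine", "")
    for label, pattern in INDICATORS:
        if pattern.search(cmd):
            return label
    return None


def scan(events):
    """Return one finding per matching event (index, indicator, user)."""
    findings = []
    for idx, event in enumerate(events):
        label = match_indicator(event)
        if label:
            findings.append({"index": idx, "indicator": label,
                             "user": event.get("User", "?")})
    return findings


# Constructed sample events (not real telemetry). Event 3 is a benign DC
# locator call and must not match.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-ADTrust -Filter *"', "User": "CORP\\svc_prov"},
    {"Image": r"C:\Temp\af.exe", "CommandLine": "af.exe -sc trustdmp", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /dsgetdc:corp.local", "User": "CORP\\helpdesk"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c [System.DirectoryServices.ActiveDirectory.Forest]"
                    "::GetCurrentForest().GetAllTrustRelationships()", "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Findings for accounts listed in the falsepositives (provisioning automation, monitoring services) are the ones to reconcile against change-management records before escalating.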
