title: Network Trust Dependencies (T1590.003)
id: df00tech-t1590-003
status: experimental
description: "Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. This includes identifying second or third-party organizations such as managed service providers (MSPs), contractors, and partner organizations that have privileged or elevated network access to the target environment. Adversaries gather this information through direct elicitation (spear phishing for information), public sources (LinkedIn, company websites, job postings revealing MSP/vendor relationships), WHOIS/DNS records, and Active Directory trust enumeration once they have initial internal access. Internally, this manifests as enumeration of Active Directory domain and forest trusts using built-in tools (nltest.exe, netdom.exe), PowerShell AD cmdlets (Get-ADTrust, Get-ADForest), or LDAP queries targeting trustedDomain objects. Externally, adversaries may discover trust relationships from public BGP routing data, certificate transparency logs, or OSINT tools targeting organizational infrastructure. The intelligence gathered enables attacks via trusted third-party relationships (T1199), supply chain compromise (T1195), or credential abuse against MSP-managed accounts."
references:
  - https://attack.mitre.org/techniques/T1590/003/
  - https://df00tech.com/detections/T1590.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1590.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Domain administrators legitimately running nltest.exe /domain_trusts during infrastructure audits or troubleshooting inter-domain authentication issues
  - Automated monitoring scripts using Get-ADTrust or Get-ADForest to verify trust health and alert on unexpected trust additions
  - "Identity governance tools (SailPoint, Saviynt, CyberArk) that enumerate domain trusts during discovery scans"
  - Microsoft Entra Connect (Azure AD Connect) synchronization service regularly querying forest/domain trust topology
  - IT helpdesk staff troubleshooting cross-domain resource access using netdom.exe or nltest.exe
  - "Security posture assessment tools (Bloodhound Enterprise, Purple Knight) authorized to enumerate AD trust relationships"
level: medium