T1482: Domain Trust Discovery
| View on MITRE ATT&CK | T1482 |
|---|---|
| Tactic(s) | Discovery |
Data from MITRE ATT&CK®:
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
Investigating New INC Ransom Group Activity
This blog post from huntress discusses the ransomware group known as 'INC', breaking down the stages of an attack day by day. The Huntress team ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.How to detect this technique
MITRE ATT&CK Data Components
Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)OS API Execution (Process)
Operating system function/method calls executed by a processScript Execution (Script)
The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Adfind - Enumerate Active Directory Trusts
Get-DomainTrust with PowerView
Adfind - Enumerate Active Directory OUs
Windows - Discover domain trusts with nltest
Powershell enumerate domains and forests
Get-ForestTrust with PowerView
TruffleSnout - Listing AD Infrastructure
Windows - Discover domain trusts with dsquery
Sigma Detections for this Technique
Malicious PowerShell Commandlets - PoshModule
HackTool - SharpView Execution
Renamed AdFind Execution
DNS Server Discovery Via LDAP Query
PUA - AdFind Suspicious Execution
Potential Active Directory Reconnaissance/Enumeration Via LDAP
Potential Recon Activity Via Nltest.EXE
BloodHound Collection Files
HackTool - Bloodhound/Sharphound Execution
HackTool - TruffleSnout Execution
Malicious PowerShell Commandlets - ProcessCreation
Malicious PowerShell Commandlets - ScriptBlock
Nltest.EXE Execution
Domain Trust Discovery Via Dsquery
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.