Adversary uses nltest, PowerShell, or Win32/.NET API to enumerate domain trust relationships (via DSEnumerateDomainTrusts, GetAllTrustRelationships, or LDAP queries), followed by discovery or authentication staging.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Command Execution (DC0064) | WinEventLog:PowerShell | Get-ADTrust \| GetAllTrustRelationships |
| Active Directory Object Access (DC0071) | WinEventLog:Security | EventCode=4662 |

| Field | Description |
|---|---|
| ParentImage | Tune based on expected script hosts or authorized administrators invoking trust enumeration. |
| TimeWindow | Correlate enumeration + subsequent Kerberos activity or DC interaction within a bounded window. |
| UserContext | Prioritize detection for non-admin or unexpected user accounts performing enumeration. |
| API_Name | Flag uncommon or low-prevalence API calls like DSEnumerateDomainTrusts for inspection. |
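As an added example (not part of the ATT&CK page), the following Python applies the tunable parameters above to constructed sample events: trust enumeration via nltest or Get-ADTrust is suppressed when launched from an allow-listed ParentImage, scored higher for non-admin users, and escalated when the same user touches an AD object (EventCode=4662) within the TimeWindow. The event field names, allow-list entries, user names and timestamps are assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: Sysmon process creation (EventCode=1),
# PowerShell script block logging (EventCode=4104) and Security object access (EventCode=4662).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "EventCode": 1, "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /domain_trusts /all_trusts",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-05-01T10:00:05", "EventCode": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADTrust -Filter *"},
    {"ts": "2024-05-01T10:02:00", "EventCode": 4662, "User": "CORP\\jdoe", "ObjectType": "trustedDomain"},
    {"ts": "2024-05-01T11:00:00", "EventCode": 1, "User": "CORP\\svc_inventory",
     "Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /domain_trusts",
     "ParentImage": r"C:\Program Files\InventoryAgent\agent.exe"},
]

# Tunable parameters from the table above; the concrete values are placeholders for this example.
ALLOWED_PARENTS = {r"c:\program files\inventoryagent\agent.exe"}  # ParentImage allow-list
ADMIN_USERS = {"corp\\da_admin"}                                    # UserContext
WINDOW = timedelta(minutes=5)                                        # TimeWindow
TRUST_CMD = re.compile(r"nltest.*?/domain_trusts|Get-ADTrust|GetAllTrustRelationships", re.I)

def is_trust_enumeration(ev):
    """True when the event is a process launch or script block that enumerates domain trusts."""
    text = ev.get("CommandLine", "") + " " + ev.get("ScriptBlockText", "")
    return ev["EventCode"] in (1, 4104) and bool(TRUST_CMD.search(text))

def detect(events, allowed_parents=ALLOWED_PARENTS, admin_users=ADMIN_USERS, window=WINDOW):
    """Return one scored alert per enumeration event that survives the tunables."""
    alerts = []
    for ev in events:
        if not is_trust_enumeration(ev):
            continue
        if ev.get("ParentImage", "").lower() in allowed_parents:
            continue  # authorised agent or script host: tuned out via ParentImage
        start = datetime.fromisoformat(ev["ts"])
        # TimeWindow: did the same user access an AD object (4662) shortly after enumerating?
        followed = any(e["EventCode"] == 4662 and e["User"] == ev["User"]
                       and start <= datetime.fromisoformat(e["ts"]) <= start + window
                       for e in events)
        non_admin = ev["User"].lower() not in admin_users
        severity = "high" if (non_admin and followed) else "medium" if non_admin else "low"
        alerts.append({"ts": ev["ts"], "user": ev["User"],
                       "followed_by_dc_access": followed, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```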