Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[1] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.[2][3] Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[3] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.[4]

ID: T1482
Sub-techniques: No sub-techniques
Tactic: Discovery
Platforms: Windows
Permissions Required: User
Data Sources: API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Contributors: Dave Westgard; Elia Florio, Microsoft; Mnemonic; RedHuntLabs, @redhuntlabs
Version: 1.1
Created: 14 February 2019
Last Modified: 26 March 2020

Procedure Examples

Name Description
dsquery

dsquery can be used to gather information on domain trusts with dsquery * -filter "(objectClass=trustedDomain)" -attr *.[3]

Empire

Empire has modules for enumerating domain trusts.[9]

Nltest

Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.[5][6]

PoshC2

PoshC2 has modules for enumerating domain trusts.[10]

PowerSploit

PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.[7][8]

TrickBot

TrickBot can gather information about domain trusts by utilizing Nltest.[6]

Wizard Spider

Wizard Spider has used AdFind.exe to collect information about Active Directory organizational units and trust objects.[11]

Mitigations

Mitigation Description
Audit

Map the trusts within existing domains/forests and keep trust relationships to a minimum.

Network Segmentation

Employ network segmentation for sensitive domains.[3]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the DSEnumerateDomainTrusts() Win32 API call to spot activity associated with Domain Trust Discovery.[3] Information may also be acquired through Windows system management tools such as PowerShell. The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery.[12]
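As an added illustration of the detection guidance above (not part of the ATT&CK page), the following Python matcher runs the command-line indicators named here over constructed process-creation events; the rule names, field names and sample events are assumptions made for the example.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 field style (not real telemetry).
# The last two are control cases that must NOT match: an unrelated nltest switch, and a
# benign file name that merely contains the string "domain_trusts".
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /domain_trusts"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "nltest /domain_trusts > C:\Users\Public\t.txt"'},
    {"Image": r"C:\Windows\System32\dsquery.exe",
     "CommandLine": 'dsquery * -filter "(objectClass=trustedDomain)" -attr *'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c Get-NetForestTrust"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell [System.DirectoryServices.ActiveDirectory.Domain]"
                    "::GetCurrentDomain().GetAllTrustRelationships()"},
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /sc_query:CORP"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe domain_trusts.txt"},
]

# Indicators taken from the page: nltest /domain_trusts, the dsquery trustedDomain filter,
# the PowerSploit cmdlets and the .NET GetAllTrustRelationships() method. Matching is done
# on the full command line so a wrapper such as cmd.exe /c does not hide the tool.
RULES = [
    ("nltest_domain_trusts", re.compile(r"\bnltest(\.exe)?\b.*?/domain_trusts\b", re.I)),
    ("dsquery_trusted_domain", re.compile(r"\bdsquery(\.exe)?\b.*?objectClass=trustedDomain\b", re.I)),
    ("powersploit_trust_cmdlet", re.compile(r"\bGet-Net(Domain|Forest)Trust\b", re.I)),
    ("dotnet_get_all_trust_relationships", re.compile(r"\bGetAllTrustRelationships\s*\(", re.I)),
]

def match_event(event: dict) -> list:
    """Return the names of every rule whose pattern appears in the event's command line."""
    cmdline = event.get("CommandLine", "")
    return [name for name, pattern in RULES if pattern.search(cmdline)]

def scan_events(events) -> list:
    """Return (event index, matched rule names) for each event that hits at least one rule."""
    hits = []
    for i, event in enumerate(events):
        matched = match_event(event)
        if matched:
            hits.append((i, matched))
    return hits

if __name__ == "__main__":
    for index, rules in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['CommandLine']!r} -> {rules}")
```

A real deployment would feed the same rules from 4688 or Sysmon telemetry and correlate hits with the other discovery activity the paragraph describes rather than alerting on a single event.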

References