Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[1] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.[2][3] Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[3] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.[4]

ID: T1482
Sub-techniques: No sub-techniques
Tactic: Discovery
Platforms: Windows
Permissions Required: User
Data Sources: API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Contributors: Dave Westgard; Elia Florio, Microsoft; Mnemonic; RedHuntLabs, @redhuntlabs
Version: 1.1
Created: 14 February 2019
Last Modified: 17 September 2020

Procedure Examples

Name Description
AdFind

AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory.[5][6][7]

BloodHound

BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.[8]

dsquery

dsquery can be used to gather information on domain trusts with dsquery * -filter "(objectClass=trustedDomain)" -attr *.[3]

Empire

Empire has modules for enumerating domain trusts.[9]

Nltest

Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.[10][11]

PoshC2

PoshC2 has modules for enumerating domain trusts.[12]

PowerSploit

PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.[13][14]

TrickBot

TrickBot can gather information about domain trusts by utilizing Nltest.[11][15]

UNC2452

UNC2452 used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.[16] They also used AdFind to enumerate domains and to discover trust between federated domains.[17]

Wizard Spider

Wizard Spider has used AdFind.exe to collect information about Active Directory organizational units and trust objects.[7]

Mitigations

Mitigation Description
Audit

Map the trusts within existing domains/forests and keep trust relationships to a minimum.

Network Segmentation

Employ network segmentation for sensitive domains.[3]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the DSEnumerateDomainTrusts() Win32 API call to spot activity associated with Domain Trust Discovery.[3] Information may also be acquired through Windows system management tools such as PowerShell. The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery.[18]
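The following is an added example, not part of the ATT&CK page or any of the tools it lists: a small Python detector that applies the command-line indicators above (nltest /domain_trusts, the dsquery trustedDomain filter, and the PowerSploit trust cmdlets / GetAllTrustRelationships()) to process-creation records. It assumes Sysmon Event ID 1 or Security 4688 telemetry exported as JSON lines with Image, CommandLine and User fields; the sample events are constructed, not real telemetry.

```python
import json
import re
from typing import Dict, List

# Indicator patterns taken from the procedure examples and detection guidance,
# applied case-insensitively to a whitespace-normalized command line.
TRUST_DISCOVERY_RULES = {
    "nltest_domain_trusts": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts"),
    "dsquery_trustedDomain": re.compile(r"\bdsquery(\.exe)?\b.*objectclass=trusteddomain"),
    "powershell_trust_cmdlets": re.compile(r"get-net(domain|forest)trust|getalltrustrelationships\(\)"),
    "adfind_trustedDomain": re.compile(r"\badfind(\.exe)?\b.*trusteddomain"),
}

def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so casing and spacing variants hit the same rule."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()

def match_trust_discovery(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event's command line triggers (empty if none)."""
    cmd = normalize(event.get("CommandLine", ""))
    return [name for name, pat in TRUST_DISCOVERY_RULES.items() if pat.search(cmd)]

def scan_process_events(jsonl: str) -> List[Dict[str, str]]:
    """Scan JSON-lines process-creation records (constructed Sysmon EID 1 / 4688 style)."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule in match_trust_discovery(event):
            findings.append({"rule": rule, "user": event.get("User", "?"),
                             "cmd": event.get("CommandLine", "")})
    return findings

# Constructed sample events for illustration only (raw string: backslashes are JSON-escaped).
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\nltest.exe", "CommandLine": "nltest  /DOMAIN_TRUSTS", "User": "CORP\\jdoe"}
{"Image": "C:\\Windows\\System32\\dsquery.exe", "CommandLine": "dsquery * -filter \"(objectClass=trustedDomain)\" -attr *", "User": "CORP\\svc-backup"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -c Get-NetForestTrust", "User": "CORP\\jdoe"}
{"Image": "C:\\Windows\\System32\\nltest.exe", "CommandLine": "nltest /dsgetdc:corp.example", "User": "CORP\\helpdesk"}
{"Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}
"""

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['user']}: {f['cmd']}")
```

The benign nltest /dsgetdc and explorer.exe records are included so the rules can be checked for false positives; in production, correlate hits with the surrounding chain of discovery activity rather than alerting on a single match.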

References