Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify Lateral Movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[1] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.[2][3] Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[3] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.[4]

ID: T1482
Tactic: Discovery
Platform: Windows
Permissions Required: User
Data Sources: PowerShell logs, API monitoring, Process command-line parameters, Process monitoring
Contributors: Dave Westgard; Elia Florio, Microsoft; Mnemonic; RedHuntLabs (@redhuntlabs)
Version: 1.0
Created: 14 February 2019
Last Modified: 17 July 2019

Procedure Examples

dsquery: dsquery can be used to gather information on domain trusts with dsquery * -filter "(objectClass=trustedDomain)" -attr *.[3]

Empire: Empire has modules for enumerating domain trusts.[9]

Nltest: Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.[5][6]

PoshC2: PoshC2 has modules for enumerating domain trusts.[10]

PowerSploit: PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.[7][8]

TrickBot: TrickBot can gather information about domain trusts by utilizing Nltest.[6]

Mitigations

Audit: Map the trusts within existing domains/forests and keep trust relationships to a minimum.

Network Segmentation: Employ network segmentation for sensitive domains.[3]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the DSEnumerateDomainTrusts() Win32 API call to spot activity associated with Domain Trust Discovery.[3] Information may also be acquired through Windows system management tools such as PowerShell. The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery.[11]
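The detection guidance above names several indicators (nltest /domain_trusts, the dsquery trustedDomain filter, the PowerSploit cmdlets, GetAllTrustRelationships() and DSEnumerateDomainTrusts()) and asks that they be read as a chain rather than in isolation. The following is an added example, not part of the ATT&CK page, that applies those indicators to constructed process command-line, script-block and API-trace records and groups the matches per host and user; the rule labels, the event shape and all sample values are assumptions.

```python
import re
from collections import defaultdict

# Indicators this technique page names, each mapped to a regex applied to one
# event's command line, script block, or API-trace text. Labels are ours.
RULES = [
    ("nltest /domain_trusts", re.compile(r"\bnltest(?:\.exe)?\b.*/domain_trusts", re.I)),
    ("dsquery trustedDomain filter", re.compile(r"\bdsquery(?:\.exe)?\b.*objectClass=trustedDomain", re.I)),
    ("PowerSploit Get-NetDomainTrust/Get-NetForestTrust", re.compile(r"\bGet-Net(?:Domain|Forest)Trust\b", re.I)),
    (".NET GetAllTrustRelationships()", re.compile(r"GetAllTrustRelationships\s*\(", re.I)),
    ("DsEnumerateDomainTrusts Win32 API", re.compile(r"\bDsEnumerateDomainTrusts", re.I)),
]

# Constructed sample events (process command lines, a PowerShell script block
# and an API-monitor trace), normalised to host / user / text. Hosts, users
# and the trace format are made up for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "text": r"C:\Windows\System32\nltest.exe /domain_trusts"},
    {"host": "WS01", "user": "CORP\\alice", "text": r'dsquery * -filter "(objectClass=trustedDomain)" -attr *'},
    {"host": "WS02", "user": "CORP\\bob", "text": "Get-NetDomainTrust; Get-NetForestTrust"},
    {"host": "WS03", "user": "CORP\\svc-backup",
     "text": "[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetAllTrustRelationships()"},
    {"host": "WS03", "user": "CORP\\svc-backup", "text": "api-trace: DsEnumerateDomainTrustsW(server=NULL, flags=0x23)"},
    {"host": "WS04", "user": "CORP\\carol", "text": r"C:\Windows\System32\nltest.exe /dclist:corp.local"},  # nltest, but no trust enumeration
    {"host": "WS05", "user": "CORP\\dave", "text": r"notepad.exe C:\Users\dave\notes.txt"},
]

def classify(text):
    """Return the labels of every rule matching one event string."""
    return [label for label, rx in RULES if rx.search(text)]

def scan(events):
    """Return only the events that match, each annotated with its matched labels."""
    hits = []
    for ev in events:
        labels = classify(ev["text"])
        if labels:
            hits.append({**ev, "labels": labels})
    return hits

def summarize(hits):
    """Group matched labels per (host, user). Several distinct trust-discovery
    indicators from one principal is the chain of behaviour the detection
    guidance asks for, rather than a single command line viewed in isolation."""
    by_actor = defaultdict(set)
    for h in hits:
        by_actor[(h["host"], h["user"])].update(h["labels"])
    return {actor: sorted(labels) for actor, labels in by_actor.items()}

if __name__ == "__main__":
    for actor, labels in summarize(scan(SAMPLE_EVENTS)).items():
        print(actor, labels)
```

Real Sysmon or Security 4688 events carry the command line in a dedicated field; only the `text` extraction would change to feed them into `scan()`.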

References