Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify Lateral Movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[1] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.[2][3] Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[3] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.[4]

ID: T1482

Tactic: Discovery

Platform:  Windows

Permissions Required:  User

Data Sources:  PowerShell logs, API monitoring, Process command-line parameters, Process monitoring

Contributors:  Dave Westgard; Elia Florio, Microsoft; Mnemonic; RedHuntLabs (@redhuntlabs)

Version: 1.0

Examples

NameDescription
dsquery

dsquery can be used to gather information on domain trusts with dsquery * -filter "(objectClass=trustedDomain)" -attr *.[3]

Empire

Empire has modules for enumerating domain trusts.[5]

Nltest

Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.[6][7]

PoshC2

PoshC2 has modules for enumerating domain trusts.[8]

PowerSploit

PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.[9][10]

TrickBot

TrickBot can gather information about domain trusts by utilizing Nltest.[7]

Mitigation

Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.[3]

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the DSEnumerateDomainTrusts() Win32 API call to spot activity associated with Domain Trust Discovery.[3] Information may also be acquired through Windows system management tools such as PowerShell. The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery.[11]

References