Domain Trust Discovery via Nltest.exe¶
Identifies execution of nltest.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
| id: | 03e231a6-74bc-467a-acb1-e5676b0fb55e |
|---|---|
| categories: | hunt |
| confidence: | low |
| os: | windows |
| created: | 05/17/2019 |
| updated: | 05/17/2019 |
Query¶
process where subtype.create and
process_name == "nltest.exe" and command_line == "*domain_trusts*"