Domain Trust Discovery

Detect commands used to enumerate a list of trusted domains.

id: bccb1c48-305c-4b1f-affb-a7a50bf4654b
categories: enrich
confidence: low
os: windows
created: 7/26/2019
updated: 7/26/2019

MITRE ATT&CK™ Mapping

tactics: Discovery
techniques: T1482 Domain Trust Discovery

Query

process where subtype.create and (
  (process_name == "dsquery.exe") and command_line == "*(objectClass=trustedDomain)*" or
  (process_name == "nltest.exe") and command_line == "*domain_trusts*"
)
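
The query's matching logic applied to a handful of constructed process events, as an added Python example that is not part of the original analytic. The dictionary keys `event_type` and `subtype`, the sample events, and the case-insensitive wildcard comparison are assumptions made for illustration.

```python
import re

# (process_name, command_line wildcard) pairs copied from the query above.
RULE_CLAUSES = [
    ("dsquery.exe", "*(objectClass=trustedDomain)*"),
    ("nltest.exe", "*domain_trusts*"),
]

def wildcard_eq(value, pattern):
    """Compare value to a pattern in which * matches any run of characters.
    Assumption: the comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value or "", re.IGNORECASE | re.DOTALL) is not None

def matches_rule(event):
    """True when a process-creation event satisfies either clause of the query."""
    if event.get("event_type") != "process" or event.get("subtype") != "create":
        return False
    return any(
        wildcard_eq(event.get("process_name"), name)
        and wildcard_eq(event.get("command_line"), pattern)
        for name, pattern in RULE_CLAUSES
    )

def detect(events):
    """Return the indexes of the events that the rule would flag."""
    return [i for i, event in enumerate(events) if matches_rule(event)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "process_name": "nltest.exe",
     "command_line": "nltest.exe /domain_trusts /all_trusts"},
    {"event_type": "process", "subtype": "create", "process_name": "NLTEST.EXE",
     "command_line": "NLTEST /DOMAIN_TRUSTS"},
    {"event_type": "process", "subtype": "create", "process_name": "dsquery.exe",
     "command_line": 'dsquery * -filter "(objectClass=trustedDomain)" -attr *'},
    {"event_type": "process", "subtype": "create", "process_name": "nltest.exe",
     "command_line": "nltest /dsgetdc:corp.example"},
    {"event_type": "process", "subtype": "create", "process_name": "dsquery.exe",
     "command_line": "dsquery user -name jsmith"},
    {"event_type": "process", "subtype": "terminate", "process_name": "nltest.exe",
     "command_line": "nltest /domain_trusts"},
]

if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print(SAMPLE_EVENTS[i]["command_line"])
```

Only the first three events are flagged: the other `nltest.exe` and `dsquery.exe` invocations lack the trust-enumeration arguments, and the last event is a termination rather than a creation.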

Contributors