ATT&CK coverage › Technique

Domain Trust Discovery `T1482`

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.

Events covered

10 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	3	Network connection
Sysmon	11	FileCreate
Sysmon	22	DNSEvent (DNS query)
Security-Auditing	4662	An operation was performed on an object.
Security-Auditing	4688	A new process has been created.
Defender-DeviceProcessEvents	9001000	Process activity (any)
LDAP-Client	30
PowerShell	4103	Payload Context: ContextInfo User Data: UserData.
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 26 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (20 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`Image`	12	`ends_with` 11, `match` 2, `eq` 1, `is_null` 1, `starts_with` 1	`\ADExplorer64.exe`, `\ADExp.exe`, `\ADExplorer64a.exe`, `\nltest.exe`, `\svchost.exe`
`CommandLine`	10	`match` 10	`snapshot`, `users_noexpire`, `-subnets -f`, `domainlist`, `args`
`OriginalFileName`	8	`eq` 8	`AdExp`, `nltestrk.exe`, `dsquery.exe`, `SharpView.exe`, `TruffleSnout.exe`
`Product`	3	`eq` 2, `match` 1	`Sysinternals ADExplorer`, `SharpHound`
`Description`	3	`eq` 2, `match` 1	`Active Directory Editor`, `SharpHound`
`ScriptBlockText`	3	`eq` 2, `match` 1	`Invoke-SauronEye`, `Get-FoxDump`, `Invoke-KrbRelay`, `"get-domaintrust"`, `"get-foresttrust"`
`TargetFilename`	2	`ends_with` 2, `starts_with` 1	`.dat`, `_computers.json`, `_ous.json`, `C:\Program Files\WindowsApps\Microsoft.`
`file_name`	2	`in` 2	`"-azapplicationadmins.json"`, `"-azcloudappadmins.json"`, `"-azurecollection.zip"`, `"_groups.json"`, `"*_users.json"`
`EventID`	2	`eq` 2	`4104`
`AccessMaskDescription`	1	`eq` 1	`Read Property`
`FileName`	1	`eq` 1	`AdFind.exe`
`SHA256`	1	`eq` 1	`c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3`
`InitiatingProcessFileName`	1	`eq` 1	`parentProcesses`
`QueryName`	1	`starts_with` 1	`_ldap.`
`Company`	1	`match` 1	`evil corp`, `SpecterOps`

Top indicator values (824 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`Image`	`ends_with`	`\ADExp.exe`	3	3
`Image`	`ends_with`	`\ADExplorer64.exe`	3	6
`Image`	`ends_with`	`\ADExplorer.exe`	3	6
`Image`	`ends_with`	`\ADExplorer64a.exe`	3	4
`Product`	`eq`	`Sysinternals ADExplorer`	2	2
`OriginalFileName`	`eq`	`AdExp`	2	2
`CommandLine`	`match`	`snapshot`	2	3
`Description`	`eq`	`Active Directory Editor`	2	2
`CommandLine`	`match`	`Invoke-ACLScanner`	2	2
`CommandLine`	`match`	`Find-GPOLocation`	2	2
`OriginalFileName`	`eq`	`nltestrk.exe`	2	2
`Image`	`ends_with`	`\nltest.exe`	2	9
`CommandLine`	`match`	`name="Domain Admins"`	2	2
`CommandLine`	`match`	`computer_pwdnotreqd`	2	2
`CommandLine`	`match`	`domainncs`	2	2
`CommandLine`	`match`	`dcmodes`	2	2
`CommandLine`	`match`	`-subnets -f`	2	2
`CommandLine`	`match`	`computers_pwdnotreqd`	2	2
`CommandLine`	`match`	`adinfo`	2	2
`CommandLine`	`match`	`dompol`	2	2

Common exclusions (1 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field	Kind	Value	Rules excluding
`SubjectUserSid`	`eq`	`S-1-5-18`	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 17 rules

Active Directory Database Snapshot Via ADExplorer severity medium, 1 event, 8 indicators, 0 exclusions
ADExplorer Writing Complete AD Snapshot Into .dat File severity medium, 1 event, 5 indicators, 0 exclusions
BloodHound Collection Files severity high, 1 event, 10 indicators, 0 exclusions
DNS Server Discovery Via LDAP Query severity low, 1 event, 11 indicators, 0 exclusions
Domain Trust Discovery Via Dsquery severity medium, 1 event, 3 indicators, 0 exclusions
HackTool - Bloodhound/Sharphound Execution severity high, 1 event, 17 indicators, 0 exclusions
HackTool - SharpView Execution severity high, 1 event, 84 indicators, 0 exclusions
HackTool - TruffleSnout Execution severity high, 1 event, 2 indicators, 0 exclusions
Malicious PowerShell Commandlets - PoshModule severity high, 1 event, 195 indicators, 0 exclusions
Malicious PowerShell Commandlets - ProcessCreation severity high, 2 events, 194 indicators, 0 exclusions
Malicious PowerShell Commandlets - ScriptBlock severity high, 1 event, 181 indicators, 0 exclusions
Nltest.EXE Execution severity low, 1 event, 2 indicators, 0 exclusions
Potential Active Directory Reconnaissance/Enumeration Via LDAP severity medium, 1 event, 52 indicators, 0 exclusions
Potential Recon Activity Via Nltest.EXE severity medium, 1 event, 12 indicators, 0 exclusions
PUA - AdFind Suspicious Execution severity high, 2 events, 19 indicators, 0 exclusions
Renamed AdFind Execution severity high, 1 event, 29 indicators, 0 exclusions
Suspicious Active Directory Database Snapshot Via ADExplorer severity high, 1 event, 12 indicators, 0 exclusions

Elastic 1 rule

Suspicious Access to LDAP Attributes 1 event, 1 indicator, 1 exclusion

Splunk 5 rules

Detect AzureHound File Modifications 1 event, 5 indicators, 0 exclusions
Detect SharpHound File Modifications 1 event, 8 indicators, 0 exclusions
Get-DomainTrust with PowerShell Script Block 1 event, 2 indicators, 0 exclusions
Get-ForestTrust with PowerShell Script Block 1 event, 2 indicators, 0 exclusions
Network Traffic to Active Directory Web Services Protocol 1 event, 1 indicator, 0 exclusions

Kusto Query Language 3 rules

Dev-0270 WMIC Discovery 1 event, 0 indicators, 0 exclusions
Powershell Empire Cmdlets Executed in Command Line 1 event, 0 indicators, 0 exclusions
Probable AdFind Recon Tool Usage 3 events, 4 indicators, 0 exclusions

Domain Trust Discovery T1482