Find sigma rule

Attack: Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

MITRE

Tactic

discovery

technique

T1482

Test : Windows - Discover domain trusts with dsquery

OS

windows

Description:

Uses the dsquery command to discover domain trusts. Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role.

Executor

command_prompt

Sigma Rule

proc_creation_win_dsquery_domain_trust_discovery.yml (id: 3bad990e-4848-4a78-9530-b427d854aac0)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test