Enumerating Domain Trusts via DSQUERY.EXE
Adversaries may use dsquery.exe to enumerate domain trusts, which can be leveraged for lateral movement in Windows multi-domain environments.
The dsquery.exe is a command-line tool used in Windows environments to query Active Directory. While legitimate uses exist, adversaries can use it to enumerate domain trusts within a multi-domain forest. By identifying trust relationships, attackers gain insights into potential lateral movement paths. This activity, while not inherently malicious, serves as a reconnaissance step that could precede more harmful actions, so its detection is crucial for early threat mitigation. This technique can be used to gain knowledge about the target environment, allowing the attacker to make informed decisions about further actions. The rule detects the execution of dsquery.exe with specific arguments related to discovering domain trusts. The Elastic rule ID is 06a7a03c-c735-47a6-a313-51c354aef6c3, updated on 2026/04/07.
Attack Chain
- Initial Access: Adversary gains initial access to a system within the target network.
- Credential Access: The attacker may use credential harvesting tools to obtain valid credentials.
- Discovery: The adversary executes
dsquery.exewith the argumentobjectClass=trustedDomainto enumerate domain trusts. - Lateral Movement: Based on the discovered trust relationships, the adversary attempts to move laterally to other systems or domains.
- Privilege Escalation: The adversary escalates privileges on the target system.
- Data Exfiltration: The adversary exfiltrates sensitive data from compromised systems.
Impact
Successful enumeration of domain trusts can lead to lateral movement across the network, potentially compromising multiple systems and domains. This can result in data breaches, system disruption, and financial losses. While the enumeration itself is not directly damaging, it provides crucial information for attackers to plan and execute further malicious activities. The impact is elevated when combined with stolen credentials or unpatched vulnerabilities.
Recommendation
- Deploy the Sigma rule "Detect Domain Trust Discovery via DSQUERY" to your SIEM and tune for your environment to detect the execution of
dsquery.exewith arguments used for domain trust discovery. - Enable Sysmon process-creation logging to activate the rules above.
- Review process execution logs for instances of
dsquery.exewith theobjectClass=trustedDomainargument, as highlighted in the rule. - Monitor network connections originating from systems where
dsquery.exewas executed, looking for suspicious lateral movement activity.
Detection coverage 2
Detect Domain Trust Discovery via DSQUERY
lowDetects the execution of dsquery.exe with arguments used for domain trust discovery.
Detect Domain Trust Discovery via DSQUERY (Sysmon)
lowDetects the execution of dsquery.exe with arguments used for domain trust discovery via Sysmon.
Detection queries are available on the platform. Get full rules →