{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-nt-domain/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows NT Domain"],"_cs_severities":["low"],"_cs_tags":["discovery","domain trust","lateral movement","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u003ccode\u003enltest.exe\u003c/code\u003e utility is a command-line tool used to manage and troubleshoot Windows NT domains. While legitimate domain administrators may use this utility for information gathering, adversaries can also abuse it to enumerate domain trusts and gain insight into trust relationships, which exposes the state of Domain Controller (DC) replication within a Windows NT Domain. This activity is more suspicious in environments with Windows Server 2012 and newer, where its usage is less common for legitimate purposes. Attackers can leverage this information to facilitate lateral movement and other malicious activities within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enltest.exe\u003c/code\u003e with specific arguments such as \u003ccode\u003e/DOMAIN_TRUSTS\u003c/code\u003e, \u003ccode\u003e/DCLIST:*\u003c/code\u003e, \u003ccode\u003e/DCNAME:*\u003c/code\u003e, \u003ccode\u003e/DSGET*\u003c/code\u003e, \u003ccode\u003e/LSAQUERYFTI:*\u003c/code\u003e, \u003ccode\u003e/PARENTDOMAIN\u003c/code\u003e, or \u003ccode\u003e/BDC_QUERY:*\u003c/code\u003e to enumerate domain trusts.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enltest.exe\u003c/code\u003e utility queries the Active Directory to gather information about domain trusts, domain controllers, and other domain-related information.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of \u003ccode\u003enltest.exe\u003c/code\u003e to identify trust relationships, domain controllers, and other relevant information about the domain infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to map out potential lateral movement paths within the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages discovered trust relationships to authenticate to other domains or resources.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems or domains, leveraging the discovered trust relationships and compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence and continues to perform malicious activities, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of domain trusts via \u003ccode\u003enltest.exe\u003c/code\u003e can provide attackers with valuable information to facilitate lateral movement and escalate privileges within a Windows NT Domain. This can lead to the compromise of sensitive data, disruption of critical services, and ultimately, a complete takeover of the affected environment. While the specific number of victims and sectors targeted are unknown, the impact can be significant for organizations relying on Active Directory for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003enltest.exe\u003c/code\u003e with command-line arguments indicative of domain trust discovery, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003enltest.exe\u003c/code\u003e execution, especially when initiated by non-administrative users or from unusual locations, as identified by the Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary process execution data for the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enltest.exe\u003c/code\u003e to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-11T17:49:00Z","date_published":"2024-01-11T17:49:00Z","id":"/briefs/2024-01-nltest-domain-trust-discovery/","summary":"Adversaries may use the `nltest.exe` command-line utility to enumerate domain trusts and gain insight into trust relationships to facilitate lateral movement within a Microsoft Windows NT Domain.","title":"NLTEST.EXE Used for Domain Trust Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows NT Domain","version":"https://jsonfeed.org/version/1.1"}