https://feed.craftedsignal.io/tags/domain-trust/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 14:17:05 +0000https://feed.craftedsignal.io/briefs/2026-05-domain-trust-discovery/Mon, 04 May 2026 14:17:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-domain-trust-discovery/Adversaries may use the `dsquery.exe` command-line utility to enumerate trust relationships for lateral movement in Windows multi-domain environments.The dsquery.exe utility is a command-line tool in Windows used to query Active Directory. Attackers may leverage dsquery.exe to discover domain trust relationships within a Windows environment, mapping out potential lateral movement paths. This discovery is often an early stage in reconnaissance, before an attacker attempts to move laterally to other systems. This activity can be detected across various endpoint detection platforms including Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne. This activity is not inherently malicious, as administrators also use it for legitimate purposes.

Attack Chain

1. An attacker gains initial access to a compromised host within the target environment.
2. The attacker executes dsquery.exe with the argument objectClass=trustedDomain to enumerate domain trusts.
3. The command execution is logged by endpoint detection and response (EDR) solutions or Windows Security Event Logs.
4. The attacker parses the output of the dsquery.exe command to identify trusted domains and their attributes.
5. The attacker uses the discovered trust information to plan lateral movement strategies.
6. The attacker attempts to authenticate to other systems within the trusted domains using stolen credentials or other exploits.

Impact

Successful enumeration of domain trusts enables attackers to map out the Active Directory environment and identify potential pathways for lateral movement. While the enumeration itself is low impact, it facilitates subsequent actions like credential theft, privilege escalation, and data exfiltration. This can lead to widespread compromise across the organization, impacting numerous systems and sensitive data.

Recommendation

• Deploy the Sigma rule “Detect Enumerating Domain Trusts via DSQUERY.EXE” to your SIEM and tune for your environment.
• Investigate any execution of dsquery.exe with the argument objectClass=trustedDomain to identify potentially malicious activity.
• Monitor process execution events for dsquery.exe to detect suspicious command-line arguments and execution patterns.

]]>lowadvisorydiscoverydomain-trustwindowshttps://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/Thu, 11 Jan 2024 17:49:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/Adversaries may use the `nltest.exe` command-line utility to enumerate domain trusts and gain insight into trust relationships to facilitate lateral movement within a Microsoft Windows NT Domain.The nltest.exe utility is a command-line tool used to manage and troubleshoot Windows NT domains. While legitimate domain administrators may use this utility for information gathering, adversaries can also abuse it to enumerate domain trusts and gain insight into trust relationships, which exposes the state of Domain Controller (DC) replication within a Windows NT Domain. This activity is more suspicious in environments with Windows Server 2012 and newer, where its usage is less common for legitimate purposes. Attackers can leverage this information to facilitate lateral movement and other malicious activities within the network.

Attack Chain

1. An attacker gains initial access to a compromised host within the target environment.
2. The attacker executes nltest.exe with specific arguments such as /DOMAIN_TRUSTS, /DCLIST:*, /DCNAME:*, /DSGET*, /LSAQUERYFTI:*, /PARENTDOMAIN, or /BDC_QUERY:* to enumerate domain trusts.
3. The nltest.exe utility queries the Active Directory to gather information about domain trusts, domain controllers, and other domain-related information.
4. The attacker parses the output of nltest.exe to identify trust relationships, domain controllers, and other relevant information about the domain infrastructure.
5. The attacker uses the gathered information to map out potential lateral movement paths within the environment.
6. The attacker leverages discovered trust relationships to authenticate to other domains or resources.
7. The attacker moves laterally to other systems or domains, leveraging the discovered trust relationships and compromised credentials.
8. The attacker establishes persistence and continues to perform malicious activities, such as data exfiltration or ransomware deployment.

Impact

Successful enumeration of domain trusts via nltest.exe can provide attackers with valuable information to facilitate lateral movement and escalate privileges within a Windows NT Domain. This can lead to the compromise of sensitive data, disruption of critical services, and ultimately, a complete takeover of the affected environment. While the specific number of victims and sectors targeted are unknown, the impact can be significant for organizations relying on Active Directory for authentication and authorization.

Recommendation

• Monitor process execution for nltest.exe with command-line arguments indicative of domain trust discovery, using the provided Sigma rule.
• Investigate any instances of nltest.exe execution, especially when initiated by non-administrative users or from unusual locations, as identified by the Sigma rule.
• Enable Sysmon process creation logging to capture the necessary process execution data for the provided Sigma rule.
• Review and restrict the use of nltest.exe to authorized personnel only.

]]>lowadvisorydiscoverydomain trustlateral movementwindows