{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/nltest/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Server","Active Directory"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","nltest","domain-trust"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u003ccode\u003enltest.exe\u003c/code\u003e utility is a command-line tool used for managing and troubleshooting Windows NT Domains. While legitimate domain administrators may occasionally use \u003ccode\u003enltest.exe\u003c/code\u003e for information gathering, adversaries can leverage it to enumerate domain trusts and understand trust relationships within a target environment. This information can be critical for planning subsequent attack stages, such as lateral movement. This activity is most relevant in environments with older Windows Server versions (pre-2012), as newer systems have alternative tools. The activity can also be indicative of attackers trying to identify ways to move laterally within the network or gain access to sensitive resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains initial access to a compromised host within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enltest.exe\u003c/code\u003e with specific arguments to enumerate domain trusts. Example arguments include \u003ccode\u003e/DOMAIN_TRUSTS\u003c/code\u003e, \u003ccode\u003e/PARENTDOMAIN\u003c/code\u003e, and \u003ccode\u003e/DCLIST\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enltest.exe\u003c/code\u003e queries the Active Directory domain controller for information about trust relationships.\u003c/li\u003e\n\u003cli\u003eThe domain controller responds with a list of trusted domains and their attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of \u003ccode\u003enltest.exe\u003c/code\u003e to identify potential targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses discovered trust relationships to attempt authentication or access resources in other domains.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker moves laterally to other systems within the trusted domains.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to gain access to sensitive data, escalate privileges, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of domain trusts can provide attackers with valuable information about the network topology and trust relationships, enabling them to move laterally within the environment. This can lead to unauthorized access to sensitive data, privilege escalation, and potential disruption of critical services. The impact is amplified in environments with complex trust configurations or older Windows Server versions, where \u003ccode\u003enltest.exe\u003c/code\u003e remains a relevant tool for domain management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enltest.exe\u003c/code\u003e with command-line arguments related to domain trust discovery (e.g., \u003ccode\u003e/DOMAIN_TRUSTS\u003c/code\u003e, \u003ccode\u003e/PARENTDOMAIN\u003c/code\u003e, \u003ccode\u003e/DCLIST\u003c/code\u003e) using the Sigma rule \u0026quot;Detect Suspicious NLTEST Execution for Domain Trust Discovery\u0026quot;.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003enltest.exe\u003c/code\u003e execution originating from unusual or non-administrative user accounts.\u003c/li\u003e\n\u003cli\u003eAudit and review existing domain trust configurations to identify and remediate any overly permissive trust relationships.\u003c/li\u003e\n\u003cli\u003eConsider disabling or restricting the use of \u003ccode\u003enltest.exe\u003c/code\u003e on non-administrative workstations where it is not required.\u003c/li\u003e\n\u003cli\u003eEnable Windows Security Event Logging, Sysmon or other endpoint detection to capture process creation events and command-line arguments for effective detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/","summary":"Adversaries may use `nltest.exe` to enumerate domain trusts, gaining insight into trust relationships and the state of Domain Controller replication within a Windows NT Domain, potentially leading to lateral movement.","title":"NLTEST.EXE Used for Domain Trust Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - Nltest","version":"https://jsonfeed.org/version/1.1"}