<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Nltest - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/nltest/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/nltest/feed.xml" rel="self" type="application/rss+xml"/><item><title>NLTEST.EXE Used for Domain Trust Discovery</title><link>https://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-nltest-domain-trust-discovery/</guid><description>Adversaries may use `nltest.exe` to enumerate domain trusts, gaining insight into trust relationships and the state of Domain Controller replication within a Windows NT Domain, potentially leading to lateral movement.</description><content:encoded><![CDATA[<p>The <code>nltest.exe</code> utility is a command-line tool used for managing and troubleshooting Windows NT Domains. While legitimate domain administrators may occasionally use <code>nltest.exe</code> for information gathering, adversaries can leverage it to enumerate domain trusts and understand trust relationships within a target environment. This information can be critical for planning subsequent attack stages, such as lateral movement. This activity is most relevant in environments with older Windows Server versions (pre-2012), as newer systems have alternative tools. The activity can also be indicative of attackers trying to identify ways to move laterally within the network or gain access to sensitive resources.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The adversary gains initial access to a compromised host within the target network.</li>
<li>The attacker executes <code>nltest.exe</code> with specific arguments to enumerate domain trusts. Example arguments include <code>/DOMAIN_TRUSTS</code>, <code>/PARENTDOMAIN</code>, and <code>/DCLIST</code>.</li>
<li><code>nltest.exe</code> queries the Active Directory domain controller for information about trust relationships.</li>
<li>The domain controller responds with a list of trusted domains and their attributes.</li>
<li>The attacker parses the output of <code>nltest.exe</code> to identify potential targets for lateral movement.</li>
<li>The attacker uses discovered trust relationships to attempt authentication or access resources in other domains.</li>
<li>If successful, the attacker moves laterally to other systems within the trusted domains.</li>
<li>The ultimate goal is to gain access to sensitive data, escalate privileges, or disrupt services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful enumeration of domain trusts can provide attackers with valuable information about the network topology and trust relationships, enabling them to move laterally within the environment. This can lead to unauthorized access to sensitive data, privilege escalation, and potential disruption of critical services. The impact is amplified in environments with complex trust configurations or older Windows Server versions, where <code>nltest.exe</code> remains a relevant tool for domain management.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for <code>nltest.exe</code> with command-line arguments related to domain trust discovery (e.g., <code>/DOMAIN_TRUSTS</code>, <code>/PARENTDOMAIN</code>, <code>/DCLIST</code>) using the Sigma rule &quot;Detect Suspicious NLTEST Execution for Domain Trust Discovery&quot;.</li>
<li>Investigate any instances of <code>nltest.exe</code> execution originating from unusual or non-administrative user accounts.</li>
<li>Audit and review existing domain trust configurations to identify and remediate any overly permissive trust relationships.</li>
<li>Consider disabling or restricting the use of <code>nltest.exe</code> on non-administrative workstations where it is not required.</li>
<li>Enable Windows Security Event Logging, Sysmon or other endpoint detection to capture process creation events and command-line arguments for effective detection.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>discovery</category><category>windows</category><category>nltest</category><category>domain-trust</category></item></channel></rss>