Enumerating Domain Trusts via NLTEST.EXE

calendarMar 5, 2023  ·
Share on: linkedincopy

Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/05/31"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/02/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to
13enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC)
14replication in a Microsoft Windows NT Domain.
15"""
16false_positives = [
17    """
18    Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not
19    common for environments with Windows Server 2012 and newer.
20    """,
21]
22from = "now-9m"
23index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
24language = "eql"
25license = "Elastic License v2"
26name = "Enumerating Domain Trusts via NLTEST.EXE"
27note = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
30"""
31references = [
32    "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
33    "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
34]
35risk_score = 21
36rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
37severity = "low"
38tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43process where host.os.type == "windows" and event.type == "start" and
44    process.name : "nltest.exe" and process.args : (
45        "/DCLIST:*", "/DCNAME:*", "/DSGET*",
46        "/LSAQUERYFTI:*", "/PARENTDOMAIN",
47        "/DOMAIN_TRUSTS", "/BDC_QUERY:*")
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1482"
55name = "Domain Trust Discovery"
56reference = "https://attack.mitre.org/techniques/T1482/"
57[[rule.threat.technique]]
58id = "T1018"
59name = "Remote System Discovery"
60reference = "https://attack.mitre.org/techniques/T1018/"
61
62[rule.threat.tactic]
63id = "TA0007"
64name = "Discovery"
65reference = "https://attack.mitre.org/tactics/TA0007/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

to-top