Enumerating Domain Trust Relationships with Nltest.exe
Left unchecked, SocGholish may lead to domain discovery. This type of behavior is often a precursor to ransomware activity, and should be quickly quelled to prevent further progression of the threat. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: Enumerating Domain Trust Relationships with Nltest.exe
id: 3ddc7df5-780a-442a-8d41-269f476ed24a
status: experimental
description: |
    Left unchecked, SocGholish may lead to domain discovery. This type of behavior is
    often a precursor to ransomware activity, and should be quickly quelled to prevent
    further progression of the threat. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.discovery
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\nltest.exe'
        CommandLine|contains:
            - '/domain_trusts'
            - '/all_trusts'
    condition: selection
falsepositives:
    - Unknown
level: low
```
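The selection above reads as two conditions joined by AND: the process image must end with `\nltest.exe`, and the command line must contain either `/domain_trusts` or `/all_trusts` (a list under one field is OR). The following added example, which is not part of the rule page or the Sigma project, transcribes that selection and applies it to a handful of constructed process-creation events so the match semantics (case-insensitive per the Sigma specification, OR within a field, AND across fields) can be seen on concrete input. The `EVENTS` records and their field names are assumptions modelled on Sysmon Event ID 1, not real telemetry.

```python
"""Apply the nltest.exe domain-trust Sigma selection to sample process_creation events.

Added example: the matcher below is a minimal stand-in for a Sigma backend, written
to show how this rule's selection behaves; it is not the rule author's tooling.
"""
from typing import Iterable

# The rule's selection, transcribed from the Sigma YAML on this page.
# "\\nltest.exe" is a literal backslash followed by nltest.exe.
SELECTION = {
    "Image|endswith": ["\\nltest.exe"],
    "CommandLine|contains": ["/domain_trusts", "/all_trusts"],
}


def _field_matches(value: str, modifier: str, patterns: list[str]) -> bool:
    """Sigma string matching is case-insensitive; a list under one field is OR."""
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "" and v == p:
            return True
    return False


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """Every key of a Sigma selection map must match (AND); a missing field never matches."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if not _field_matches(str(value), modifier, patterns):
            return False
    return True


# Constructed sample events in a Sysmon Event ID 1 style (assumed field names, not real logs).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest.exe /domain_trusts /all_trusts", "User": "CORP\\alice"},
    # nltest run for another purpose: Image matches, CommandLine does not.
    {"EventID": 1, "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /dclist:corp.example", "User": "CORP\\svc-monitor"},
    # Upper-case variant: still matches because Sigma matching is case-insensitive.
    {"EventID": 1, "Image": r"C:\Windows\System32\NLTEST.EXE",
     "CommandLine": "NLTEST /DOMAIN_TRUSTS", "User": "CORP\\bob"},
    # The switch string appears, but the image is not nltest.exe.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo /domain_trusts", "User": "CORP\\carol"},
]


def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Return the events that satisfy the rule's selection (condition: selection)."""
    return [e for e in events if selection_matches(e)]


if __name__ == "__main__":
    for hit in find_alerts(EVENTS):
        print(f"[level=low] {hit['User']}: {hit['CommandLine']}")
```

Running the block flags the first and third events only. The second shows why the command-line clause matters (nltest.exe itself is a routine administrative tool), and the fourth shows why the image clause matters. Because the selection keys on the image path, it is best reviewed alongside the other discovery rules listed under "Related rules" rather than as a stand-alone indicator.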
References
Related rules
- AdFind Discovery
- SocGholish NLTest Domain Trust Enumeration (RedCanary Threat Detection Report)
- WMI Reconnaissance
- Whoami Recon Writing Output to File
- Invoke-ShareFinder Discovery Activity