Domain Trust Discovery Via Dsquery

Feb 3, 2023 · attack.discovery attack.t1482 ·

Detects execution of "dsquery.exe" for domain trust discovery

Sigma rule (View on GitHub)

 1title: Domain Trust Discovery Via Dsquery
 2id: 3bad990e-4848-4a78-9530-b427d854aac0
 3related:
 4    - id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b
 5      type: similar
 6    - id: 77815820-246c-47b8-9741-e0def3f57308
 7      type: obsoletes
 8status: test
 9description: Detects execution of "dsquery.exe" for domain trust discovery
10references:
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md
12    - https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843
13author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
14date: 2019/10/24
15modified: 2023/02/02
16tags:
17    - attack.discovery
18    - attack.t1482
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\dsquery.exe'
25        - OriginalFileName: 'dsquery.exe'
26    selection_cli:
27        CommandLine|contains: 'trustedDomain'
28    condition: all of selection_*
29falsepositives:
30    - Legitimate use of the utilities by legitimate user for legitimate reason
31level: medium

References

atomic-red-team/atomics/T1482/T1482.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More
An Introduction to Manual Active Directory Querying with Dsquery and Ldapsearch

Introduction

Read More

Domain Trust Discovery Via Dsquery

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1482/T1482.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

An Introduction to Manual Active Directory Querying with Dsquery and Ldapsearch

Related rules