Potential Recon Activity Via Nltest.EXE

Detects nltest commands that can be used for information discovery

Sigma rule (View on GitHub)

 1title: Potential Recon Activity Via Nltest.EXE
 2id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
 3related:
 4    - id: 410ad193-a728-4107-bc79-4419789fcbf8
 5      type: similar
 6    - id: 903076ff-f442-475a-b667-4f246bcc203b
 7      type: similar
 8    - id: 77815820-246c-47b8-9741-e0def3f57308
 9      type: obsolete
10status: test
11description: Detects nltest commands that can be used for information discovery
12references:
13    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
14    - https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
15    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
16    - https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
17    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
18    - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
19    - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
20    - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
21author: Craig Young, oscd.community, Georg Lauenstein
22date: 2021-07-24
23modified: 2023-12-15
24tags:
25    - attack.discovery
26    - attack.t1016
27    - attack.t1482
28logsource:
29    category: process_creation
30    product: windows
31detection:
32    selection_nltest:
33        - Image|endswith: '\nltest.exe'
34        - OriginalFileName: 'nltestrk.exe'
35    selection_recon:
36        - CommandLine|contains|all:
37              - 'server'
38              - 'query'
39        - CommandLine|contains:
40              - '/user'
41              - 'all_trusts' # Flag for /domain_trusts
42              - 'dclist:'
43              - 'dnsgetdc:'
44              - 'domain_trusts'
45              - 'dsgetdc:'
46              - 'parentdomain'
47              - 'trusted_domains'
48    condition: all of selection_*
49falsepositives:
50    - Legitimate administration use but user and host must be investigated
51level: medium

References

Related rules

to-top