Potential Recon Activity Via Nltest.EXE
Detects nltest commands that can be used for information discovery
Sigma rule (View on GitHub)
1title: Potential Recon Activity Via Nltest.EXE
2id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
3related:
4 - id: 410ad193-a728-4107-bc79-4419789fcbf8
5 type: similar
6 - id: 903076ff-f442-475a-b667-4f246bcc203b
7 type: similar
8 - id: 77815820-246c-47b8-9741-e0def3f57308
9 type: obsoletes
10status: test
11description: Detects nltest commands that can be used for information discovery
12references:
13 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
14 - https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
15 - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
16 - https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
17 - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
18 - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
19 - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
20 - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
21author: Craig Young, oscd.community, Georg Lauenstein
22date: 2021/07/24
23modified: 2023/12/15
24tags:
25 - attack.discovery
26 - attack.t1016
27 - attack.t1482
28logsource:
29 category: process_creation
30 product: windows
31detection:
32 selection_nltest:
33 - Image|endswith: '\nltest.exe'
34 - OriginalFileName: 'nltestrk.exe'
35 selection_recon:
36 - CommandLine|contains|all:
37 - 'server'
38 - 'query'
39 - CommandLine|contains:
40 - '/user'
41 - 'all_trusts' # Flag for /domain_trusts
42 - 'dclist:'
43 - 'dnsgetdc:'
44 - 'domain_trusts'
45 - 'dsgetdc:'
46 - 'parentdomain'
47 - 'trusted_domains'
48 condition: all of selection_*
49falsepositives:
50 - Legitimate administration use but user and host must be investigated
51level: medium
References
-
In this intrusion, we will take a look at a Trickbot infection, where soon after gaining access, the threat actor started to enumerate the target network and dump credential information. A setup file, which attempted to masquerade as a legitimate software installer, was deployed on several systems to fetch additional Cobalt Strike beacons.
Read More -
Intro The Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using Zerologon (CVE-2020-1472), less than 2 hours after the initial … Read More
Read More -
😎Hardware/Physical Access Physical AttacksEscaping from KIOSKsFirmware AnalysisBootloader testingFirmware Integrity
Read More -
This post explores some of the TTPs employed by a threat actor who were observed deploying LockBit 3.0 ransomware during an incident response engagement.
Read More -
Domain Trust Discovery via Nltest.exe Identifies execution of nltest.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. id:03e231a6-74bc-467a-...
Read More -
We recently helped stop a Ryuk ransomware infection at a hospital. Here are the ten behaviors we detected to prevent this threat.
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Nltest.EXE Execution
- PUA - AdFind Suspicious Execution
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- HackTool - Bloodhound/Sharphound Execution
- Renamed AdFind Execution