Domain Trust Discovery, Technique T1482 - Enterprise (original) (raw)

AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory.[5][6][7][8]

Akira uses the built-in Nltest utility or tools such as AdFind to enumerate Active Directory trusts in victim environments.[9]

S1081

BADHATCH

BADHATCH can use nltest.exe /domain_trusts to discover domain trust relationships on a compromised machine.[10]

S0534

Bazar

Bazar can use Nltest tools to obtain information about the domain.[11][12]

G1043

BlackByte

BlackByte enumerated Active Directory information and trust relationships during operations.[13][14]

S0521

BloodHound

BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.[15]

S1063

Brute Ratel C4

Brute Ratel C4 can use LDAP queries and nltest /domain_trusts for domain trust discovery.[16][17]

C0015

During C0015, the threat actors used the command nltest /domain_trusts /all_trusts to enumerate domain trusts.[18]

G0114

Chimera

Chimera has nltest /domain_trusts to identify domain trust relationships.[19]

S0105

dsquery

dsquery can be used to gather information on domain trusts with dsquery * -filter "(objectClass=trustedDomain)" -attr *.[3]

S1159

DUSTTRAP

DUSTTRAP can identify Active Directory information and related items.[20]

G1006

Earth Lusca

Earth Lusca has used Nltest to obtain information about domain controllers.[21]

S0363

Empire

Empire has modules for enumerating domain trusts.[22]

G0061

FIN8

FIN8 has retrieved a list of trusted domains by using nltest.exe /domain_trusts.[23]

S0483

IcedID

IcedID used Nltest during initial discovery.[24][25]

S1160

Latrodectus

Latrodectus can run C:\Windows\System32\cmd.exe /c nltest /domain_trusts to discover domain trusts.[26][27]

C0049

Leviathan Australian Intrusions

Leviathan performed Active Directory enumeration of victim environments during Leviathan Australian Intrusions.[28]

G0030

Lotus Blossom

Lotus Blossom has used tools such as AdFind to make Active Directory queries.[29]

G0059

Magic Hound

Magic Hound has used a web shell to execute nltest /trusted_domains to identify trust relationships.[30]

S1146

MgBot

MgBot includes modules for collecting information on local domain users and permissions.[31]

S0359

Nltest

Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.[32][33]

S1145

Pikabot

Pikabot will gather information concerning the Windows Domain the victim machine is a member of during execution.[34]

S0378

PoshC2

PoshC2 has modules for enumerating domain trusts.[35]

S0194

PowerSploit

PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.[36][37]

S0650

QakBot

QakBot can run nltest /domain_trusts /all_trusts for domain trust discovery.[38]

S1071

Rubeus

Rubeus can gather information about domain trusts.[39][40]

S1124

SocGholish

SocGholish can profile compromised systems to identify domain trust relationships.[41][42]

C0024

SolarWinds Compromise

During the SolarWinds Compromise, APT29 used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.[43] They also used AdFind to enumerate domains and to discover trust between federated domains.[44][45]

G1046

Storm-1811

Storm-1811 has enumerated domain accounts and access during intrusions.[46]

S0266

TrickBot

TrickBot can gather information about domain trusts by utilizing Nltest.[33][47]