Domain Trust Discovery, Technique T1482 - Enterprise
AdFind can gather information about organizational units (OUs) and domain trusts from Active Directory.[5][6][7][8]
Akira uses the built-in Nltest utility or tools such as AdFind to enumerate Active Directory trusts in victim environments.[9]
BADHATCH can use nltest.exe /domain_trusts to discover domain trust relationships on a compromised machine.[10]
Bazar can use Nltest tools to obtain information about the domain.[11][12]
BloodHound has the ability to map domain trusts and identify misconfigurations for potential abuse.[13]
Brute Ratel C4 can use LDAP queries and nltest /domain_trusts for domain trust discovery.[14][15]
During C0015, the threat actors used the command nltest /domain_trusts /all_trusts to enumerate domain trusts.[16]
Chimera has used nltest /domain_trusts to identify domain trust relationships.[17]
dsquery can be used to gather information on domain trusts with dsquery * -filter "(objectClass=trustedDomain)" -attr *.[3]
DUSTTRAP can identify Active Directory information and related items.[18]
Earth Lusca has used Nltest to obtain information about domain controllers.[19]
Empire has modules for enumerating domain trusts.[20]
FIN8 has retrieved a list of trusted domains by using nltest.exe /domain_trusts.[21]
IcedID used Nltest during initial discovery.[22][23]
Latrodectus can run C:\Windows\System32\cmd.exe /c nltest /domain_trusts to discover domain trusts.[24][25]
Magic Hound has used a web shell to execute nltest /trusted_domains to identify trust relationships.[26]
MgBot includes modules for collecting information on local domain users and permissions.[27]
Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.[28][29]
Pikabot will gather information concerning the Windows Domain the victim machine is a member of during execution.[30]
PoshC2 has modules for enumerating domain trusts.[31]
PowerSploit has modules such as Get-NetDomainTrust and Get-NetForestTrust to enumerate domain and forest trusts.[32][33]
QakBot can run nltest /domain_trusts /all_trusts for domain trust discovery.[34]
Rubeus can gather information about domain trusts.[35][36]
SocGholish can profile compromised systems to identify domain trust relationships.[37][38]
During the SolarWinds Compromise, APT29 used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.[39] They also used AdFind to enumerate domains and to discover trust between federated domains.[40][41]
TrickBot can gather information about domain trusts by utilizing Nltest.[29][42]