EXPLORE

← Back to Explore

T1482

Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SI...

Windows

38

Detections

3

Sources

9

Threat Actors

BY SOURCE

17sigma13splunk_escu8elastic

PROCEDURES (24)

Process Creation Monitoring7 detections

Auto-extracted: 7 detections for process creation monitoring

General Monitoring3 detections

Auto-extracted: 3 detections for general monitoring

Lateral3 detections

Auto-extracted: 3 detections for lateral

Script Block2 detections

Auto-extracted: 2 detections for script block

Spray2 detections

Auto-extracted: 2 detections for spray

Powershell2 detections

Auto-extracted: 2 detections for powershell

Powershell2 detections

Auto-extracted: 2 detections for powershell

Azure1 detections

Auto-extracted: 1 detections for azure

Lateral1 detections

Auto-extracted: 1 detections for lateral

Lateral1 detections

Auto-extracted: 1 detections for lateral

Remote1 detections

Auto-extracted: 1 detections for remote

Powershell1 detections

Auto-extracted: 1 detections for powershell

Credential1 detections

Auto-extracted: 1 detections for credential

Service1 detections

Auto-extracted: 1 detections for service

Privilege1 detections

Auto-extracted: 1 detections for privilege

Remote1 detections

Auto-extracted: 1 detections for remote

Service1 detections

Auto-extracted: 1 detections for service

Credential1 detections

Auto-extracted: 1 detections for credential

Service Monitoring1 detections

Auto-extracted: 1 detections for service monitoring

Spray1 detections

Auto-extracted: 1 detections for spray

File Monitoring1 detections

Auto-extracted: 1 detections for file monitoring

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Lateral1 detections

Auto-extracted: 1 detections for lateral

Azure1 detections

Auto-extracted: 1 detections for azure

THREAT ACTORS (9)

Akira BlackByte Chimera Earth Lusca FIN8 Lotus Blossom Magic Hound Storm-0501 Storm-1811

DETECTIONS (38)

Active Directory Database Snapshot Via ADExplorer

Active Directory Discovery using AdExplorer

ADExplorer Writing Complete AD Snapshot Into .dat File

AdFind Command Activity

BloodHound Collection Files

Detect AzureHound Command-Line Arguments

Detect AzureHound File Modifications

Detect SharpHound Command-Line Arguments

Detect SharpHound File Modifications

Detect SharpHound Usage

DNS Server Discovery Via LDAP Query

Domain Trust Discovery Via Dsquery

DSQuery Domain Discovery

Enumerating Domain Trusts via DSQUERY.EXE

Enumerating Domain Trusts via NLTEST.EXE

Get-DomainTrust with PowerShell

Get-DomainTrust with PowerShell Script Block

Get-ForestTrust with PowerShell

Get-ForestTrust with PowerShell Script Block

HackTool - Bloodhound/Sharphound Execution

HackTool - SharpView Execution

HackTool - TruffleSnout Execution

Malicious PowerShell Commandlets - PoshModule

Malicious PowerShell Commandlets - ProcessCreation

Malicious PowerShell Commandlets - ScriptBlock

Network Traffic to Active Directory Web Services Protocol

NLTest Domain Trust Discovery

Nltest.EXE Execution

Potential Active Directory Reconnaissance/Enumeration Via LDAP

Potential PowerShell HackTool Script by Function Names

Potential Recon Activity Via Nltest.EXE

PowerShell Suspicious Discovery Related Windows API Functions

PUA - AdFind Suspicious Execution

Renamed AdFind Execution

Suspicious Access to LDAP Attributes

Suspicious Active Directory Database Snapshot Via ADExplorer

Suspicious JetBrains TeamCity Child Process

Windows SOAPHound Binary Execution