# T1482 Domain Trust Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as `nltest /domain_trusts`. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the `DSEnumerateDomainTrusts()` Win32 API call to spot activity associated with [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Harmj0y Domain Trusts) Information may also be acquired through Windows system management tools such as [PowerShell](https://attack.mitre.org/techniques/T1059/001). The .NET method `GetAllTrustRelationships()` can be an indicator of [Domain Trust Discovery](https://attack.mitre.org/techniques/T1482).(Citation: Microsoft GetAllTrustRelationships)


-----------------------------------------------------------------------

### Tactics:

  * Discovery

### Platforms:

  * Windows

### Data Sources:

  * **Process:** Process Creation

  * **Script:** Script Execution

  * **Command:** Command Execution

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used the <code>Get-AcceptedDomain</code> PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.(Citation: Volexity SolarWinds) They also used [AdFind](https://attack.mitre.org/software/S0552) to enumerate domains and to discover trust between federated domains.(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>nltest /domain_trusts</code> to identify domain trust relationships.(Citation: NCC Group Chimera January 2021)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has retrieved a list of trusted domains by using <code>[Nltest](https://attack.mitre.org/software/S0359).exe /domain_trusts</code>.(Citation: Bitdefender FIN8 July 2021)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used the <code>Get-AcceptedDomain</code> PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell.(Citation: Volexity SolarWinds) They also used [AdFind](https://attack.mitre.org/software/S0552) to enumerate domains and to discover trust between federated domains.(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: CrowdStrike StellarParticle January 2022)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1482)

  * [Microsoft Operation Wilysupply](https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/), Florio, E. (2017, May 4). Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack. Retrieved February 14, 2019.

  * [AdSecurity Forging Trust Tickets](https://adsecurity.org/?p=1588), Metcalf, S. (2015, July 15). It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts. Retrieved February 14, 2019.

  * [Microsoft Trusts](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)), Microsoft. (2009, October 7). Trust Technologies. Retrieved February 14, 2019.

  * [Microsoft GetAllTrustRelationships](https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships), Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019.

  * [Harmj0y Domain Trusts](https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944), Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 29 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Zachary Burke

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use various discovery tools to enumerate a domain environment

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | | |
| APT29 | | |
| Turla | | |

#### Empire
- Empire (used by Turla) has modules for enumerating domain trusts.


## Detection Blindspots

- No known blindspots.

## Analytical References

- https://redcanary.com/threat-detection-report/techniques/domain-trust-discovery/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)
- https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- This technique is frequently seen in tandem with Scheduled Task (T1053), Process Injection (T1055), Windows Admin Shares (T1077), Disabling Security Tools (T1089), Remote File Copy (T1105).

#### Analytic 1

  * **Information:** Trickbot & nltest.exe

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** Trickbot has used nltest.exe with these specific commandLine options. Identify victim admin environment to determine relevance.

  * **Query:** ```Event_id : 1 AND process.name : *nltest.exe AND commandLine : (*/domain_trusts* or */all_trusts*)```


#### Analytic 2

  * **Information:** Wizard Spider & AdFind.exe

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** Wizard Spider has used AdFind.exe to collect information about Active Directory organizational units and trust objects.

  * **Query:** ```Event_id : 1 AND process.name : *adfind.exe AND commandLine : (*-f*objectclass=trusteddomain* or *-sc*trustdmp*)```


#### Analytic 3

  * **Information:** DsQuery & Trusted Domains

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** dsquery.exe can be used to enumerate domain trusts by filtering on the trustedDomain object class.

  * **Query:** ```Event_id : 1 AND process.name : *dsquery.exe AND commandLine : *-filter*objectClass=trustedDomain*-attr*```


#### Analytic 4

  * **Information:** PowerSploit & Domain Enumeration

  * **Source:** SYSMON, Windows Audits

  * **Tool:** Kibana

  * **Notes:** PowerSploit uses these modules to enumerate domain and forest trusts.

  * **Query:** ```process.command.line : (*Get-NetDomainTrust* or *Get-NetForestTrust*)```
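
The four host analytics above (and the command-line monitoring described under Technique Detection) expressed as runnable matching logic. This is an added example, not code from the playbook or from MITRE: it evaluates constructed Sysmon Event ID 1 records against the same process-name and command-line wildcards as the Kibana queries, using a single `commandLine` field for all four analytics. It also shows why the OR-ed alternatives must be grouped: in KQL, OR binds more loosely than AND, so an ungrouped trailing term such as `*/all_trusts*` becomes a free-text clause that fires without the Event_id and process-name gates.

```python
"""Host-analytic logic for T1482 applied to constructed Sysmon Event ID 1 records.

Added example, not the playbook's or MITRE's own code. Field names (Event_id,
process.name, commandLine) follow the Kibana analytics in this playbook; the
event records below are constructed for illustration, not real telemetry.
"""
import fnmatch


def glob_ci(value, pattern):
    """Case-insensitive wildcard match, standing in for a Kibana wildcard clause."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


# Each analytic: (name, process.name pattern or None, command-line alternatives).
# The alternatives are grouped, so every one of them is still gated by
# Event_id == 1 and the process-name check.
ANALYTICS = [
    ("Analytic 1", "*nltest.exe", ["*/domain_trusts*", "*/all_trusts*"]),
    ("Analytic 2", "*adfind.exe", ["*-f*objectclass=trusteddomain*", "*-sc*trustdmp*"]),
    ("Analytic 3", "*dsquery.exe", ["*-filter*objectClass=trustedDomain*-attr*"]),
    ("Analytic 4", None, ["*Get-NetDomainTrust*", "*Get-NetForestTrust*"]),
]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "Event_id": 1, "process.name": "nltest.exe",
     "commandLine": "nltest /domain_trusts /all_trusts"},
    {"id": "e2", "Event_id": 1, "process.name": "nltest.exe",
     "commandLine": "nltest /dsgetdc:corp.example"},          # DC locator, not a trust query
    {"id": "e3", "Event_id": 1, "process.name": "AdFind.exe",
     "commandLine": "AdFind.exe -f objectclass=trusteddomain"},
    {"id": "e4", "Event_id": 1, "process.name": "dsquery.exe",
     "commandLine": 'dsquery * -filter "(objectClass=trustedDomain)" -attr name trustDirection'},
    {"id": "e5", "Event_id": 1, "process.name": "powershell.exe",
     "commandLine": 'powershell -nop -c "Get-NetForestTrust"'},
    {"id": "e6", "Event_id": 1, "process.name": "cmd.exe",
     "commandLine": "cmd /c echo build /all_trusts done"},    # the string alone, no nltest
]


def matches_analytic(event, analytic):
    """True when the event satisfies the analytic with its OR alternatives grouped."""
    _name, proc_pattern, cmd_patterns = analytic
    if event.get("Event_id") != 1:
        return False
    if proc_pattern and not glob_ci(event.get("process.name", ""), proc_pattern):
        return False
    cmd = event.get("commandLine", "")
    return any(glob_ci(cmd, p) for p in cmd_patterns)


def run_hunt(events):
    """Map each analytic name to the ids of the events it fires on."""
    hits = {}
    for ev in events:
        for analytic in ANALYTICS:
            if matches_analytic(ev, analytic):
                hits.setdefault(analytic[0], []).append(ev["id"])
    return hits


def analytic1_ungrouped(event):
    """Analytic 1 read the way KQL parses it without parentheses: OR binds more
    loosely than AND, so the trailing */all_trusts* term is a free-text clause
    that fires on any field, regardless of Event_id or process name."""
    strict = (event.get("Event_id") == 1
              and glob_ci(event.get("process.name", ""), "*nltest.exe")
              and glob_ci(event.get("commandLine", ""), "*/domain_trusts*"))
    free_text = any(glob_ci(v, "*/all_trusts*") for v in event.values())
    return strict or free_text


if __name__ == "__main__":
    for name, ids in run_hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {ids}")
    noisy = [ev["id"] for ev in SAMPLE_EVENTS if analytic1_ungrouped(ev)]
    print("Analytic 1 without grouping fires on:", noisy)
```

Run stand-alone, the grouped analytics fire once each on e1, e3, e4 and e5, while the ungrouped reading of Analytic 1 also fires on e6, a cmd.exe process whose arguments merely contain the string `/all_trusts`. The wildcards here assume a keyword-style command-line field, as the playbook's own `*/domain_trusts*` clause does; on a tokenised text field the same patterns would need to be re-expressed as phrases.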


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

