Detecting domain trust discovery attempts
Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain, allowing the users of the trusted domain to access resources in the trusting domain. Attackers may attempt to perform domain trust discovery as the information they discover can help them to identify lateral movement opportunities in Windows multi-domain/forest environments.
Domain trusts can be enumerated with the DsEnumerateDomainTrusts() Win32 API call, .NET methods such as Domain.GetAllTrustRelationships(), or LDAP queries for trustedDomain objects. The built-in Windows utility nltest.exe (for example, nltest /domain_trusts) is widely used by adversaries to enumerate domain trusts, and is the most visible of these methods in process telemetry.
These searches look for activity consistent with attackers attempting to perform domain trust discovery.
Required data
Normalized endpoint detection and response (EDR) data, populating the Processes node of the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
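The following is an added example, not a search from this page or from Splunk's own content: a small Python detector that applies the same logic these searches use to a set of constructed events shaped like the Endpoint.Processes fields (dest, user, parent_process_name, process_name, process). The rule names, the sample events and the helper names are this example's own assumptions. It flags nltest trust switches, dsquery LDAP filters for trustedDomain objects, and PowerShell invocations of .NET or PowerView/AD-module trust enumeration, while leaving the benign nltest /dsgetdc domain-controller lookup alone.

```python
import re
from dataclasses import dataclass

# Constructed sample events shaped like the CIM Endpoint.Processes node.
# These are not real telemetry; the hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe",
     "process_name": "nltest.exe", "process": "nltest /domain_trusts /all_trusts"},
    {"dest": "ws01", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe",
     "process_name": "nltest.exe", "process": "nltest /trusted_domains"},
    # Benign: DC locator lookup, not trust enumeration. Must not fire.
    {"dest": "ws02", "user": "CORP\\svc_build", "parent_process_name": "build.exe",
     "process_name": "nltest.exe", "process": "nltest /dsgetdc:corp.example"},
    {"dest": "ws03", "user": "CORP\\admin", "parent_process_name": "cmd.exe",
     "process_name": "dsquery.exe",
     "process": 'dsquery * -filter "(objectClass=trustedDomain)" -attr *'},
    {"dest": "ws04", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe",
     "process_name": "powershell.exe",
     "process": 'powershell -nop -c "([System.DirectoryServices.ActiveDirectory.Domain]'
                '::GetCurrentDomain()).GetAllTrustRelationships()"'},
    {"dest": "ws04", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe",
     "process_name": "powershell.exe",
     "process": "powershell -c Get-DomainTrust -Domain corp.example"},
    # Benign: unrelated process, must not fire.
    {"dest": "ws05", "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "notepad.exe", "process": "notepad.exe trusts.txt"},
]


@dataclass(frozen=True)
class Rule:
    name: str                 # hypothetical rule label, this example's own naming
    process_name: re.Pattern  # matched against Processes.process_name
    command_line: re.Pattern  # matched against Processes.process (full command line)


# Each rule pairs an image name with the command-line fragment that actually
# enumerates trusts, so that ordinary uses of the same binary do not fire.
RULES = [
    Rule("nltest domain trust enumeration",
         re.compile(r"^nltest(\.exe)?$", re.I),
         re.compile(r"/(domain_trusts|trusted_domains|all_trusts)\b", re.I)),
    Rule("dsquery LDAP trustedDomain query",
         re.compile(r"^dsquery(\.exe)?$", re.I),
         re.compile(r"objectclass=trusteddomain", re.I)),
    Rule(".NET GetAllTrustRelationships via PowerShell",
         re.compile(r"^(powershell|pwsh)(\.exe)?$", re.I),
         re.compile(r"Get(All)?TrustRelationships?\b", re.I)),
    Rule("PowerView or AD-module trust cmdlet",
         re.compile(r"^(powershell|pwsh)(\.exe)?$", re.I),
         re.compile(r"\bGet-(DomainTrust|NetDomainTrust|ForestTrust|NetForestTrust|ADTrust)\b", re.I)),
]


def match_event(event):
    """Return the name of the first rule the event satisfies, or None."""
    pname = event.get("process_name", "")
    cmd = event.get("process", "")
    for rule in RULES:
        if rule.process_name.search(pname) and rule.command_line.search(cmd):
            return rule.name
    return None


def detect_trust_discovery(events):
    """Run every event through the rules and return one finding per match."""
    findings = []
    for ev in events:
        technique = match_event(ev)
        if technique is not None:
            findings.append({"dest": ev["dest"], "user": ev["user"],
                             "parent": ev["parent_process_name"],
                             "technique": technique, "process": ev["process"]})
    return findings


def hosts_with_repeated_discovery(findings, threshold=2):
    """Hosts with at least `threshold` findings: repeated enumeration on one host
    is a stronger signal than a single nltest call by an administrator."""
    counts = {}
    for f in findings:
        counts[f["dest"]] = counts.get(f["dest"], 0) + 1
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = detect_trust_discovery(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['dest']:5} {h['user']:16} {h['technique']:45} {h['process']}")
    print("hosts with repeated discovery:", hosts_with_repeated_discovery(hits))
```

Two caveats a practitioner should keep in mind. First, command-line matching only sees tools that expose their intent on the command line; a custom binary that calls DsEnumerateDomainTrusts() directly, or a script that is loaded from a file rather than passed with -c, produces an nltest-free process event and needs API or script-block telemetry instead. Second, administrators and monitoring agents do run nltest and Get-ADTrust legitimately, so the parent process, the user and the count per host are what separate a true positive from routine use; that is why the finding keeps the parent and the host-level roll-up is included.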
How to use Splunk software for this use case
Next steps
In addition, these Splunk resources might help you understand and implement this use case:
- Blog: Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter
- If you are a Splunk Enterprise Security customer, you can also get help from the Security Research team's support options on GitHub.