Detecting domain trust discovery attempts
Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain, allowing the users of the trusted domain to access resources in the trusting domain. Attackers may attempt to perform domain trust discovery as the information they discover can help them to identify lateral movement opportunities in Windows multi-domain/forest environments.
Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.
These searches look for activity consistent with attackers attempting to perform domain trust discovery.
Required data
- Normalized endpoint data, populating the Processes node of the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
- In addition, if you are using Sysmon, you must have at least version 6.0.4.
- To optimize the searches shown below, you should specify an index and a time range when appropriate.
How to use Splunk software for this use case
- ► Windows adfind.exe execution
-
To complete this process, your deployment needs to ingest logs with the process name, and command line executions from your endpoints.
This search looks for the execution of adfind.exe with the filter or search command line arguments that it uses by default. It also considers the arguments necessary like objectcategory. Adfind.exe is rarely used by administrators for legitimate reasons so you should investigate any results that are returned from this search.
| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process"="* -f *" OR "Processes.process"="* -b *") ("Processes.process"=*objectcategory* OR "Processes.process"="* -gcb *" OR "Processes.process"="* -sc *")) BY "Processes.dest", "Processes.user", "Processes.process_name", "Processes.process", "Processes.parent_process", "Processes.process_id", "Processes.parent_process_id" | rename "Processes.*" AS "*" | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
- ► Dsquery domain discovery
-
To complete this process, your deployment needs to ingest information on process that include the name of the process responsible for the changes from your endpoints.
This search looks for dsquery.exe execution with arguments looking for a
TrustedDomainquery on the command line, which indicates domain trust discovery is being performed.This search does not identify any other variations of dsquery.exe usage. Within this search, it is assumed that dsquery.exe is not moved or renamed. The search will return the first time and last time these command line arguments were used for these executions, as well as the target system, the user, process "dsquery.exe" and its parent process.
Dsquery.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64 and only on server operating systems. Dsquery.dll is loaded when DSQuery.exe is launched. If you find this DLL loaded by another process, it is possible dsquery is running within that process context in memory.
When reviewing any results from this search, you should review parallel processes for additional behaviors performed, as well as identifying the parent process and capturing any files being used, for example, batch files.
| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=dsquery.exe "Processes.process"=*trustedDomain*) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" | rename "Processes.*" AS "*" | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) - ► Nltest domain trust discovery
-
To complete this process, your deployment needs to ingest information on process that include the name of the process responsible for the changes from your endpoints.
This search looks for the execution of nltest.exe with command line arguments used to query for domain trust information.
/domain trustsreturns a list of trusted domains, and/all_trustsreturns all trusted domains. Attackers use nltest.exe to enumerate the current domain, which helps them understand where to pivot next.| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=nltest.exe OR "Processes.process_name"!=nltest.exe) ("Processes.process"=*/domain_trusts* OR "Processes.process"=*/all_trusts*)) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" | rename "Processes.*" AS "*" | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) - Next steps
The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.
In addition, these Splunk resources might help you understand and implement this use case: