T1482: Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
mitre_attck_discovery: PT-CR-1081: Domain_Dump_Tools_Via_LDAP: Information is uploaded from a domain controller
mitre_attck_discovery: PT-CR-1378: PowerView_Recon: Running scripts from the PowerView toolkit used to receive information about domains, domain and local groups, and users is detected
mitre_attck_discovery: PT-CR-2117: Windows_Mass_Recon: Large number of reconnaissance-related actions on a host
mitre_attck_discovery: PT-CR-1083: Ldapdomaindump_Queries: Active Directory information is dumped using ldapdomaindump
mitre_attck_discovery: PT-CR-336: Domain_Trust_Discovery: An attempt to retrieve a list of trusted domains is detected
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on.
active_directory_attacks: PT-CR-827: Active_Directory_Snapshot: Creating a snapshot of the Active Directory structure. This may indicate that reconnaissance is being conducted against the Active Directory structure. An attacker can use the data obtained to form an attack vector and escalate privileges
active_directory_attacks: PT-CR-2550: LDAP_Discovery: A user executed a suspicious LDAP request that may indicate reconnaissance in the domain
hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-2017: SharpHound_LDAP_Requests: Launch of the SharpHound (BloodHound) tool using one of the collection methods ObjectProps, ACL, Trusts or Container is detected. ObjectProps collects object properties such as LastLogon or PwdLastSet; ACL collects abusable permissions on Active Directory objects; Trusts collects domain trusts; Container collects the OU tree structure and Group Policy links
hacking_tools: PT-CR-1978: SharpHound_Sysvol_Access: The SharpHound (BloodHound) utility used to collect information about Active Directory objects was started using one of the following collection methods: DCOnly, LocalGroup (--Stealth), ComputerOnly (--Stealth), RDP (--Stealth), DCOM (--Stealth), GPOLocalGroup, LocalAdmin (--Stealth)
hacking_tools: PT-CR-2118: AdPEAS_Usage: The adPEAS script for domain reconnaissance was started
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information.

ID: DS0012
Data source and component: Script: Script Execution
Description:

Any attempt to enable script execution on a system would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description:

Monitor and analyze traffic patterns and perform packet inspection for LDAP and MSRPC traffic that does not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure).

ID: DS0009
Data source and component: Process: OS API Execution
Description:

Monitor for API calls associated with gathering information on domain trust relationships that may be used to identify lateral movement opportunities, such as the DSEnumerateDomainTrusts() Win32 API call, to spot activity associated with Domain Trust Discovery. Information may also be acquired through Windows system management tools such as PowerShell. The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery.
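The following Python sketch is an added example, not part of this page or of the MaxPatrol SIEM rules: it applies the command-line indicators named in the Command Execution and OS API Execution entries above (nltest /domain_trusts, GetAllTrustRelationships(), DSEnumerateDomainTrusts()) to constructed process-creation records and then counts distinct trust-discovery indicators per host, as a mass-reconnaissance threshold rule would. The sample events, the rule names and the dsquery trustedDomain filter are assumptions; real telemetry would come from Windows Security event 4688 or Sysmon Event ID 1.

```python
import re

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /domain_trusts /all_trusts"},
    {"host": "ws01", "user": "jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dsgetdc:corp.example"},          # benign nltest use, should not fire
    {"host": "ws02", "user": "svc_build",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "([System.DirectoryServices.ActiveDirectory.Domain]'
                '::GetCurrentDomain()).GetAllTrustRelationships()"'},
    {"host": "ws03", "user": "admin1", "image": r"C:\Windows\System32\dsquery.exe",
     "cmdline": "dsquery * -filter (objectClass=trustedDomain)"},
    {"host": "ws04", "user": "jdoe", "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all"},                         # unrelated, should not fire
]

# Rule name -> command-line pattern. Names are illustrative, not PT-CR identifiers.
RULES = [
    ("nltest_domain_trusts",
     re.compile(r"\bnltest(\.exe)?\b.*?/(domain_trusts|trusted_domains)", re.I)),
    ("dotnet_GetAllTrustRelationships",
     re.compile(r"GetAllTrustRelationships|GetTrustRelationship\b", re.I)),
    ("ldap_trustedDomain_filter",
     re.compile(r"objectClass\s*=\s*trustedDomain", re.I)),
    ("win32_DsEnumerateDomainTrusts",
     re.compile(r"DsEnumerateDomainTrusts", re.I)),
]


def classify(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, pat in RULES if pat.search(event["cmdline"])]


def detect(events):
    """Return one hit record per (rule, event) match, carrying host/user context for triage."""
    return [{"rule": rule, "host": ev["host"], "user": ev["user"], "cmdline": ev["cmdline"]}
            for ev in events for rule in classify(ev)]


def recon_count_by_host(hits):
    """Count distinct trust-discovery rules fired per host; feed a threshold on this
    for a 'large number of reconnaissance actions on a host' style alert."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["rule"])
    return {host: len(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['rule']:34} {hit['host']} {hit['user']}: {hit['cmdline']}")
    print(recon_count_by_host(detect(SAMPLE_EVENTS)))
```

Three of the five constructed events fire, while the benign nltest /dsgetdc and ipconfig invocations do not; in production, baseline administrative hosts and service accounts that legitimately enumerate trusts before alerting on every hit.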

Mitigation

ID: M1047
Name: Audit
Description:

Map the trusts within existing domains/forests and keep trust relationships to a minimum.

ID: M1030
Name: Network Segmentation
Description:

Employ network segmentation for sensitive domains.