Domain Trust Discovery
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[1] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.[2][3] Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[3] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.[4]
Procedure Examples
Name | Description |
---|---|
dsquery | dsquery can be used to gather information on domain trusts with |
Empire | |
Nltest | Nltest may be used to enumerate trusted domains by using commands such as |
PoshC2 | |
PowerSploit | PowerSploit has modules such as |
TrickBot | TrickBot can gather information about domain trusts by utilizing Nltest.[6] |
Wizard Spider | Wizard Spider has used |
Mitigations
Mitigation | Description |
---|---|
Audit | Map the trusts within existing domains/forests and keep trust relationships to a minimum. |
Network Segmentation | Employ network segmentation for sensitive domains.[3] |
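The Audit mitigation asks for a map of existing trusts so that unnecessary ones can be removed. The following is an added example (not ATT&CK's own tooling) of the review step: it takes trustedDomain objects already exported from the directory, here a constructed list of dicts (the export itself is assumed), decodes trustDirection and the trustAttributes flag bits as defined in MS-ADTS, and attaches review notes, including whether an outbound or two-way trust lacks SID filtering, which is the exposure behind the SID-History Injection the technique description mentions.

```python
"""Trust-map audit helper for the Audit mitigation.

Added example, not ATT&CK's code. It takes trustedDomain objects already
exported from the directory (here a constructed list of dicts; the export
step itself is assumed) and summarises each trust by direction and attribute
flags, flagging the ones an administrator should review first. Attribute
meanings follow the MS-ADTS definitions of trustDirection and trustAttributes.
"""

# trustDirection values, as seen from the domain that holds the object
DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustAttributes flag bits used here (subset of the MS-ADTS definitions)
ATTR_FLAGS = {
    0x01: "NON_TRANSITIVE",
    0x04: "QUARANTINED_DOMAIN",  # SID filtering enabled on this trust
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",  # selective authentication
    0x20: "WITHIN_FOREST",
}


def describe_trust(obj):
    """Summarise one trustedDomain object and attach review notes."""
    direction = DIRECTION.get(int(obj["trustDirection"]), "unknown")
    attrs = int(obj["trustAttributes"])
    flags = [name for bit, name in sorted(ATTR_FLAGS.items()) if attrs & bit]
    within_forest = "WITHIN_FOREST" in flags
    sid_filtering = "QUARANTINED_DOMAIN" in flags

    notes = []
    # An outbound or two-way trust lets the remote domain's users reach
    # resources here; without SID filtering, SID history from that domain is
    # honoured, which is the exposure behind SID-History Injection.
    if direction in ("outbound", "bidirectional") and not within_forest and not sid_filtering:
        notes.append("remote users can authenticate here and SID filtering is off")
    if direction == "bidirectional":
        notes.append("two-way trust: confirm both directions are still required")
    if "FOREST_TRANSITIVE" in flags:
        notes.append("forest trust: access extends to every domain in the remote forest")
    if direction == "disabled":
        notes.append("disabled trust still defined: review whether it can be removed")

    return {
        "direction": direction,
        "flags": flags,
        "sid_filtering": sid_filtering,
        "notes": notes,
    }


def audit_trusts(objects):
    """Return {trust name: summary} for a list of exported trustedDomain objects."""
    return {obj["name"]: describe_trust(obj) for obj in objects}


# Constructed sample export (not from any real directory).
SAMPLE_TRUSTS = [
    {"name": "child.corp.example", "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "partner.example", "trustDirection": 3, "trustAttributes": 0x04},
    {"name": "legacy.example", "trustDirection": 2, "trustAttributes": 0x00},
    {"name": "forest2.example", "trustDirection": 1, "trustAttributes": 0x08},
]


if __name__ == "__main__":
    for name, info in audit_trusts(SAMPLE_TRUSTS).items():
        print(f"{name}: {info['direction']} {info['flags']}")
        for note in info["notes"]:
            print("  -", note)
```

On the constructed sample, only legacy.example (outbound, no attributes set) gets the SID-filtering note; partner.example is two-way but quarantined, and forest2.example is inbound only, so remote users cannot authenticate here regardless of filtering.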
Detection
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information, such as nltest /domain_trusts. Remote access tools with built-in features may interact directly with the Windows API to gather information. Look for the DSEnumerateDomainTrusts() Win32 API call to spot activity associated with Domain Trust Discovery.[3] Information may also be acquired through Windows system management tools such as PowerShell. The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery.[12]
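The technique description lists the enumeration methods (nltest, the DSEnumerateDomainTrusts() call, the .NET method) and the Detection section says to watch for them as part of a chain rather than in isolation. The following is an added example, not ATT&CK's or any vendor's code, of that detection logic: it matches the three indicators named on this page against constructed telemetry records (the dict schema is assumed, not a real product's event format) and then rates each host by how many distinct indicators fired inside a time window.

```python
"""Detection logic for Domain Trust Discovery indicators.

Added example, not ATT&CK's or any vendor's code. It runs over constructed
telemetry records (an assumed schema of dicts) for the three indicators the
Detection section names: nltest /domain_trusts on a command line, the
DsEnumerateDomainTrusts Win32 call and the .NET GetAllTrustRelationships
method, then correlates hits per host so one event is not judged in isolation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nltest or nltest.exe (any path) followed somewhere by the /domain_trusts switch
NLTEST_TRUSTS = re.compile(r"\bnltest(\.exe)?\b.*\s/domain_trusts\b", re.IGNORECASE)

# API / method names from the Detection section; matched case-insensitively
API_INDICATORS = ("DsEnumerateDomainTrusts", "GetAllTrustRelationships")


def classify(event):
    """Return the indicator name an event matches, or None.

    Assumed record schema (constructed for this example):
      process events: {"type": "process", "host", "time", "cmdline"}
      api events:     {"type": "api", "host", "time", "api"}
    """
    if event["type"] == "process":
        if NLTEST_TRUSTS.search(event.get("cmdline", "")):
            return "nltest_domain_trusts"
        return None
    if event["type"] == "api":
        name = event.get("api", "").rstrip("()").lower()
        for indicator in API_INDICATORS:
            if name == indicator.lower():
                return indicator
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Group indicator hits per host.

    A host where two or more distinct indicators fire inside `window` is
    rated "high"; a single indicator is rated "low" so the analyst still sees
    it as one link in a possible chain of discovery behaviour.
    """
    per_host = defaultdict(list)
    for ev in events:
        indicator = classify(ev)
        if indicator:
            per_host[ev["host"]].append((ev["time"], indicator))

    report = {}
    for host, hits in per_host.items():
        hits.sort()
        severity = "low"
        for i, (start, _) in enumerate(hits):
            in_window = {ind for t, ind in hits[i:] if t - start <= window}
            if len(in_window) >= 2:
                severity = "high"
                break
        report[host] = {
            "indicators": sorted({ind for _, ind in hits}),
            "severity": severity,
        }
    return report


# Constructed sample telemetry (not real logs).
T0 = datetime(2020, 5, 12, 9, 0, 0)
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "time": T0,
     "cmdline": "C:\\Windows\\System32\\nltest.exe /domain_trusts /all_trusts"},
    {"type": "api", "host": "WS01", "time": T0 + timedelta(minutes=2),
     "api": "DSEnumerateDomainTrusts()"},
    # benign nltest use: locating a DC, not enumerating trusts
    {"type": "process", "host": "WS02", "time": T0 + timedelta(minutes=5),
     "cmdline": "nltest /dsgetdc:corp.example"},
    {"type": "api", "host": "WS03", "time": T0 + timedelta(minutes=40),
     "api": "GetAllTrustRelationships"},
]


def run_sample():
    """Correlate the constructed sample; WS01 is high, WS03 low, WS02 absent."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, info in run_sample().items():
        print(host, info["severity"], ", ".join(info["indicators"]))
```

The nltest match is deliberately narrow (the /domain_trusts switch, not nltest as a whole) because administrators run nltest for unrelated tasks such as locating a domain controller; the API names are compared case-insensitively since the page spells the Win32 call DSEnumerateDomainTrusts() while telemetry may carry it as DsEnumerateDomainTrusts.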
References
- Microsoft. (2009, October 7). Trust Technologies. Retrieved February 14, 2019.
- Metcalf, S. (2015, July 15). It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts. Retrieved February 14, 2019.
- Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.
- Florio, E. (2017, May 4). Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack. Retrieved February 14, 2019.
- ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.
- Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019.