Analytics Story: Domain Trust Discovery

Date: 2021-03-25 ID: e6f30f14-8daf-11eb-a017-acde48001122 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

Why it matters

Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
DSQuery Domain Discovery	Domain Trust Discovery	TTP
NLTest Domain Trust Discovery	Domain Trust Discovery	TTP
Windows AdFind Exe	Remote System Discovery	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

https://attack.mitre.org/techniques/T1482/

Source: GitHub | Version: 1