Detections
Analytics
Domain Trust Discovery
Description
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[3] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Identity Exposure | Active Directory | Authenticated AD user | LDAP | Trust | Plugin ID: 4-C-DANGEROUS-TRUST-RELATIONSHIP:R-DANGEROUS-TRUST-RELATIONSHIP |
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Discovery
Technique: Domain Trust Discovery
Sub-Technique: Domain Trust Discovery
Platform: Windows
Products Required: Tenable Identity Exposure
Tenable Release Date: 2022 Q2