title: Recon Activity with NLTEST
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021/07/24
description: Detects nltest commands that can be used for information discovery
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\nltest.exe'
  SELECTION_3:
    CommandLine: '*/server*'
  SELECTION_4:
    CommandLine: '*/query*'
  SELECTION_5:
    CommandLine:
    - '*/dclist:*'
    - '*/parentdomain*'
    - '*/domain_trusts*'
    - '*/trusted_domains*'
    - '*/user*'
  condition: (SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4) or SELECTION_5))
falsepositives:
- Legitimate administration use but user must be check out
fields:
- Image
- User
- CommandLine
- ParentCommandLine
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
level: medium
logsource:
  category: process_creation
  product: windows
modified: 2021/08/19
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://attack.mitre.org/techniques/T1482/
- https://attack.mitre.org/techniques/T1016/
- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
status: experimental
tags:
- attack.discovery
- attack.t1016
- attack.t1482
ruletype: SIGMA