52 lines
1.6 KiB
YAML
52 lines
1.6 KiB
YAML
|
|
title: Domain Trust Discovery
|
|
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community,
|
|
omkar72
|
|
date: 2019/10/24
|
|
description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery.
|
|
This technique is used by attackers to enumerate Active Directory trusts.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
Image: '*\nltest.exe'
|
|
SELECTION_3:
|
|
CommandLine:
|
|
- '*domain_trusts*'
|
|
- '*all_trusts*'
|
|
- '*/trusted_domains*'
|
|
- '*/dclist*'
|
|
SELECTION_4:
|
|
Image: '*\dsquery.exe'
|
|
SELECTION_5:
|
|
CommandLine: '*trustedDomain*'
|
|
SELECTION_6:
|
|
Image: '*\dsquery.exe'
|
|
SELECTION_7:
|
|
CommandLine: '*-filter*'
|
|
SELECTION_8:
|
|
CommandLine: '*trustedDomain*'
|
|
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
|
|
or (SELECTION_6 and SELECTION_7 and SELECTION_8)))
|
|
falsepositives:
|
|
- Legitimate use of the utilities by legitimate user for legitimate reason
|
|
id: 3bad990e-4848-4a78-9530-b427d854aac0
|
|
level: medium
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
modified: 2021/07/09
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
|
|
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
|
|
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
|
|
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
|
|
- https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
|
|
related:
|
|
- id: 77815820-246c-47b8-9741-e0def3f57308
|
|
type: obsoletes
|
|
status: experimental
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1482
|