Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts()
Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-4 | Information Flow Enforcement | Protects | T1482 | Domain Trust Discovery |
CA-8 | Penetration Testing | Protects | T1482 | Domain Trust Discovery |
CM-6 | Configuration Settings | Protects | T1482 | Domain Trust Discovery |
CM-7 | Least Functionality | Protects | T1482 | Domain Trust Discovery |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1482 | Domain Trust Discovery |
SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1482 | Domain Trust Discovery |
SA-8 | Security and Privacy Engineering Principles | Protects | T1482 | Domain Trust Discovery |
SC-46 | Cross Domain Policy Enforcement | Protects | T1482 | Domain Trust Discovery |
SC-7 | Boundary Protection | Protects | T1482 | Domain Trust Discovery |