Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-4 | Information Flow Enforcement | Protects | T1482 | Domain Trust Discovery |
CA-8 | Penetration Testing | Protects | T1482 | Domain Trust Discovery |
CM-6 | Configuration Settings | Protects | T1482 | Domain Trust Discovery |
CM-7 | Least Functionality | Protects | T1482 | Domain Trust Discovery |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1482 | Domain Trust Discovery |
SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1482 | Domain Trust Discovery |
SA-8 | Security and Privacy Engineering Principles | Protects | T1482 | Domain Trust Discovery |
SC-46 | Cross Domain Policy Enforcement | Protects | T1482 | Domain Trust Discovery |
SC-7 | Boundary Protection | Protects | T1482 | Domain Trust Discovery |
action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1482 | Domain Trust Discovery |
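
For defenders, the enumeration routes named in the description (Nltest, .NET methods, LDAP) can be watched for in process-creation telemetry. The following is an added example, not part of the mapping data: the event records, field names, host and account names, and the choice of patterns are constructed assumptions.

```python
import re

# Strings tied to the enumeration routes the description names. The Nltest
# switches, the .NET method name and the LDAP object class are real; treating
# them as detection patterns is this example's assumption.
TRUST_PATTERNS = {
    "nltest": re.compile(
        r"\bnltest(\.exe)?\b.*?/(domain_trusts|all_trusts|trusted_domains)\b", re.I),
    "dotnet": re.compile(r"GetAllTrustRelationships\s*\(", re.I),
    "ldap": re.compile(r"objectClass\s*=\s*trustedDomain", re.I),
}

# Constructed process-creation events (hypothetical field names).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": r"CORP\alice",
     "cmd": "nltest /domain_trusts /all_trusts"},
    {"host": "WS01", "user": r"CORP\alice",
     "cmd": 'powershell -c "[System.DirectoryServices.ActiveDirectory.Domain]'
            '::GetCurrentDomain().GetAllTrustRelationships()"'},
    # Nltest used for DC location only: must not be flagged.
    {"host": "DC01", "user": r"CORP\svc_backup",
     "cmd": r"C:\Windows\System32\nltest.exe /dsgetdc:corp.example"},
    {"host": "WS07", "user": r"CORP\bob",
     "cmd": 'dsquery * -filter "(objectClass=trustedDomain)" -attr name'},
    {"host": "WS02", "user": r"CORP\carol", "cmd": "ping dc01"},
]

def find_trust_discovery(events):
    """Return one hit per event whose command line matches a trust pattern."""
    hits = []
    for ev in events:
        for method, pattern in TRUST_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "method": method, "cmd": ev["cmd"]})
                break  # one hit per event is enough
    return hits

def by_account(hits):
    """Group hits per (host, user); several methods from one account is a stronger signal."""
    grouped = {}
    for h in hits:
        grouped.setdefault((h["host"], h["user"]), set()).add(h["method"])
    return {key: sorted(methods) for key, methods in grouped.items()}

if __name__ == "__main__":
    for account, methods in by_account(find_trust_discovery(SAMPLE_EVENTS)).items():
        print(account, methods)
```

Command-line matching only covers tools that expose their arguments; direct calls to DSEnumerateDomainTrusts() or raw LDAP queries need API or directory-service telemetry instead.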