T1482 Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.01 Network segmentation Mitigates T1482 Domain Trust Discovery
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation for sensitive domains can help prevent adversary exploitation of domain trust relationships.
References

    NIST 800-53 Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    CM-06 Configuration Settings mitigates T1482 Domain Trust Discovery
    SA-17 Developer Security and Privacy Architecture and Design mitigates T1482 Domain Trust Discovery
    RA-05 Vulnerability Monitoring and Scanning mitigates T1482 Domain Trust Discovery
    SC-46 Cross Domain Policy Enforcement mitigates T1482 Domain Trust Discovery
    CM-02 Baseline Configuration mitigates T1482 Domain Trust Discovery
    SA-08 Security and Privacy Engineering Principles mitigates T1482 Domain Trust Discovery
    CM-07 Least Functionality mitigates T1482 Domain Trust Discovery
    AC-04 Information Flow Enforcement mitigates T1482 Domain Trust Discovery
    SC-07 Boundary Protection mitigates T1482 Domain Trust Discovery

    Known Exploited Vulnerabilities Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    CVE-2023-22952 Multiple SugarCRM Products Remote Code Execution Vulnerability secondary_impact T1482 Domain Trust Discovery
    Comments
    This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated attacker via a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation. This vulnerability has been exploited by threat actors to gain initial access to AWS accounts by injecting custom PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations to expand their access, obtaining long-term AWS access keys from compromised EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations and Cost and Usage services. The attackers moved laterally by creating RDS snapshots and new EC2 instances, modifying security groups, and attempting to escalate privileges by logging in as the Root user. They also employed defense evasion techniques, including deploying resources in non-standard regions and intermittently stopping EC2 instances to avoid detection and minimize costs. The exploit in question is actively being used to compromise hosts by installing a PHP-based web shell. It involves an authentication bypass against the "/index.php" endpoint of the targeted service. Once bypassed, the attacker obtains a cookie and sends a secondary POST request to "/cache/images/sweet.phar" to upload a small PNG-encoded file containing PHP code. This file acts as a web shell, allowing the execution of commands specified in the base64-encoded query argument "c". For example, a request like 'POST /cache/images/sweet.phar?c="L2Jpbi9pZA=="' would execute the command "/bin/id" with the same permissions as the web service's user.
    References
    CVE-2022-41082 Microsoft Exchange Server Remote Code Execution Vulnerability secondary_impact T1482 Domain Trust Discovery
    Comments
    This vulnerability is exploited by a remote adversary who has either authenticated to a Microsoft Exchange Server or has gained access to PowerShell prior to leveraging this vulnerability. The adversary then performs remote code execution via PowerShell to install a Chopper web shell to perform Active Directory reconnaissance and data exfiltration.
    References

    VERIS Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    action.malware.variety.Scan network Enumerating the state of the network related-to T1482 Domain Trust Discovery

    Azure Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    microsoft_sentinel Microsoft Sentinel technique_scores T1482 Domain Trust Discovery
    Comments
    The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate domain trusts, but does not address other procedures.
    References
    azure_network_security_groups Azure Network Security Groups technique_scores T1482 Domain Trust Discovery
    defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1482 Domain Trust Discovery
    Comments
    This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-NetDomainTrust and Get-NetForestTrust modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
    References

    AWS Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1482 Domain Trust Discovery
    Comments
    VPC security groups and network access control lists (NACLs) can be used to isolate sensitive domains to limit discovery.
    References

    M365 Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    DEF-ID-E5 Microsoft Defender for Identity Technique Scores T1482 Domain Trust Discovery
    Comments
    This control's "Active Directory attributes reconnaissance (LDAP) (external ID 2210)" alert may be able to detect this operation. There are statements in the documentation for the alert, such as: "Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...", that may indicate support for detecting this technique. The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned.
    References