1. Home
  2. ATT&CK Techniques
  3. T1482 Domain Trust Discovery

T1482 Domain Trust Discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.01 Network segmentation Mitigates T1482 Domain Trust Discovery
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation for sensitive domains can help prevent adversary exploitation of domain trust relationships.
References

    NIST 800-53 Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    CM-06 Configuration Settings mitigates T1482 Domain Trust Discovery
    SA-17 Developer Security and Privacy Architecture and Design mitigates T1482 Domain Trust Discovery
    RA-05 Vulnerability Monitoring and Scanning mitigates T1482 Domain Trust Discovery
    SC-46 Cross Domain Policy Enforcement mitigates T1482 Domain Trust Discovery
    CM-02 Baseline Configuration mitigates T1482 Domain Trust Discovery
    SA-08 Security and Privacy Engineering Principles mitigates T1482 Domain Trust Discovery
    CM-07 Least Functionality mitigates T1482 Domain Trust Discovery
    AC-04 Information Flow Enforcement mitigates T1482 Domain Trust Discovery
    SC-07 Boundary Protection mitigates T1482 Domain Trust Discovery

    VERIS Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    action.malware.variety.Scan network Enumerating the state of the network related-to T1482 Domain Trust Discovery

    Azure Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    microsoft_sentinel Microsoft Sentinel technique_scores T1482 Domain Trust Discovery
    Comments
    The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate domain trusts, but does not address other procedures.
    References
    1. https://learn.microsoft.com/en-us/azure/sentinel/overview
    2. https://learn.microsoft.com/en-us/azure/sentinel/hunting
    azure_network_security_groups Azure Network Security Groups technique_scores T1482 Domain Trust Discovery
    Comments
    This control can be used to isolate sensitive domains to limit discovery.
    References
    1. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
    2. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
    3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
    defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1482 Domain Trust Discovery
    Comments
    This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-NetDomainTrust and Get-NetForestTrust modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
    References
    1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference
    2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction
    3. https://azure.microsoft.com/en-us/services/app-service/
    4. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers

    AWS Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1482 Domain Trust Discovery
    Comments
    VPC security groups and network access control lists (NACLs) can be used to isolate sensitive domains to limit discovery.
    References
    1. https://docs.aws.amazon.com/vpc/latest/userguide/security.html

    M365 Mappings

    Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
    DEF-ID-E5 Microsoft Defender for Identity Technique Scores T1482 Domain Trust Discovery
    Comments
    This control's "Active Directory attributes reconnaissance (LDAP) (external ID 2210)" alert may be able to detect this operation. There are statements in the documentation for the alert, such as: "Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...", that may indicate support for detecting this technique. The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned.
    References
    1. https://learn.microsoft.com/en-us/defender-for-identity/what-is