Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

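
One way to turn the Nltest observation above into a detection over process-creation telemetry, as an added example that is not part of the original page. The event field names follow Sysmon Event ID 1 records, the function names are hypothetical, and the sample events are constructed.

```python
import re

# nltest.exe switches that list trust relationships.
TRUST_SWITCH = re.compile(
    r"(?<!\S)/(domain_trusts|trusted_domains|all_trusts)\b", re.I)
# Name on disk, plus the OriginalFileName carried in the binary's version
# resource, which still identifies the tool after the file is renamed.
NLTEST_NAMES = {"nltest.exe", "nltestrk.exe"}

def is_nltest(event):
    """True if the image name or the PE OriginalFileName identifies Nltest."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    return image in NLTEST_NAMES or original in NLTEST_NAMES

def trust_enumeration_hits(events):
    """Return one finding per Nltest process that used a trust-listing switch."""
    hits = []
    for ev in events:
        if not is_nltest(ev):
            continue
        cmdline = ev.get("CommandLine", "")
        found = {s.lower() for s in TRUST_SWITCH.findall(cmdline)}
        if found:
            hits.append({"host": ev.get("Computer"), "user": ev.get("User"),
                         "image": ev.get("Image"), "switches": sorted(found)})
    return hits

# Constructed sample events, not taken from any real environment.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\nltest.exe",
     "OriginalFileName": "nltestrk.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"Computer": "WS02", "User": "CORP\\bob",          # renamed copy
     "Image": r"C:\Users\Public\n.exe",
     "OriginalFileName": "nltestrk.exe",
     "CommandLine": "n.exe /DOMAIN_TRUSTS"},
    {"Computer": "WS03", "User": "CORP\\carol",        # DC lookup, no trust switch
     "Image": r"C:\Windows\System32\nltest.exe",
     "OriginalFileName": "nltestrk.exe",
     "CommandLine": "nltest /dsgetdc:corp.example"},
    {"Computer": "WS04", "User": "CORP\\dave",         # not Nltest at all
     "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo /domain_trusts"},
]

if __name__ == "__main__":
    for hit in trust_enumeration_hits(SAMPLE_EVENTS):
        print(hit)
```

This covers only the Nltest path; enumeration through the Win32 API, .NET or LDAP named above does not create an Nltest process and needs other telemetry.
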
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.IR-01.01 | Network segmentation | Mitigates | T1482 | Domain Trust Discovery | This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation for sensitive domains can help prevent adversary exploitation of domain trust relationships. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1482 | Domain Trust Discovery | |
SA-17 | Developer Security and Privacy Architecture and Design | mitigates | T1482 | Domain Trust Discovery | |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1482 | Domain Trust Discovery | |
SC-46 | Cross Domain Policy Enforcement | mitigates | T1482 | Domain Trust Discovery | |
CM-02 | Baseline Configuration | mitigates | T1482 | Domain Trust Discovery | |
SA-08 | Security and Privacy Engineering Principles | mitigates | T1482 | Domain Trust Discovery | |
CM-07 | Least Functionality | mitigates | T1482 | Domain Trust Discovery | |
AC-04 | Information Flow Enforcement | mitigates | T1482 | Domain Trust Discovery | |
SC-07 | Boundary Protection | mitigates | T1482 | Domain Trust Discovery | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1482 | Domain Trust Discovery | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1482 | Domain Trust Discovery | VPC security groups and network access control lists (NACLs) can be used to isolate sensitive domains to limit discovery. |