T1482 Domain Trust Discovery Mappings

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
AC-4 | Information Flow Enforcement | Protects | T1482 | Domain Trust Discovery |
CA-8 | Penetration Testing | Protects | T1482 | Domain Trust Discovery |
CM-6 | Configuration Settings | Protects | T1482 | Domain Trust Discovery |
CM-7 | Least Functionality | Protects | T1482 | Domain Trust Discovery |
PL-8 | Security and Privacy Architectures | Protects | T1482 | Domain Trust Discovery |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1482 | Domain Trust Discovery |
SA-17 | Developer Security and Privacy Architecture and Design | Protects | T1482 | Domain Trust Discovery |
SA-8 | Security and Privacy Engineering Principles | Protects | T1482 | Domain Trust Discovery |
SC-46 | Cross Domain Policy Enforcement | Protects | T1482 | Domain Trust Discovery |
SC-7 | Boundary Protection | Protects | T1482 | Domain Trust Discovery |
network_security_groups | Network Security Groups | technique_scores | T1482 | Domain Trust Discovery |
azure_sentinel | Azure Sentinel | technique_scores | T1482 | Domain Trust Discovery | see comments
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1482 | Domain Trust Discovery | see comments
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1482 | Domain Trust Discovery | see comments

Comments (azure_sentinel)
The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can enumerate domain trusts, but does not address other procedures.

Comments (microsoft_defender_for_identity)
This control's "Active Directory attributes reconnaissance (LDAP) (external ID 2210)" alert may be able to detect this operation. There are statements in the documentation for the alert, such as: "Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...", that may indicate support for detecting this technique. The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned.

Comments (azure_defender_for_app_service)
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Get-NetDomainTrust and Get-NetForestTrust cmdlets, but does not address other procedures, and the temporal factor is unknown, resulting in a Minimal score.
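The two Azure detections above both key on command-line indicators (Empire cmdlets, PowerView's Get-NetDomainTrust/Get-NetForestTrust), and the technique description names Nltest as the utility adversaries use. The following added example (written for this page, not code from MITRE, Microsoft or any of the mapped controls) shows what such a command-line detection looks like when run over process-creation events, including the common evasion the Sentinel and App Service queries would miss if they only match plaintext: a trust enumeration cmdlet hidden behind PowerShell -EncodedCommand. The events are constructed samples shaped like Windows Security 4688 / Sysmon Event ID 1 fields, not real telemetry. The indicators for nltest and the PowerView cmdlets come from the page; the dsquery (objectClass=trustedDomain) filter, the .NET GetAllTrustRelationships name and the Invoke-MapDomainTrust/Get-DomainTrustMapping cmdlets are my own assumed additions. Note the caveat the Defender for Identity row makes explicit: enumeration done through the .NET or LDAP APIs from a custom tool leaves no command-line indicator at all, so a query like this only addresses the procedures that surface in a command line.

```python
"""Command-line detection for T1482 Domain Trust Discovery indicators.

Added example for this mappings page; not the code of any mapped control.
Events below are constructed samples, not real telemetry.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    evidence: str


# (rule name, regex). The first two cover the procedures named on the page
# (Nltest, PowerView/Empire trust cmdlets); the remaining three are assumed
# additions a defender would reasonably include.
INDICATORS = [
    ("nltest_domain_trusts",
     re.compile(r"\bnltest(?:\.exe)?\b.*?/(?:domain_trusts|trusted_domains)", re.I)),
    ("powerview_trust_cmdlet",
     re.compile(r"\bGet-(?:Net)?(?:Domain|Forest)Trust\b", re.I)),
    ("powerview_trust_mapping",
     re.compile(r"\b(?:Invoke-MapDomainTrust|Get-DomainTrustMapping)\b", re.I)),
    ("dotnet_trust_api", re.compile(r"GetAllTrustRelationships", re.I)),
    ("ldap_trusteddomain_filter", re.compile(r"objectClass=trustedDomain", re.I)),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the
# payload is base64 of a UTF-16LE script.
_ENCODED = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\b\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_command_line(cmd: str) -> str:
    """Return cmd with any -EncodedCommand payload decoded and appended, so
    indicators inside an encoded script are still matched. Payloads that are
    not valid base64 or not valid UTF-16LE are left alone (edge case)."""
    out = cmd
    for m in _ENCODED.finditer(cmd):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
        out += "\n" + decoded
    return out


def detect(events):
    """Run every indicator over each (expanded) command line; one Finding per hit."""
    findings = []
    for ev in events:
        text = expand_command_line(ev.command_line)
        for rule, rx in INDICATORS:
            m = rx.search(text)
            if m:
                findings.append(Finding(ev.host, ev.user, rule, m.group(0)))
    return findings


# Constructed sample events (hostnames, users and paths are made up).
_ENCODED_PAYLOAD = base64.b64encode(
    "Get-NetDomainTrust -Domain corp.example".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\nltest.exe",
                 r"C:\Windows\System32\nltest.exe /domain_trusts /all_trusts"),
    ProcessEvent("WS01", "CORP\\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -NoP -W Hidden -enc {_ENCODED_PAYLOAD}"),
    ProcessEvent("WS02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcessEvent("DC01", "CORP\\admin", r"C:\Windows\System32\dsquery.exe",
                 'dsquery * -filter "(objectClass=trustedDomain)" -attr name trustDirection'),
    ProcessEvent("WS03", "CORP\\asmith", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host} {f.user} {f.rule}: {f.evidence}")
```

Running it flags the nltest, encoded PowerView and dsquery events and stays quiet on the svchost and plain-script PowerShell events. In a real deployment the base64 decoding step is the part worth keeping: the Sentinel and App Service queries referenced above match cmdlet names, and an encoded command line defeats a plaintext match unless the query decodes first.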