Trust Modification

Information

• Name: Trust Modification

• ID: T1484.002

• Tactics: TA0005, TA0004

• Technique: T1484

Introduction

Trust Modification [T1484.002] is a sub-technique within the MITRE ATT&CK framework under the broader technique of Domain Policy Modification (T1484). This sub-technique specifically involves adversaries altering trust relationships between domains and systems within Active Directory (AD) environments. By modifying existing trust configurations or creating new unauthorized trust relationships, attackers can escalate privileges, move laterally, and maintain persistent access across multiple domains or forests within an organization's infrastructure.

Deep Dive Into Technique

Trust Modification involves manipulating the trust relationships defined in Active Directory environments. Trusts are established between domains or forests to allow users in one domain to access resources in another. Attackers target these relationships to expand their access and privileges.

Common methods include:

• Modifying Existing Trust Relationships:

  • Attackers with administrative privileges can alter the trust direction (one-way or two-way), type (transitive or non-transitive), or authentication mechanisms (Kerberos or NTLM).

  • Executing commands such as netdom trust or using PowerShell cmdlets, attackers can adjust trust settings to facilitate lateral movement.

• Creating Unauthorized Trust Relationships:

  • Attackers may establish new trust relationships between compromised domains and attacker-controlled domains, providing seamless access to resources.

  • Using built-in Windows tools (netdom, Active Directory Domains and Trusts MMC snap-in) or PowerShell (New-ADTrust), adversaries can silently create new trust relationships.

Technical mechanisms involved:

• Kerberos Delegation Abuse: Attackers may exploit Kerberos delegation settings to escalate privileges across trusted domains.

• SID Filtering Manipulation: By disabling SID filtering protections, attackers can impersonate privileged users across trust boundaries.

• Forest Trust Exploitation: Attackers leverage forest-level trusts to pivot between entire AD forests, significantly expanding their attack surface.

Real-world procedures typically involve:

• Gaining initial administrative access through credential theft or privilege escalation.

• Enumerating existing trust relationships using commands such as:

  Copy

  Get-ADTrust -Filter *
  nltest /domain_trusts

• Modifying or establishing new trust relationships silently to maintain persistent access and lateral movement capability.

When this Technique is Usually Used

Trust Modification typically occurs during:

• Privilege Escalation: Attackers leverage trust relationships to escalate privileges from a lower-privileged domain to a higher-privileged domain.

• Lateral Movement: Attackers use modified or newly created trusts to move laterally between domains or forests within an enterprise.

• Persistence: Adversaries establish persistent access by creating hidden trust relationships, allowing continuous re-entry even after initial compromise remediation.

• Credential Access and Resource Access: By exploiting trust relationships, attackers gain access to sensitive resources, credentials, and critical systems in trusted domains.

Attack scenarios include:

• Advanced Persistent Threat (APT) groups targeting large enterprises or government networks.

• Internal threat actors seeking to maintain long-term access across segmented or multi-forest environments.

• Ransomware operators seeking to spread rapidly across enterprise networks by exploiting trust relationships.

How this Technique is Usually Detected

Detection methods and tools commonly used include:

• Monitoring Active Directory Events:

  • Windows Security Event Logs (Event IDs 4706 and 4707 indicate trust relationship creation or modification).

  • Regular auditing of AD trust relationships via built-in tools or scripts:

    Copy

    Get-ADTrust -Filter * | Select-Object Name, TrustType, TrustDirection, Created

• SIEM and Analytics Solutions:

  • Centralized logging and correlation via Security Information and Event Management (SIEM) solutions (Splunk, QRadar, Elastic Security).

  • Alerting on anomalous trust relationship creation or modification activities.

• Endpoint Detection and Response (EDR) Tools:

  • Detection of suspicious processes (netdom.exe, PowerShell scripts) executed by unusual accounts or at abnormal times.

• Behavioral Analytics:

  • Identifying abnormal lateral movement patterns across domain boundaries.

  • Detecting unusual authentication events or privilege escalation attempts related to modified trust relationships.

Indicators of Compromise (IoCs):

• Unrecognized or newly created trust relationships in Active Directory.

• Unexpected changes in trust configurations (direction, type, SID filtering).

• Suspicious execution of trust management tools (netdom.exe, PowerShell cmdlets) from non-administrative or unexpected accounts.

• Anomalous authentication and access patterns across domain boundaries.

Why it is Important to Detect This Technique

Detecting Trust Modification is critical due to the severe impacts it can have on enterprise security:

• Privilege Escalation and Unauthorized Access: Attackers can escalate privileges across domains, accessing sensitive resources, critical systems, and confidential data.

• Lateral Movement: Compromised trust relationships significantly facilitate lateral movement, enabling attackers to quickly spread throughout an organization's infrastructure.

• Persistence: Unauthorized trust relationships allow attackers to maintain persistent and hidden access, complicating incident response and remediation efforts.

• Data Exfiltration and Intellectual Property Theft: Attackers leveraging trust relationships can access and exfiltrate critical business information, intellectual property, and sensitive user data.

• Operational Disruption: Exploitation of trust relationships can lead to disruption of critical business operations, downtime, and significant financial and reputational damage.

Early detection and prompt response reduce the attacker's window of opportunity, limit lateral movement, and minimize potential damage to organizational assets.

Examples

Real-world examples of Trust Modification include:

• APT29 (Cozy Bear):

  • During the SolarWinds compromise, APT29 leveraged trust relationships between domains to escalate privileges and move laterally within compromised organizations.

  • Tools used included standard Windows utilities (netdom.exe) and PowerShell scripts to manipulate trusts.

  • Impact: Extensive compromise of government and corporate networks, prolonged persistence, and significant data exfiltration.

• NotPetya Ransomware Attack (2017):

  • Attackers exploited existing domain trust relationships within enterprise networks to propagate rapidly across multiple domains and forests.

  • Impact: Severe operational disruption, data loss, and significant financial damage across multiple global enterprises.

• Internal Threat Incident (Financial Sector):

  • An internal actor with administrative privileges created hidden trust relationships between internal domains and external attacker-controlled domains.

  • Tools used included PowerShell scripts executed during off-hours to avoid detection.

  • Impact: Persistent access to sensitive financial data, extensive data exfiltration, and prolonged compromise before detection.

These examples illustrate the critical importance of monitoring and protecting trust relationships within Active Directory environments to prevent extensive organizational compromise.