Domain Trust Discovery (T1482)

Information

• Name: Domain Trust Discovery

• ID: T1482

• Tactics:

Introduction

Domain Trust Discovery is a technique identified within the MITRE ATT&CK framework under tactic "Discovery" (T1482). It involves adversaries enumerating and discovering trust relationships between Windows Active Directory domains. Attackers perform this action to understand the domain structure, identify trusted domains, and potentially exploit these trust relationships to achieve lateral movement, privilege escalation, or persistence within an organization's network.

Deep Dive Into Technique

Domain Trust Discovery typically leverages built-in Windows utilities and commands to enumerate trust relationships. Trust relationships define the security boundaries and authentication paths between distinct Active Directory domains or forests. Attackers use this information to identify potential paths for lateral movement and privilege escalation.

Technical execution methods include:

• Native Windows Tools and Commands:

  • nltest.exe: A command-line utility available by default on Windows, used to enumerate domain trusts.

    • Example usage: nltest /domain_trusts

  • dsquery: Active Directory query tool used to discover domain trust information.

    • Example usage: dsquery * -filter "(objectClass=trustedDomain)" -attr *

  • PowerShell cmdlets:

    • Get-ADTrust: Retrieves trust relationships from Active Directory.

      • Example usage: Get-ADTrust -Filter *

    • Get-ADForest: Provides details about forest trusts.

      • Example usage: (Get-ADForest).Domains

  • netdom: Command-line utility used to manage domain relationships.

    • Example usage: netdom query trust

• Third-Party Tools:

  • BloodHound: Graphical tool for visualizing Active Directory trusts and attack paths.

  • PowerView (part of PowerSploit framework): PowerShell-based enumeration tool for Active Directory reconnaissance.

    • Example usage: Invoke-MapDomainTrust

Attackers typically execute these commands or scripts from compromised endpoints or domain-joined hosts to gather intelligence about the organization's Active Directory environment.

When this Technique is Usually Used

Domain Trust Discovery is commonly observed during multiple stages of the cyber kill chain, primarily:

• Reconnaissance and Discovery:

  • Attackers gather information about the target organization's Active Directory structure and inter-domain relationships.

  • Identification of trust relationships helps attackers plan further exploitation and lateral movement.

• Lateral Movement:

  • Attackers leverage discovered trust relationships to move laterally across trusted domains and forests.

  • Exploiting trust relationships allows attackers to access resources in other domains without needing separate credentials.

• Privilege Escalation:

  • Attackers may exploit trust relationships to elevate privileges by accessing domains with higher-level permissions or fewer security controls.

• Persistence and Long-term Access:

  • Attackers establish persistence by leveraging inter-domain trusts to maintain access even after initial access vectors have been mitigated.

How this Technique is Usually Detected

Detection of Domain Trust Discovery involves monitoring and analyzing specific activities and artifacts within Windows environments:

• Command Execution Monitoring:

  • Monitor process execution logs and command-line arguments for suspicious utilities:

    • nltest.exe, dsquery.exe, netdom.exe, PowerShell cmdlets (Get-ADTrust, Get-ADForest).

  • Alert on unusual or unauthorized executions of these commands.

• Windows Event Logs:

  • Monitor Windows Security and Sysmon logs for unusual process creation events (Event ID 4688 in Security logs, Event ID 1 in Sysmon logs).

  • Specifically track execution of utilities associated with domain enumeration.

• Endpoint Detection and Response (EDR) Tools:

  • EDR solutions can detect usage patterns of enumeration tools and PowerShell scripts commonly associated with domain trust discovery.

• Network Traffic Analysis:

  • Monitor network traffic for LDAP queries and DNS lookups indicative of domain enumeration activities.

  • Identify unusual LDAP queries targeting domain controllers or Active Directory resources.

• Indicators of Compromise (IoCs):

  • Suspicious command-line executions:

    • nltest /domain_trusts

    • dsquery * -filter "(objectClass=trustedDomain)"

    • PowerShell invocations such as Invoke-MapDomainTrust

  • Unusual LDAP queries to Active Directory servers.

  • Execution of enumeration scripts like PowerView or BloodHound.

Why it is Important to Detect This Technique

Detecting Domain Trust Discovery is critical due to its potential impact on network security and organizational integrity:

• Lateral Movement Risk:

  • Attackers leverage trust relationships to move laterally across domains, expanding their foothold and increasing the attack surface.

• Privilege Escalation Potential:

  • Trust relationships can enable attackers to access sensitive domains or resources with elevated privileges, leading to further compromise.

• Persistence and Long-term Compromise:

  • Exploiting trusts allows attackers to maintain long-term persistence, complicating remediation efforts.

• Data Exfiltration and Sensitive Information Exposure:

  • Attackers gaining access to trusted domains can exfiltrate sensitive data, intellectual property, or credentials.

• Early Detection and Mitigation:

  • Early detection of domain trust enumeration activities enables security teams to proactively respond, isolate compromised hosts, and prevent further exploitation.

Examples

Real-world examples demonstrating Domain Trust Discovery include:

• APT29 (Cozy Bear) Operations:

  • Attackers leveraged tools such as PowerView and custom scripts to enumerate domain trusts within victim environments.

  • Enumeration allowed attackers to identify and exploit trusted relationships, facilitating lateral movement and persistence.

• APT32 (OceanLotus) Campaigns:

  • Utilized native Windows commands (nltest, dsquery) to enumerate Active Directory domains and trusts.

  • Enabled attackers to identify high-value targets and escalate privileges.

• NotPetya Ransomware Attack (2017):

  • Attackers utilized Active Directory enumeration tools to map domain trusts and rapidly propagate malware across trusted domains and networks.

  • Resulted in widespread operational disruption and significant financial losses.

• BloodHound Tool Usage:

  • Attackers frequently use BloodHound to visualize domain trust relationships and identify potential attack paths.

  • BloodHound was notably utilized in penetration testing engagements and real-world intrusions to facilitate lateral movement and privilege escalation.

In each of these examples, attackers leveraged domain trust enumeration techniques to achieve objectives such as lateral movement, privilege escalation, and persistence, highlighting the critical importance of detecting and mitigating this technique.