MITRE’s data sources
- Azure activity logs
- Office 365 account logs
- API monitoring
- Process monitoring
- Process command-line parameters
While MITRE does not include it among its data sources, network logs for LDAP queries (typically port 389 over TCP/UDP) are another good collection source for defenders seeking to observe Domain Trust Discovery activity. Security teams seeking to observe malicious instances of Domain Trust Discovery will also want to collect logs relating to process monitoring and process command-line parameters.
The analytics that will uncover Domain Trust Discovery attempts are relatively simple, but they vary in feasibility as your environment scales. Most organizations can work to detect nltest.exe with these command lines:
In a similar vein to nltest.exe, dsquery.exe can be used to enumerate domain trusts with the following command line:
- dsquery * -filter "(objectClass=trustedDomain)" -attr *
The ADFind tool can also be used to query domain trusts with the following command lines:
If you are able to collect and analyze LDAP queries, you’ll want to scrutinize any that originate from non-DCs with the substring (objectClass=trustedDomain), especially if other suspicious reconnaissance actions are identified.
Weeding out false positives
Looking for generic detection of nltest.exe without specific command-line options will lead you down some high-volume paths. The best route with this technique is to be specific.
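The following is an added example, not code from this report or from MITRE, that turns the three ideas above into runnable detection logic: match the trust-enumeration tools only when their trust-specific arguments are present (so a bare nltest.exe is not flagged), treat LDAP searches for the trustedDomain object class as suspicious only when they do not come from a domain controller, and surface hosts where more than one rule fires. The host names, the event layout and the sample events are constructed; the dsquery command line is the one quoted above, while the nltest switches (/domain_trusts, /all_trusts) and AdFind's use of an LDAP filter are taken from those tools' documented usage rather than from this page.

```python
"""Added example: a small detector for Domain Trust Discovery telemetry.

Not the report's or MITRE's code. Assumptions are marked inline: the
domain-controller host names, the event dictionary layout, and the
nltest/AdFind command-line patterns (dsquery's line is quoted in the text).
"""
import re
from collections import defaultdict

# Constructed: hosts that are domain controllers. A trustedDomain LDAP
# search from one of these is routine; from anywhere else it merits review.
DOMAIN_CONTROLLERS = {"dc01", "dc02"}

# Normalised form of the LDAP filter substring named in the text.
TRUST_FILTER = "(objectclass=trusteddomain)"

# Each rule: (name, image regex, command-line regex). Both must match, so a
# generic nltest.exe execution without trust arguments is not reported.
PROCESS_RULES = [
    ("nltest_trust_enum", re.compile(r"(^|\\)nltest(\.exe)?$", re.I),
     re.compile(r"/(domain_trusts|all_trusts)\b", re.I)),   # assumed: documented nltest switches
    ("dsquery_trust_enum", re.compile(r"(^|\\)dsquery(\.exe)?$", re.I),
     re.compile(r"objectclass=trusteddomain", re.I)),        # from the dsquery line above
    ("adfind_trust_enum", re.compile(r"(^|\\)adfind(\.exe)?$", re.I),
     re.compile(r"trusteddomain", re.I)),                    # assumed: AdFind -f LDAP filter
]


def check_process(event):
    """Return the name of the first rule a process event triggers, or None."""
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    for name, image_re, cmd_re in PROCESS_RULES:
        if image_re.search(image) and cmd_re.search(cmdline):
            return name
    return None


def check_ldap(event):
    """Flag trustedDomain searches whose source host is not a DC."""
    src = event.get("src_host", "").lower()
    filt = event.get("filter", "").replace(" ", "").lower()
    if TRUST_FILTER in filt and src not in DOMAIN_CONTROLLERS:
        return "ldap_trust_query_from_non_dc"
    return None


def evaluate(events):
    """Return (host, rule) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            host, rule = ev["host"], check_process(ev)
        elif ev["type"] == "ldap":
            host, rule = ev["src_host"], check_ldap(ev)
        else:
            host, rule = None, None
        if rule:
            hits.append((host.lower(), rule))
    return hits


def hosts_with_multiple_rules(hits):
    """Hosts that tripped more than one distinct rule: several discovery
    techniques clustered on one machine is stronger evidence than a lone
    command and is where an analyst should start."""
    by_host = defaultdict(set)
    for host, rule in hits:
        by_host[host].add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) > 1)


# Constructed sample telemetry: process events and LDAP query records.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest.exe /domain_trusts /all_trusts"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest.exe /sc_query:corp.example"},  # benign secure-channel check
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\dsquery.exe",
     "cmdline": 'dsquery * -filter "(objectClass=trustedDomain)" -attr *'},
    {"type": "process", "host": "ws02", "image": r"C:\Tools\AdFind.exe",
     "cmdline": 'AdFind.exe -f "(objectclass=trusteddomain)"'},
    {"type": "ldap", "src_host": "dc01", "filter": "(objectClass=trustedDomain)"},
    {"type": "ldap", "src_host": "ws03",
     "filter": "(&(objectClass=trustedDomain)(flatName=*))"},
    {"type": "ldap", "src_host": "ws03", "filter": "(objectClass=user)"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("escalate:", hosts_with_multiple_rules(found))
```

Against the sample events the detector reports ws01 for the nltest trust enumeration but stays silent on the secure-channel query from the same host, reports both dsquery and AdFind on ws02, and reports the LDAP trustedDomain search from ws03 while ignoring the identical search from dc01; ws02 is the only host escalated, because two distinct rules fired there.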