forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
domain_trust_discovery.yml
25 lines (25 loc) · 1.08 KB
/
domain_trust_discovery.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
name: Domain Trust Discovery
id: e6f30f14-8daf-11eb-a017-acde48001122
version: 1
date: '2021-03-25'
author: Michael Haag, Splunk
description: Adversaries may attempt to gather information on domain trust relationships
that may be used to identify lateral movement opportunities in Windows multi-domain/forest
environments.
narrative: Domain trusts provide a mechanism for a domain to allow access to resources
based on the authentication procedures of another domain. Domain trusts allow the
users of the trusted domain to access resources in the trusting domain. The information
discovered may help the adversary conduct SID-History Injection, Pass the Ticket,
and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts()
Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be
used by adversaries to enumerate domain trusts.
references:
- https://attack.mitre.org/techniques/T1482/
tags:
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection