
Summary
This detection rule identifies potential reconnaissance activity conducted with the `nltest.exe` tool on Windows systems. `Nltest.exe` is a command-line tool that can query domain trust relationships and domain controllers, which makes it useful to administrators but also to malicious actors seeking to map the environment. The rule monitors process creation events in which the executable is `nltest.exe` and the command line carries arguments that indicate an intent to discover domain trust relationships or to gather details about domain controllers: the detection logic checks the executable's name together with specific command-line parameters that, when used together, suggest reconnaissance. The rule has been authored by notable security professionals and is intended for environments where legitimate administrative tasks could be confused with malicious activity. False positives may arise during legitimate administrative use, so the user and host involved should be investigated in those cases.
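The matching logic described above, as an added illustration that is not the rule's own query nor code from its authors: it takes process-creation records (image path plus command line), keeps only those whose executable name is `nltest.exe`, and then looks for trust-discovery switches on the command line. The page does not reproduce the rule's exact parameter list, so the switch set below is an assumption built from well-known `nltest` options; the sample events are constructed, not real telemetry.

```python
"""Illustrative check for nltest.exe domain-trust discovery in process-creation events."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# nltest switches associated with trust / domain-controller enumeration.
# ASSUMPTION: the page does not list the rule's exact parameters; these are
# well-known nltest switches chosen to illustrate the detection logic.
TRUST_DISCOVERY_SWITCHES = {
    "/domain_trusts",
    "/all_trusts",
    "/trusted_domains",
    "/dclist",
    "/dsgetdc",
}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    host: str
    user: str
    image: str
    command_line: str


def _image_basename(image: str) -> str:
    # Accept full paths or bare names, with either path separator.
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matched_trust_switches(event: ProcessEvent) -> List[str]:
    """Return the trust-discovery switches present, or [] if the event does not match.

    Both conditions of the rule must hold: the image must be nltest.exe AND at
    least one discovery switch must appear on the command line.
    """
    if _image_basename(event.image) != "nltest.exe":
        return []
    found = []
    for token in event.command_line.split():
        # Switches may carry a value after a colon, e.g. /dclist:corp.example.com
        switch = token.lower().split(":", 1)[0]
        if switch in TRUST_DISCOVERY_SWITCHES:
            found.append(switch)
    return found


def triage(events: List[ProcessEvent]) -> Dict[Tuple[str, str], List[str]]:
    """Group matching command lines by (host, user) so an analyst can review who ran what.

    This mirrors the page's advice to investigate the user and host when the
    rule fires, since the same command is legitimate in an admin's hands.
    """
    hits: Dict[Tuple[str, str], List[str]] = {}
    for ev in events:
        if matched_trust_switches(ev):
            hits.setdefault((ev.host, ev.user), []).append(ev.command_line)
    return hits


# Constructed sample events (hostnames, users and domains are made up).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\jdoe", "C:\\Windows\\System32\\nltest.exe",
                 "nltest.exe /domain_trusts /all_trusts"),
    ProcessEvent("WS01", "CORP\\jdoe", "C:\\Windows\\System32\\nltest.exe",
                 '"C:\\Windows\\System32\\nltest.exe" /dclist:corp.example.com'),
    # Secure-channel check: nltest.exe, but no trust-discovery switch -> no match.
    ProcessEvent("DC01", "CORP\\svc_monitor", "C:\\Windows\\System32\\nltest.exe",
                 "nltest /sc_query:corp.example.com"),
    # Different binary with a "/domain" argument -> no match (image check fails).
    ProcessEvent("WS02", "CORP\\asmith", "C:\\Windows\\System32\\net.exe",
                 "net.exe view /domain"),
]

if __name__ == "__main__":
    for (host, user), cmds in triage(SAMPLE_EVENTS).items():
        print(f"{host} {user}:")
        for cmd in cmds:
            print(f"  {cmd}")
```

The image check uses the file name only, so a copy of `nltest.exe` run from an unusual directory still matches; a real rule would usually also surface the full path in the alert so the analyst can see where it ran from.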
Categories
- Windows
- Network
- Identity Management
Data Sources
- Process
ATT&CK Techniques
- T1482
Created: 2021-07-24