
Summary
This detection rule identifies the use of nltest.exe, a Windows command-line utility, to enumerate domain trusts in Active Directory (AD) environments. Attackers may use it to gather information about domain trust relationships, which can aid lateral movement during an intrusion. The rule captures executions of nltest.exe with arguments indicative of trust enumeration. False positives may occur when legitimate domain administrators run the utility for benign information gathering, so the context of each execution must be assessed. Investigative steps include analyzing the process execution chain, checking the user's activity, and correlating with other alerts. Response measures involve isolating affected systems and initiating incident response procedures once the analysis is complete.
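The detection and triage logic described above, as an added example that is not the rule's own query. It assumes a generic process-creation event shape (process_name, command_line, user, parent), a set of nltest switches assumed to indicate trust or domain-controller enumeration (/domain_trusts, /all_trusts, /trusted_domains, /dclist), and a small set of constructed sample events; none of these field names, switches or events come from the page.

```python
# Constructed sample process-creation events (not real telemetry).
# Field names are this example's assumption, not the rule's data schema.
SAMPLE_EVENTS = [
    {"process_name": "nltest.exe", "command_line": "nltest.exe /domain_trusts /all_trusts",
     "user": "jdoe", "parent": "cmd.exe"},
    {"process_name": "nltest.exe", "command_line": "nltest /dclist:corp.example",
     "user": "svc-backup", "parent": "powershell.exe"},
    {"process_name": "nltest.exe", "command_line": "nltest /sc_query:corp.example",
     "user": "helpdesk1", "parent": "cmd.exe"},
    {"process_name": "notepad.exe", "command_line": "notepad.exe trusts.txt",
     "user": "jdoe", "parent": "explorer.exe"},
    {"process_name": "NLTEST.EXE", "command_line": "NLTEST.EXE /TRUSTED_DOMAINS",
     "user": "admin", "parent": "mmc.exe"},
]

# nltest switches assumed to indicate trust / DC enumeration. The page does not
# list the rule's own arguments; this set is the example's assumption.
TRUST_ENUM_ARGS = ("/domain_trusts", "/all_trusts", "/trusted_domains", "/dclist")

# Parents that suggest a scripted or interactive shell launch, worth noting at triage.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def is_trust_enumeration(event):
    """True when the event is nltest.exe run with a trust-enumeration switch.

    Matching is case-insensitive and on switch prefix, so '/dclist:corp.example'
    matches '/dclist' while unrelated switches such as '/sc_query' do not.
    """
    if event.get("process_name", "").lower() != "nltest.exe":
        return False
    tokens = event.get("command_line", "").lower().split()
    return any(tok.startswith(arg) for tok in tokens for arg in TRUST_ENUM_ARGS)


def find_trust_enumeration(events):
    """Filter a stream of process events down to trust-enumeration hits."""
    return [e for e in events if is_trust_enumeration(e)]


def triage_context(event, known_admin_users=frozenset()):
    """Return context notes an analyst would check before escalating a hit.

    The allowlist of known domain administrators is supplied by the caller;
    the function only records whether the user is on it and whether the
    parent process looks like a shell or script host.
    """
    notes = []
    if event["user"].lower() in {u.lower() for u in known_admin_users}:
        notes.append("user is a known domain admin; possible benign use")
    else:
        notes.append("user not in admin allowlist")
    if event["parent"].lower() in SHELL_PARENTS:
        notes.append("scripted/shell parent: " + event["parent"].lower())
    return notes


if __name__ == "__main__":
    for hit in find_trust_enumeration(SAMPLE_EVENTS):
        print(hit["command_line"], "->", triage_context(hit, {"admin"}))
```

The prefix match on switches is deliberate: nltest accepts `/dclist:<domain>` with a value appended, so an exact-token comparison would miss it. The triage notes do not decide the outcome; they surface the user and parent-process context the summary says must be assessed before isolating a host.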
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Sensor Health
- Logon Session
ATT&CK Techniques
- T1018
- T1482
Created: 2022-05-31