
Summary
The "NLTest Domain Trust Discovery" analytic detects execution of `nltest.exe` with arguments used for domain trust enumeration. When run with `/domain_trusts` or `/all_trusts`, the command queries the trust relationships between domains, revealing forest and domain structure that an attacker can use to plan lateral movement. The detection relies primarily on process execution telemetry from Endpoint Detection and Response (EDR) agents, matching on the process name together with these command-line arguments rather than on the binary alone, since `nltest.exe` is a built-in Windows tool with many benign uses. Because attackers commonly run this command during reconnaissance before further attacks, detecting it is useful for surfacing unauthorized activity early. Known false positives include legitimate administrative troubleshooting, but use of these arguments is otherwise rare in typical operational contexts.
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1482
Created: 2024-12-16