
Domain Trust Discovery Commands - Windows

Anvilogic Forge

Summary
This detection rule identifies reconnaissance of domain trust relationships in Windows environments. In multi-domain or multi-forest setups, adversaries enumerate trusts to find paths for lateral movement from a compromised domain into a trusted one. The rule looks for executions of the built-in command-line tool nltest.exe with the '/domain_trusts' or '/trusted_domains' switches, which list the trusts configured for the current or a named domain.

The rule matches on the command-line arguments rather than on the image name, so it still fires when nltest.exe has been copied and renamed or launched through a wrapper such as cmd.exe, both of which attackers use to evade name-based detection. It relies on Windows process creation events that carry the full command line (Security event 4688 with command-line auditing enabled, or Sysmon event ID 1); without command-line logging the switches are not visible and the rule cannot match. Monitoring this activity is most useful for post-compromise detection and response in estates with several trusted domains, where trust enumeration by a non-administrative user or from an unusual host is a strong early indicator.
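The matching logic described above, run over a handful of constructed process-creation events. This is an added example, not the Anvilogic rule's own implementation; the event field names (Image, CommandLine, User) are an assumption modelled on Sysmon event ID 1, and the sample events are made up to cover the renamed-binary, cmd.exe-wrapper, benign-nltest and substring-only cases.

```python
import ntpath
import re

# Constructed sample process-creation events (not real telemetry). The field
# names Image / CommandLine / User are an assumption modelled on Sysmon Event
# ID 1; a Security 4688 feed would need a field mapping first.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts", "User": r"CORP\jdoe"},
    # nltest.exe copied and renamed: the image name no longer says "nltest"
    {"Image": r"C:\Users\Public\svc.exe",
     "CommandLine": "svc.exe /trusted_domains", "User": r"CORP\jdoe"},
    # Benign DC lookup with nltest: must not fire
    {"Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /dsgetdc:corp.local", "User": r"CORP\helpdesk"},
    # Invocation wrapped in cmd.exe, with the switch in upper case
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c "nltest /DOMAIN_TRUSTS"', "User": r"CORP\svc_backup"},
    # Unrelated tool whose argument merely contains the substring: must not fire
    {"Image": r"C:\Program Files\App\app.exe",
     "CommandLine": "app.exe --domain_trusts_report", "User": r"CORP\jdoe"},
]

# Match the nltest switches themselves, not the image name, so a renamed
# binary or a cmd.exe wrapper still triggers. Case-insensitive because the
# Windows command line is. The trailing \b rejects "/domain_trusts_x" style
# substrings while allowing the switch at end of line or before a quote.
TRUST_SWITCH = re.compile(r"/(?:domain_trusts|trusted_domains)\b", re.IGNORECASE)


def match_trust_discovery(event):
    """Return the matched switch (lower-cased) for one event, or None."""
    m = TRUST_SWITCH.search(event.get("CommandLine", ""))
    return m.group(0).lower() if m else None


def detect(events):
    """Run the rule over a list of events and return enriched alerts."""
    alerts = []
    for ev in events:
        switch = match_trust_discovery(ev)
        if switch is None:
            continue
        # ntpath, not os.path, so Windows backslash paths split correctly
        # even when this runs on a Linux SIEM host.
        image_name = ntpath.basename(ev.get("Image", "")).lower()
        alerts.append({
            "user": ev.get("User"),
            "image": ev.get("Image"),
            "switch": switch,
            # False when nltest was renamed or launched through a wrapper;
            # worth surfacing to the analyst as a triage hint.
            "image_is_nltest": image_name == "nltest.exe",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Three of the five sample events produce alerts: the direct nltest call, the renamed copy, and the cmd.exe wrapper. The /dsgetdc lookup and the unrelated --domain_trusts_report argument do not, which is the behaviour you want before tuning for noisy but legitimate administrative use.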
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1482
Created: 2024-02-09