What is Domain Trust?
Domain trust refers to the relationship
established between two domains in a network, allowing users and resources in
one domain to access resources in another domain. This is a fundamental concept
in Windows Active Directory environments.
Types of Domain Trusts
- One-Way Trust:
  - Description: Only one domain trusts the other. For example, Domain A trusts Domain B, but Domain B does not trust Domain A. Direction matters: accounts from the trusted domain (B) can be granted access to resources in the trusting domain (A), not the other way round.
  - Usage: Useful for scenarios where access needs to be restricted to one direction, for example letting a partner's accounts reach a single resource domain.
- Two-Way Trust:
  - Description: Both domains trust each other, so accounts in either domain can be granted access to resources in the other.
  - Usage: Commonly used in environments where mutual access is required. Parent-child and tree-root trusts inside a forest are two-way by default.
- Transitive Trust:
  - Description: Trust relationships extend beyond the immediate domains. If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C.
  - Usage: Simplifies trust management in complex environments. Trusts inside a forest are transitive, and a forest trust is transitive between the two forests it joins.
- Non-Transitive Trust:
  - Description: Trust relationships do not extend beyond the immediate domains. If Domain A trusts Domain B, and Domain B trusts Domain C, Domain A does not trust Domain C.
  - Usage: Provides more control over trust relationships. External trusts (to a single domain in another forest) and realm trusts are non-transitive by default.
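The four trust types above combine into a small graph problem: given a set of trusts with a direction and a transitivity flag, which domains can an account from one domain actually reach? The following is an added example (not from the original article) that models this with made-up domain names; the model is deliberately simplified, treating each trust as an edge from the trusting (resource) domain to the trusted (account) domain, so "corp trusts dev" means accounts from dev can be granted access to resources in corp.

```python
"""Work out which domains an account can reach through a set of trusts.

Added example, not code from the original article. The domain names and the
trust list are made up, and the model is deliberately simplified: a trust is
an edge from the trusting (resource) domain to the trusted (account) domain,
marked transitive or not. "corp trusts dev" means accounts from dev can be
granted access to resources in corp.
"""

# (trusting_domain, trusted_domain, transitive)
TRUSTS = [
    # two-way transitive parent/child trusts inside one forest
    ("corp.example.com", "dev.corp.example.com", True),
    ("dev.corp.example.com", "corp.example.com", True),
    ("dev.corp.example.com", "lab.dev.corp.example.com", True),
    ("lab.dev.corp.example.com", "dev.corp.example.com", True),
    # one-way, non-transitive external trust: corp trusts a partner domain
    ("corp.example.com", "partner.example.net", False),
    # the partner has its own transitive trust with a vendor
    ("partner.example.net", "vendor.example.org", True),
]


def trust_direction(a, b, trusts=TRUSTS):
    """Describe the trust between two domains from a's point of view."""
    a_trusts_b = any(t[0] == a and t[1] == b for t in trusts)
    b_trusts_a = any(t[0] == b and t[1] == a for t in trusts)
    if a_trusts_b and b_trusts_a:
        return "two-way"
    if a_trusts_b:
        return "outbound"   # a trusts b: b's accounts can reach a's resources
    if b_trusts_a:
        return "inbound"    # b trusts a: a's accounts can reach b's resources
    return "none"


def reachable_from(account_domain, trusts=TRUSTS):
    """Return the set of domains whose resources accounts from
    account_domain can be granted access to.

    Walk from the account domain along trusts that point at it (domains that
    trust the current domain). The first hop may use any trust; every later
    hop needs a transitive trust, and a non-transitive hop ends the chain.
    """
    reached = set()
    expanded = {account_domain}
    frontier = [account_domain]
    hop = 0
    while frontier:
        next_frontier = []
        for domain in frontier:
            for trusting, trusted, transitive in trusts:
                if trusted != domain or trusting == account_domain:
                    continue
                if hop > 0 and not transitive:
                    continue  # only the first hop may cross a non-transitive trust
                reached.add(trusting)
                # only a transitive trust lets the chain continue past this domain
                if transitive and trusting not in expanded:
                    expanded.add(trusting)
                    next_frontier.append(trusting)
        frontier = next_frontier
        hop += 1
    return reached


if __name__ == "__main__":
    for dom in ("corp.example.com", "partner.example.net", "vendor.example.org"):
        print(dom, "->", sorted(reachable_from(dom)))
```

Running it shows the two rules at work: corp accounts reach dev and lab through the transitive forest trusts, partner accounts reach only corp (the non-transitive external trust is a dead end), and vendor accounts reach partner but never corp, because the second hop would have to cross a non-transitive trust.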
What is Domain Trust Discovery?
Domain trust discovery involves identifying and
understanding the trust relationships between different domains within a
network. In a Windows environment, domain trusts allow users in one domain to
access resources in another domain based on established trust relationships.
Why do adversaries use domain trust discovery?
Lateral Movement: By discovering domain trusts, attackers
can identify which domains trust each other and exploit these relationships to
move from one domain to another.
Privilege Escalation: Attackers can use domain trust
information to find misconfigurations or vulnerabilities that allow them to
escalate their privileges.
Resource Access (sensitive data and critical systems): Understanding trust relationships helps attackers identify which domains hold valuable resources, which domains are trusted by them, and therefore which trust to abuse to reach them.
Domain Trust Discovery Using Nltest
What is Nltest?
Nltest is Microsoft's command-line utility for network administrators to manage and troubleshoot Windows domain environments, for example to enumerate Domain Controllers (DCs) or to determine the trust relationships of a domain. It ships with Windows, so an attacker does not need to bring a tool of their own.
Some common Functions of Nltest
1. Enumerating Domain Trust Relationships
nltest /domain_trusts
This command lists the domain trusts known to the domain of the machine where it runs: one line per trust with the NetBIOS and DNS names, the direction (Direct Inbound, Direct Outbound, or both for a two-way trust) and the trust attributes. To query a specific (remote) domain controller instead, name the server:
nltest /server:<servername> /domain_trusts
2. Enumerating All Trust Relationships
nltest /domain_trusts /all_trusts
/all_trusts is not a separate command but one of the filters that /domain_trusts accepts (the others are /Primary, /Forest, /Direct_Out and /Direct_In). With /all_trusts the full list of trusted domains is returned, including forest and external trusts, which is why this exact form shows up in attacker and malware command lines. Adding /v prints the raw trust attribute values for each entry.
3. List Domain Controllers
nltest /dclist:<domain>
This command provides a list of all domain controllers in the specified domain, including their names and sites. The related nltest /dsgetdc:<domain> locates a single domain controller for the domain and reports its name, address, site and role flags.
4. Identifying Trust Relationships
nltest /trusted_domains
This command queries the names of the domains trusted by the workstation, as cached by the Netlogon service. It helps administrators identify which domains have established trust relationships with the current domain, and gives an attacker a quick, low-noise answer to the same question.
5. Replicate User Accounts
nltest /replicate:<domain>
This command forces replication of the user-account database between domain controllers in a Windows NT 4.0 domain, so that changes made to user accounts on one domain controller are synchronized to the others. It is a legacy option with no role in an Active Directory domain, where the DCs replicate among themselves.
6. Checking the Secure Channel Status
A secure channel is a communication link established between
a computer and a domain controller in an Active Directory environment. This
channel is created by the NetLogon service and is essential for ensuring secure
and reliable communication for authentication and other domain-related
operations.
nltest /sc_query:<domain_name>
This command queries the status of the secure channel between the computer and a domain controller of the named domain and reports which DC it is currently using. nltest /sc_verify:<domain_name> goes one step further and re-establishes the channel if it is broken.
7. Forcing a Secure Channel Reset
nltest /sc_reset:<domain_name>
This command resets the secure channel between the computer and a domain controller. It is useful when the secure channel is broken or flaky, which shows up as authentication problems on that machine. The optional form nltest /sc_reset:<domain_name>\<dc_name> rebuilds the channel to a specific domain controller, which is why an attacker might run it: it lets them steer a host's Netlogon traffic to a DC of their choosing or disrupt the host's normal domain operations. On its own the command is ordinary administration, so it is the context (user, host, parent process) that makes it suspicious.
Real World Examples:
TrickBot: A notorious banking Trojan that evolved into a modular malware platform.
TrickBot runs nltest.exe to gather domain trust information for lateral movement, using commands such as nltest /domain_trusts and nltest /domain_trusts /all_trusts. The output helps the operators understand the network topology and identify potential targets for lateral movement.
FIN8: A financially motivated threat group known for targeting various sectors, including hospitality, retail, entertainment, insurance, technology, chemical, and financial industries.
FIN8 has used nltest.exe /domain_trusts to retrieve a list
of trusted domains.
Empire: It is a post-exploitation framework.
Empire includes modules for enumerating domain trusts using various methods.
Other Techniques and Tools Used
- AdFind:
- Description:
A command-line Active Directory query tool.
- Usage:
Used to gather information about organizational units (OUs) and domain
trusts
- BloodHound:
- Description:
A tool that maps Active Directory relationships and permissions.
- Usage:
It can identify domain trusts and potential attack paths within the
network
- LDAP Queries:
  - Description: Lightweight Directory Access Protocol (LDAP) queries can be used to gather information from Active Directory.
  - Usage: A filter such as (objectClass=trustedDomain) returns the trustedDomain objects under the System container, whose attributes record each trust's partner, direction and attribute flags.
- Post-Exploitation Frameworks:
  - Examples: Tools like Empire, PowerSploit, and PoshC2.
  - Usage: These frameworks have modules for domain trust discovery, often using Windows APIs or .NET methods to gather trust information rather than spawning nltest.exe.
Defenders
- What to look at?
Unusual Command-Line Arguments: Execution of
NLTest.exe with arguments like /domain_trusts, /all_trusts, /dclist:, or
/dsgetdc: can indicate reconnaissance activities. These commands are often used
by attackers to gather information about domain trust relationships and domain
controllers.
Unexpected Execution: NLTest.exe running on systems
where it is not typically used, especially on non-administrative systems, can
be a sign of malicious activity.
High Frequency of Execution: Multiple executions of NLTest.exe in a short period can indicate automated scripts or tools being used by attackers.
Detection Technologies
Endpoint Detection and Response (EDR): EDR products such as CrowdStrike Falcon record process execution and command-line arguments and can alert on suspicious use of NLTest.exe. Analysis should include review of the complete process tree, since nltest spawned by an Office application or a script host tells a different story than nltest spawned from an administrator's console.
Windows Event Logs: Monitoring specific event IDs, such as Sysmon Event ID 1 (process creation) or Security Event ID 4688 with command-line auditing enabled, can detect the execution of NLTest.exe and capture its arguments.
Security Information and Event Management (SIEM): SIEM platforms like Splunk Enterprise Security can aggregate and analyze logs from these sources to identify patterns indicative of NLTest.exe misuse, such as bursts of executions or use on hosts where it is not expected.
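Put together, the three indicators above (reconnaissance arguments, execution where nltest is not expected, and bursts of executions) are a few lines of logic over process-creation telemetry. The following is an added example, not code from the original article: it runs that logic over a constructed set of Sysmon Event ID 1 records, and adds the parent-process check that the process-tree review calls for. The host names, users, admin-host allowlist and thresholds are assumptions standing in for an organization's own baseline; the field names follow Sysmon's Event ID 1 schema.

```python
"""Flag suspicious nltest.exe executions in process-creation telemetry.

Added example, not code from the original article. EVENTS is a constructed
set of Sysmon Event ID 1 records (field names follow Sysmon's schema); the
host names, users, admin-host allowlist and thresholds are assumptions to
be replaced with your own baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# arguments the article lists as reconnaissance, plus /trusted_domains
RECON_ARGS = re.compile(r"/(domain_trusts|all_trusts|dclist:|dsgetdc:|trusted_domains)", re.I)
ADMIN_HOSTS = {"JUMP01"}                 # assumed: where admins normally run nltest
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=5)

EVENTS = [  # constructed sample; order does not matter, detect() sorts by time
    {"UtcTime": "2024-05-01 10:00:00.000", "Computer": "JUMP01.corp.example.com",
     "User": "CORP\\itadmin", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /dclist:corp.example.com"},
    {"UtcTime": "2024-05-01 10:14:02.117", "Computer": "WS-0423.corp.example.com",
     "User": "CORP\\jdoe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"UtcTime": "2024-05-01 10:14:05.402", "Computer": "WS-0423.corp.example.com",
     "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /dclist:corp.example.com"},
    {"UtcTime": "2024-05-01 10:14:07.880", "Computer": "WS-0423.corp.example.com",
     "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /dsgetdc:corp.example.com"},
    {"UtcTime": "2024-05-01 10:30:00.000", "Computer": "WS-0423.corp.example.com",
     "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
    {"UtcTime": "2024-05-01 11:00:00.000", "Computer": "JUMP01.corp.example.com",
     "User": "CORP\\itadmin", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /sc_query:corp.example.com"},
]


def detect(events):
    """Return one alert per nltest.exe execution that trips any indicator."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of recent nltest runs
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not ev["Image"].lower().endswith("\\nltest.exe"):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        host = ev["Computer"].split(".")[0].upper()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if RECON_ARGS.search(ev["CommandLine"]):
            reasons.append("trust/DC reconnaissance arguments")
        if host not in ADMIN_HOSTS:
            reasons.append("execution on a non-admin host")
        if parent in ODD_PARENTS:
            reasons.append(f"spawned by {parent}")   # process-tree context
        window = recent[host]                        # sliding window per host
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_COUNT:
            reasons.append(f"{len(window)} nltest runs within {BURST_WINDOW}")
        if reasons:
            alerts.append({
                "time": ev["UtcTime"], "host": host, "user": ev["User"],
                "command": ev["CommandLine"], "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "low",
            })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["severity"].upper(), a["time"], a["host"], a["user"], a["command"])
        for r in a["reasons"]:
            print("   -", r)
```

On the sample, the administrator's single /dclist run on the jump host produces a low-severity alert (recon arguments alone), while the workstation sequence escalates: nltest spawned by WINWORD.EXE, then two more runs within seconds that trip the burst threshold. The /sc_query run on the jump host raises nothing, which is the intended behaviour for routine troubleshooting. The same logic translates directly into a SIEM search or a Sigma rule; the tunable parts are the allowlist and the burst threshold.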
This was all about Domain Trust Discovery. If you liked this article, don't forget to share it with the community.