Operator On The Wire

Domain Trusts

This note documents detection patterns related to Domain Trust Enumeration within Active Directory environments.


Direct Indicators

Log      | Event ID | Meaning                   | Forensic Value | Notes
---------|----------|---------------------------|----------------|----------------------------------------------------
Security | 4662     | Directory object accessed | High           | LDAP queries retrieving trust relationship objects.
Security | 4624     | Successful logon          | Medium         | Authentication used during enumeration.
Security | 4648     | Explicit credentials used | High           | Tools authenticating with alternate credentials.
Sysmon   | 1        | Process creation          | High           | Execution of enumeration tools.
Sysmon   | 3        | Network connection        | Medium         | LDAP queries to domain controllers.

Indirect Indicators

Indicator                          | What To Look For                      | Forensic Value | Notes
-----------------------------------|---------------------------------------|----------------|---------------------------------
LDAP queries for trust objects     | Queries against trustedDomain objects | High           | Indicates trust enumeration.
Enumeration tools execution        | PowerView or nltest usage             | High           | Direct discovery activity.
Multiple domain controller queries | Repeated LDAP requests                | Medium         | Automated enumeration behavior.
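The "repeated LDAP requests" indicator is a rate question rather than a single-event match. The following is an added example, not part of the original note, showing a sliding-window count over Sysmon Event ID 3 (network connection) records: a host is flagged when its LDAP connections to domain controllers exceed a threshold inside a time window. The DC addresses, the five-minute window, the threshold of 20 and the sample events are all constructed assumptions to be tuned per environment.

```python
"""Flag hosts making bursts of LDAP connections to domain controllers.

Added example (not from the original note). Input records carry the
Sysmon Event ID 3 fields Computer, UtcTime, DestinationIp and
DestinationPort; everything below is constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}  # assumed DC addresses
LDAP_PORTS = {389, 636, 3268, 3269}               # LDAP, LDAPS, Global Catalog
WINDOW = timedelta(minutes=5)                     # assumed window
THRESHOLD = 20                                    # assumed connections per window


def is_ldap_to_dc(ev: dict) -> bool:
    """True when the connection targets an LDAP/GC port on a known DC."""
    return ev.get("DestinationIp") in DOMAIN_CONTROLLERS and ev.get("DestinationPort") in LDAP_PORTS


def find_ldap_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_host: {...}} for hosts whose LDAP connections to DCs
    reach `threshold` within any `window`. The recorded window is the one
    in force at the last event that exceeded the threshold."""
    per_host = defaultdict(deque)   # timestamps currently inside the window
    dcs_seen = defaultdict(set)     # distinct DCs contacted per host
    hits = {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev.get("EventID") != 3 or not is_ldap_to_dc(ev):
            continue
        host = ev["Computer"]
        t = datetime.fromisoformat(ev["UtcTime"])
        q = per_host[host]
        q.append(t)
        dcs_seen[host].add(ev["DestinationIp"])
        while q and t - q[0] > window:       # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            hits[host] = {"first": q[0], "last": t, "count": len(q),
                          "distinct_dcs": len(dcs_seen[host])}
    return hits


def _constructed_events():
    """Constructed Sysmon 3 records: one noisy host, one normal host, one non-LDAP flow."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    evs = []
    for i in range(25):  # WS01: 25 LDAP connections to two DCs in two minutes
        evs.append({"EventID": 3, "Computer": "WS01",
                    "UtcTime": (base + timedelta(seconds=5 * i)).isoformat(),
                    "DestinationIp": "10.0.0.10" if i % 2 else "10.0.0.11",
                    "DestinationPort": 389})
    for i in range(5):   # WS02: a handful of connections spread over an hour
        evs.append({"EventID": 3, "Computer": "WS02",
                    "UtcTime": (base + timedelta(minutes=12 * i)).isoformat(),
                    "DestinationIp": "10.0.0.10", "DestinationPort": 389})
    evs.append({"EventID": 3, "Computer": "WS03", "UtcTime": base.isoformat(),
                "DestinationIp": "10.0.0.10", "DestinationPort": 443})  # not LDAP
    return evs


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for host, hit in find_ldap_bursts(SAMPLE_EVENTS).items():
        print(host, hit["count"], "LDAP connections to", hit["distinct_dcs"], "DCs",
              "between", hit["first"], "and", hit["last"])
```

Domain-joined workstations talk LDAP to DCs routinely (Group Policy refresh, logon scripts), so the threshold needs baselining against normal hosts before it is used for alerting; the distinct-DC count is the more useful signal, since enumeration tools that walk every trust tend to reach DCs a given workstation never otherwise contacts.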

Common Tools

Tool          | Usage
--------------|----------------------------------------
PowerView     | Enumerates domain trust relationships.
nltest        | Native tool for listing domain trusts.
SharpHound    | Collects trust relationship data.
BloodHound.py | Enumerates trust data from Linux.

Relevant Artifacts

  • Security logs (4662, 4624, 4648)
  • LDAP query telemetry
  • Sysmon process logs
  • EDR telemetry
  • Network logs to domain controllers

MITRE ATT&CK References

  • T1482 Domain Trust Discovery

Decision Tree

  1. Detect enumeration-related process execution.
  2. Identify querying host.
  3. Inspect LDAP query types.
  4. Determine authenticated account.
  5. Identify scope of trust relationships discovered.
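The five steps above can be walked mechanically once Sysmon process-creation events and Security 4662 events are normalised. The following is an added example, not code from the original note: it matches command lines against the tools listed under Common Tools, recognises 4662 reads of trustedDomain objects by class name or by the trustedDomain schema class GUID (bf967ab8-0de6-11d0-a285-00aa003049e2, the form 4662 reports when the class name is not resolved), joins both on the account, and reports host, account, query type and the set of trust objects touched. The field names follow the event fields in the tables above; the sample events are constructed.

```python
"""Walk the Domain Trust Enumeration decision tree over normalised events.

Added example (not part of the original note). Records carry a "log"
field (Security or Sysmon) plus the native event fields; all sample
events below are constructed, not captured from a real domain.
"""
import re
from collections import defaultdict

# schemaIDGUID of the trustedDomain class; 4662 shows it as %{guid} when unresolved
TRUSTED_DOMAIN_GUID = "bf967ab8-0de6-11d0-a285-00aa003049e2"

# Command-line patterns for the tools in the Common Tools table
ENUM_PATTERNS = [
    re.compile(r"nltest(\.exe)?\s+/domain_trusts", re.I),              # native nltest
    re.compile(r"Get-(Net)?DomainTrust|Get-DomainTrustMapping", re.I),  # PowerView
    re.compile(r"SharpHound|bloodhound-python", re.I),                  # collectors
]


def is_enumeration_process(cmdline: str) -> bool:
    """Step 1: does the command line match a known trust-enumeration tool?"""
    return any(p.search(cmdline) for p in ENUM_PATTERNS)


def is_trust_object_access(ev: dict) -> bool:
    """Step 3: is this a Security 4662 against a trustedDomain object?"""
    if ev.get("log") != "Security" or ev.get("EventID") != 4662:
        return False
    obj_type = ev.get("ObjectType", "").lower()
    return "trusteddomain" in obj_type or TRUSTED_DOMAIN_GUID in obj_type


def _account_key(name: str) -> str:
    """Normalise 'DOMAIN\\user' (Sysmon) and 'user' (4662) to one join key."""
    return name.split("\\")[-1].lower()


def triage(events):
    """Steps 1-5: one finding per account that ran a tool or read trust objects."""
    findings = defaultdict(lambda: {"hosts": set(), "processes": [], "dcs": set(),
                                    "query_types": set(), "trusts": set()})
    for ev in events:
        if ev.get("log") == "Sysmon" and ev.get("EventID") == 1:
            if not is_enumeration_process(ev.get("CommandLine", "")):
                continue
            f = findings[_account_key(ev.get("User", "?"))]             # step 4: account
            f["processes"].append(ev["CommandLine"])                     # step 1: tool ran
            f["hosts"].add(ev.get("Computer", "?"))                      # step 2: querying host
        elif is_trust_object_access(ev):
            f = findings[_account_key(ev.get("SubjectUserName", "?"))]   # step 4: account
            f["query_types"].add(ev["ObjectType"])                       # step 3: object class read
            f["dcs"].add(ev.get("Computer", "?"))                        # DC that logged the read
            f["trusts"].add(ev.get("ObjectName", "?"))                   # step 5: trusts discovered
    return dict(findings)


SAMPLE_EVENTS = [  # constructed sample data
    {"log": "Sysmon", "EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"log": "Sysmon", "EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"log": "Security", "EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "ObjectType": "%{bf967ab8-0de6-11d0-a285-00aa003049e2}",
     "ObjectName": "CN=partner.example,CN=System,DC=corp,DC=example"},
    {"log": "Security", "EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "ObjectType": "trustedDomain",
     "ObjectName": "CN=child.corp.example,CN=System,DC=corp,DC=example"},
    {"log": "Security", "EventID": 4662, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",  # user class, not a trust
     "ObjectName": "CN=Backup Svc,OU=Service,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for account, f in triage(SAMPLE_EVENTS).items():
        print(account, "from", sorted(f["hosts"]), "ran", f["processes"],
              "and read", len(f["trusts"]), "trust object(s) on", sorted(f["dcs"]))
```

Two caveats when running this against real data: 4662 is only generated for objects whose SACL audits the access in question, so without Directory Service Access auditing and a SACL on the trust objects under CN=System the step 3 and step 5 evidence will be missing; and the 4662 Computer field names the domain controller that logged the read, not the client, which is why the querying host is taken from the Sysmon process-creation record and the two are joined on the account.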

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4662
| where ObjectType has_any ("trustedDomain", "bf967ab8-0de6-11d0-a285-00aa003049e2")  // class name, or its schemaIDGUID when unresolved

EQL

// ObjectType field name assumed to follow Winlogbeat's winlog.event_data mapping
any where event.code == "4662" and winlog.event_data.ObjectType : ("*trustedDomain*", "*bf967ab8-0de6-11d0-a285-00aa003049e2*")

Sigma

title: Domain Trust Enumeration
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
    ObjectType|contains:
      - 'trustedDomain'
      - 'bf967ab8-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of trustedDomain
  condition: selection
level: medium

Mitigation & Hardening

Control Area    | Mitigation                          | Effectiveness | Notes
----------------|-------------------------------------|---------------|----------------------------
Monitoring      | Alert on trust enumeration commands | Medium        | Identifies reconnaissance.
Audit logging   | Enable directory access auditing    | High          | Improves visibility.
Least privilege | Limit domain query capabilities     | Low           | Enumeration often allowed.