# Nltest Discovery Activities

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1482 | Domain Trust Discovery | https://attack.mitre.org/techniques/T1482/ |

#### Description
The Windows utility nltest is known to be used by adversaries to enumerate domain trusts. This detection is based on Windows Security Event 4688 and triggers if more than 3 nltest queries are executed by a user on the same computer within 30 minutes. You can alter the variables yourself to tailor it to your environment.

#### Risk
Adversaries perform discovery activities on your network.

#### References
- https://attack.mitre.org/software/S0359/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)

## Sentinel
```kql
// nltest switches of interest; extend the list to fit your environment
let NLTestParameters = pack_array("dclist", "dcname", "dsgetdc", "dnsgetdc", "finduser", "domain_trusts", "dsquerydns");
let BinSize = 30m;    // aggregation window
let Threshold = 3;    // matching queries per user, computer and window that raise an alert
SecurityEvent
| where EventID == 4688    // process creation
| where tolower(CommandLine) has "nltest.exe"
// First argument after the executable, e.g. "/dclist:domain"
| extend ParsedCommandLine = tolower(parse_command_line(CommandLine, "windows")[1])
| where ParsedCommandLine has_any (NLTestParameters)
| summarize TotalQueries = count(), TotalUniqueQueries = dcount(CommandLine), Commands = make_set(CommandLine, 100) by Computer, Account, bin(TimeGenerated, BinSize)
| where TotalQueries >= Threshold
```

## Explanation

This query is designed to detect suspicious use of the nltest utility, which adversaries might use to discover domain trusts within a network. Here's a simplified breakdown:

1. Purpose: Identify if a user runs nltest commands excessively (more than 3 times) on the same computer within a 30-minute window.
2. Technique: This activity is associated with the MITRE ATT&CK technique T1482 (Domain Trust Discovery).
3. Data Source: The query analyzes Windows Security Event 4688 logs.
4. Key Parameters:
   - NLTestParameters: Specific nltest switches that are of interest (e.g., dclist, dcname).
   - BinSize: Time window of 30 minutes.
   - Threshold: Trigger an alert if more than 3 nltest commands are executed.
5. Process:
   - Filter events where the command line contains nltest.exe.
   - Parse the command line and check whether its first argument contains any of the specified nltest parameters.
   - Count the number of nltest queries executed by each user on each computer within the 30-minute window.
   - Trigger an alert if the count exceeds the threshold of 3.

In summary, this query helps detect potential reconnaissance activities by monitoring for frequent use of nltest commands, which could indicate an adversary trying to gather information about domain trusts in your network.
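The same filter, bin and threshold logic as the Sentinel query, re-implemented in Python over a handful of constructed 4688 records so the behaviour can be checked offline. This is an added example, not the author's query or Sentinel code; the sample events, host names and accounts are made up, and `shlex`/regex term matching only approximates KQL's `parse_command_line` and term-based `has_any`.

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Same knobs as the Sentinel query above.
NLTEST_PARAMETERS = ("dclist", "dcname", "dsgetdc", "dnsgetdc",
                     "finduser", "domain_trusts", "dsquerydns")
BIN_SIZE = timedelta(minutes=30)
THRESHOLD = 3

# Constructed sample of 4688 events (TimeGenerated, Computer, Account, CommandLine); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-08-27T09:01:00", "WS01", "CORP\\alice", "nltest.exe /dclist:corp.local"),
    ("2024-08-27T09:04:00", "WS01", "CORP\\alice", "nltest.exe /domain_trusts /all_trusts"),
    ("2024-08-27T09:12:00", "WS01", "CORP\\alice", "nltest.exe /dsgetdc:corp.local"),
    ("2024-08-27T09:20:00", "WS01", "CORP\\alice", "nltest.exe /sc_query:corp.local"),  # not a watched switch
    ("2024-08-27T10:30:00", "WS02", "CORP\\bob", "nltest.exe /dclist:corp.local"),
    ("2024-08-27T10:35:00", "WS02", "CORP\\bob", "C:\\Windows\\System32\\nltest.exe /dcname:corp.local"),
    ("2024-08-27T11:10:00", "WS02", "CORP\\bob", "nltest.exe /domain_trusts"),  # lands in the next 30m bin
]

def first_argument(cmdline):
    """Approximates parse_command_line(CommandLine, "windows")[1]: the first token after the program."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode keeps Windows backslashes intact
    return tokens[1].lower() if len(tokens) > 1 else ""

def is_interesting(cmdline):
    """Both 'where' filters: nltest.exe in the command line and a watched switch as first argument.
    KQL has_any matches whole terms, so compare terms rather than substrings."""
    if "nltest.exe" not in cmdline.lower():
        return False
    terms = set(re.findall(r"[a-z0-9_]+", first_argument(cmdline)))
    return any(p in terms for p in NLTEST_PARAMETERS)

def floor_to_bin(ts):
    """bin(TimeGenerated, BinSize): round the timestamp down to the start of its 30-minute bucket."""
    return datetime.min + (ts - datetime.min) // BIN_SIZE * BIN_SIZE

def detect(events):
    """One row per (Computer, Account, bin) with TotalQueries >= THRESHOLD, like the summarize step."""
    groups = defaultdict(list)
    for ts, computer, account, cmdline in events:
        if is_interesting(cmdline):
            groups[(computer, account, floor_to_bin(datetime.fromisoformat(ts)))].append(cmdline)
    return [{"Computer": c, "Account": a, "Bin": b.isoformat(), "TotalQueries": len(cmds),
             "TotalUniqueQueries": len(set(cmds)), "Commands": sorted(set(cmds))}
            for (c, a, b), cmds in sorted(groups.items()) if len(cmds) >= THRESHOLD]
```

Running `detect(SAMPLE_EVENTS)` returns only the WS01/alice row: her three watched queries fall in one bin, while bob's third query lands in the next bin and so never reaches the threshold.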

## Details

Author: Bert-Jan Pals

Released: August 27, 2024

Tables: SecurityEvent

Keywords: SecurityEvents

Operators: let, pack_array, summarize, count, dcount, make_set, by, bin, where, tolower, has, extend, parse_command_line, has_any