Nltest Discovery Activities
Nltest Discovery
Query
let NLTestParameters = pack_array("dclist", "dcname", "dsgetdc", "dnsgetdc", "finduser", "domain_trusts", "dsquerydns");
let BinSize = 30m;
let Threshold = 3;
SecurityEvent
| where EventID == 4688
| where tolower(CommandLine) has "nltest.exe"
| extend ParsedCommandLine = tolower(parse_command_line(CommandLine, "windows")[1])
| where ParsedCommandLine has_any (NLTestParameters)
| summarize TotalQueries = count(), TotalUniqueQueries = dcount(CommandLine), Commands = make_set(CommandLine, 100) by Computer, Account, bin(TimeGenerated, BinSize)
| where TotalQueries >= ThresholdAbout this query
Nltest Discovery Activities
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1482 | Domain Trust Discovery | https://attack.mitre.org/techniques/T1482/ |
Description
The windows utility Nltest is known to be used by adversaries to enumerate domain trusts. This detection is based on Windows Security Event 4688 and triggers if more than 3 nltest queries are executed by a user on the same computer within 30 minutes. You can alter the variables yourself to tailor it to your environment.
In case you want to detect this behaviour with Defender For Endpoint, using the DeviceProcessEvents table, see: Nltest Discovery
Risk
Adverseries perform discovery activities on your network.
References
- https://attack.mitre.org/software/S0359/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
Sentinel
Explanation
This query is designed to detect potentially suspicious use of the nltest.exe utility on Windows systems, which adversaries might use to discover domain trust relationships within a network. Here's a simplified breakdown of what the query does:
-
Purpose: It aims to identify when a user executes more than three
nltestcommands on the same computer within a 30-minute window, which could indicate malicious activity. -
Technique: This activity is associated with the MITRE ATT&CK technique T1482, "Domain Trust Discovery."
-
Data Source: The query analyzes Windows Security Event logs, specifically looking at Event ID 4688, which logs process creation events.
-
Filtering:
- It filters events where the command line includes "nltest.exe".
- It further checks if the command line contains specific parameters related to domain trust discovery, such as "dclist", "dcname", "dsgetdc", etc.
-
Aggregation:
- It groups the data by computer, user account, and 30-minute time bins.
- It counts the total number of
nltestqueries and the number of unique queries executed.
-
Alert Condition:
- It triggers an alert if a user executes more than three
nltestcommands on the same computer within the specified time frame.
- It triggers an alert if a user executes more than three
This query helps security teams monitor and respond to potential reconnaissance activities by adversaries trying to map out domain trust relationships in a network.
