title: Potential Recon Activity Via Nltest.EXE id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248 related: - id: 410ad193-a728-4107-bc79-4419789fcbf8 type: similar - id: 903076ff-f442-475a-b667-4f246bcc203b type: similar - id: 77815820-246c-47b8-9741-e0def3f57308 type: obsolete status: test description: Detects nltest commands that can be used for information discovery references: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) - https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest author: Craig Young, oscd.community, Georg Lauenstein date: 2021-07-24 modified: 2023-12-15 tags: - attack.discovery - attack.t1016 - attack.t1482 logsource: category: process_creation product: windows detection: selection_nltest: - Image|endswith: '\nltest.exe' - OriginalFileName: 'nltestrk.exe' selection_recon: - CommandLine|contains|all: - 'server' - 'query' - CommandLine|contains: - '/user' - 'all_trusts' # Flag for /domain_trusts - 'dclist:' - 'dnsgetdc:' - 'domain_trusts' - 'dsgetdc:' - 'parentdomain' - 'trusted_domains' condition: all of selection_* falsepositives: - Legitimate administration use but user and host must be investigated level: medium