New

The executive guide to generative AI

Read more

Enumerating Domain Trusts via DSQUERY.EXE

edit

Enumerating Domain Trusts via DSQUERY.EXE

edit

Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*
  • endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Discovery
  • Elastic Endgame

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
process where host.os.type == "windows" and event.type == "start" and
    (process.name : "dsquery.exe" or process.pe.original_file_name: "dsquery.exe") and
    process.args : "*objectClass=trustedDomain*"

Framework: MITRE ATT&CKTM

Was this helpful?
Feedback