
DET0007 Detection of Domain Trust Discovery via API, Script, and CLI Enumeration

Item           Value
-------------  ---------------
ID             DET0007
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1482 (Domain Trust Discovery)

Analytics

Windows

AN0016

Adversary uses nltest, PowerShell, or the Win32/.NET API to enumerate domain trust relationships (via DSEnumerateDomainTrusts, GetAllTrustRelationships, or LDAP queries), followed by further discovery or authentication staging against the discovered trusts.

Log Sources

Data Component                           Name                    Channel
---------------------------------------  ----------------------  -------------
Process Creation (DC0032)                WinEventLog:Sysmon      EventCode=1
Module Load (DC0016)                     WinEventLog:Sysmon      EventCode=7
Process Access (DC0035)                  WinEventLog:Sysmon      EventCode=10
Command Execution (DC0064)               WinEventLog:PowerShell  Get-ADTrust
Active Directory Object Access (DC0071)  WinEventLog:Security    EventCode=4662

Mutable Elements

Field        Description
-----------  ---------------------------------------------------------------------------------------
ParentImage  Tune based on expected script hosts or authorized administrators invoking trust enumeration.
TimeWindow   Correlate enumeration + subsequent Kerberos activity or DC interaction within a bounded window.
UserContext  Prioritize detection for non-admin or unexpected user accounts performing enumeration.
API_Name     Flag uncommon or low-prevalence API calls like DSEnumerateDomainTrusts for inspection.
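The correlation AN0016 describes (trust enumeration, then Kerberos activity from the same user within the TimeWindow, tuned by ParentImage and UserContext), as an added Python example that is not part of the ATT&CK page. The event records, their simplified field names, the five-minute window, the allowlisted parent image and the admin account are constructed assumptions; Security event 4769 (Kerberos service ticket request) stands in for the "subsequent Kerberos activity".

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names are simplified stand-ins for Sysmon/Security/PowerShell fields.
EVENTS = [
    {"ts": "2025-10-21T10:00:00", "channel": "Sysmon", "code": 1, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\nltest.exe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "nltest /domain_trusts"},
    {"ts": "2025-10-21T10:00:40", "channel": "Security", "code": 4769, "user": "CORP\\jdoe",
     "image": "", "parent": "", "cmdline": ""},   # Kerberos TGS request 40 s later
    {"ts": "2025-10-21T11:00:00", "channel": "PowerShell", "code": 4104, "user": "CORP\\admin-svc",
     "image": "powershell.exe", "parent": "C:\\Program Files\\MgmtConsole\\console.exe",
     "cmdline": "Get-ADTrust -Filter *"},       # authorized console: suppressed via ParentImage
    {"ts": "2025-10-21T12:00:00", "channel": "PowerShell", "code": 4104, "user": "CORP\\admin-svc",
     "image": "powershell.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "Get-ADTrust -Filter *"},       # admin user, no follow-on Kerberos: low priority
]

# The page's mutable elements as tunable constants (assumed values for this example).
TIME_WINDOW = timedelta(minutes=5)                                  # TimeWindow
ALLOWED_PARENTS = {"c:\\program files\\mgmtconsole\\console.exe"}   # ParentImage allowlist
ADMIN_USERS = {"corp\\admin-svc"}                                   # UserContext

def is_trust_enumeration(ev):
    """Match the nltest and Get-ADTrust patterns named in the analytic description."""
    cmd = ev["cmdline"].lower()
    if ev["channel"] == "Sysmon" and ev["code"] == 1:
        return ev["image"].lower().endswith("nltest.exe") and "/domain_trusts" in cmd
    return ev["channel"] == "PowerShell" and "get-adtrust" in cmd

def correlate(events, window=TIME_WINDOW):
    """Emit one alert per enumeration event not excluded by ParentImage tuning; severity is
    high when the same user requests a Kerberos service ticket (Security 4769) within the
    window, otherwise it is derived from UserContext (admin -> low, anyone else -> medium)."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not is_trust_enumeration(ev) or ev["parent"].lower() in ALLOWED_PARENTS:
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        followed = any(
            e["channel"] == "Security" and e["code"] == 4769 and e["user"] == ev["user"]
            and t0 < datetime.fromisoformat(e["ts"]) <= t0 + window
            for e in events[i + 1:])
        severity = "high" if followed else ("low" if ev["user"].lower() in ADMIN_USERS else "medium")
        alerts.append({"user": ev["user"], "cmdline": ev["cmdline"],
                       "followed_by_kerberos": followed, "severity": severity})
    return alerts
```

Running `correlate(EVENTS)` yields two alerts: a high-severity one for the nltest run followed by Kerberos activity, and a low-severity one for the admin's Get-ADTrust from an unexpected parent; the allowlisted console invocation produces nothing.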