S0359 Nltest

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.¹

Techniques Used

Domain	ID	Name	Use
enterprise	T1482	Domain Trust Discovery	Nltest may be used to enumerate trusted domains by using commands such as `nltest /domain_trusts`.¹²
enterprise	T1018	Remote System Discovery	Nltest may be used to enumerate remote domain controllers using options such as `/dclist` and `/dsgetdc`.¹
enterprise	T1016	System Network Configuration Discovery	Nltest may be used to enumerate the parent domain of a local machine using `/parentdomain`.¹

ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019. ↩↩↩↩
Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019. ↩
Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. ↩
Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. ↩
Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020. ↩
The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. ↩
The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020. ↩
The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. ↩
Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. ↩
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. ↩