
S0359 Nltest

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[1]

| Item | Value |
|---|---|
| ID | S0359 |
| Associated Names | |
| Type | TOOL |
| Version | 1.3 |
| Created | 14 February 2019 |
| Last Modified | 25 September 2024 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1482 | Domain Trust Discovery | Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.[1][2] |
| enterprise | T1018 | Remote System Discovery | Nltest may be used to enumerate remote domain controllers using options such as /dclist and /dsgetdc.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Nltest may be used to enumerate the parent domain of a local machine using /parentdomain.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1040 | Play | [3] |
| G0102 | Wizard Spider | [5][10][8][9][6][4][7] |
| G1032 | INC Ransom | [11] |
| G1053 | Storm-0501 | Storm-0501 has used Windows native utility Nltest, e.g. nltest.exe, for discovery.[12] |
| G0061 | FIN8 | [13] |
| G1006 | Earth Lusca | [14] |
| G1017 | Volt Typhoon | [16][15] |

References


  1. ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019. 

  2. Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019. 

  3. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. 

  4. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.

  5. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  6. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020. 

  7. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. 

  8. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  9. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020. 

  10. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  11. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024. 

  12. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025. 

  13. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. 

  14. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  15. CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.

  16. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.