T1482 — Domain Trust Discovery

Technique

T1482

Tactics

Discovery

MISP citations

0

KEV CVEs mapped

2

Community rules

17

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1482

MITRE description

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2023-22952
• CVE-2022-41082

Detection coverage

SigmaHQ community rules

• Potential Active Directory Reconnaissance/Enumeration Via LDAP (core)
• DNS Server Discovery Via LDAP Query (core)
• BloodHound Collection Files (core)
• ADExplorer Writing Complete AD Snapshot Into .dat File (core)
• Malicious PowerShell Commandlets - PoshModule (core)
• Malicious PowerShell Commandlets - ScriptBlock (core)
• Domain Trust Discovery Via Dsquery (core)
• HackTool - Bloodhound/Sharphound Execution (core)
• HackTool - SharpView Execution (core)
• HackTool - TruffleSnout Execution (core)
• Nltest.EXE Execution (core)
• Potential Recon Activity Via Nltest.EXE (core)
• Malicious PowerShell Commandlets - ProcessCreation (core)
• PUA - AdFind Suspicious Execution (core)
• Renamed AdFind Execution (core)
• Active Directory Database Snapshot Via ADExplorer (core)
• Suspicious Active Directory Database Snapshot Via ADExplorer (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.