Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[1]
ID: S0359
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 14 February 2019
Last Modified: 09 August 2023
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1482 | Domain Trust Discovery | Nltest may be used to enumerate trusted domains by using commands such as |
Enterprise | T1018 | Remote System Discovery | Nltest may be used to enumerate remote domain controllers using options such as |
Enterprise | T1016 | System Network Configuration Discovery | Nltest may be used to enumerate the parent domain of a local machine using |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0102 | Wizard Spider | |
G0061 | FIN8 | |
G1006 | Earth Lusca | |
G1017 | Volt Typhoon |
References
1. ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.
2. Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.
3. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
4. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
5. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
6. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
7. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
8. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
9. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
10. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
11. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
12. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.