nltest.exe
- File Path:
C:\WINDOWS\system32\nltest.exe - Description: Microsoft Logon Server Test Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | 00D18272D5DAB3F31863D2E897664B56 |
| SHA1 | 76889E80EA82CD81686930EFF2E8CE82384D44FF |
| SHA256 | F40C2711925DF928FCC3CCE781296922741B3B585B71E41FC9FAA4404BD3C5E7 |
| SHA384 | 2228F8FD7C535BB91135548A89F54F6D25A88EC1C3A9151974DE908FA4A6959DC12471A922408EFF42EB066817A25FED |
| SHA512 | 3DE71D8E118C624EC686994876B5E0F807176B71114E85BBB63C31E967B68CE5C5559F09EB77BC1E26E9DAFBD753B8BB3383BED84178E28A5BCE4C2A8B8DD72D |
| SSDEEP | 3072:jMGbAr9gCQAVMWT/3Jemfd3CrSV1hTv6CXiE5OxG+5wkoJTrZxOgUoSZKg0LVSGD:jvbAfnIxjZO9UoiohJKi6KFC57BQ |
| IMP | 97476B99B5801A0CF4E2172400A1BF78 |
| PESHA1 | B8C09D702738163A3DEA18481A015DA124091284 |
| PE256 | A3803A9BB71C48DD8FA227354AEBE18E2780C627E2A664FB044870CF0E4169E5 |
Runtime Data
Usage (stderr):
Usage: nltest [/OPTIONS]
/SERVER:<ServerName> - Specify <ServerName>
/QUERY - Query <ServerName> netlogon service
/REPL - Force partial sync on <ServerName> BDC
/SYNC - Force full sync on <ServerName> BDC
/PDC_REPL - Force UAS change message from <ServerName> PDC
/SC_QUERY:<DomainName> - Query secure channel for <Domain> on <ServerName>
/SC_RESET:<DomainName>[\<DcName>] - Reset secure channel for <Domain> on <ServerName> to <DcName>
/SC_VERIFY:<DomainName> - Verify secure channel for <Domain> on <ServerName>
/SC_CHANGE_PWD:<DomainName> - Change a secure channel password for <Domain> on <ServerName>
/DCLIST:<DomainName> - Get list of DC's for <DomainName>
/DCNAME:<DomainName> - Get the PDC name for <DomainName>
/DSGETDC:<DomainName> - Call DsGetDcName /PDC /DS /DSP /GC /KDC
/TIMESERV /GTIMESERV /WS /NETBIOS /DNS /IP /FORCE /WRITABLE /AVOIDSELF /LDAPONLY /BACKG /DS_6 /DS_8 /DS_9 /DS_10
/KEYLIST /TRY_NEXT_CLOSEST_SITE /SITE:<SiteName> /ACCOUNT:<AccountName> /RET_DNS /RET_NETBIOS
/DNSGETDC:<DomainName> - Call DsGetDcOpen/Next/Close /PDC /GC
/KDC /WRITABLE /LDAPONLY /FORCE /SITESPEC
/DSGETFTI:<DomainName> - Call DsGetForestTrustInformation
/UPDATE_TDO
/DSGETSITE - Call DsGetSiteName
/DSGETSITECOV - Call DsGetDcSiteCoverage
/DSADDRESSTOSITE:[MachineName] - Call DsAddressToSiteNamesEx
/ADDRESSES:<Address1,Address2,...>
/PARENTDOMAIN - Get the name of the parent domain of this machine
/WHOWILL:<Domain>* <User> [<Iteration>] - See if <Domain> will log on <User>
/FINDUSER:<User> - See which trusted domain will log on <User>
/TRANSPORT_NOTIFY - Notify netlogon of new transport
/DBFLAG:<HexFlags> - New debug flag
/USER:<UserName> - Query User info on <ServerName>
/TIME:<Hex LSL> <Hex MSL> - Convert NT GMT time to ascii
/LOGON_QUERY - Query number of cumulative logon attempts
/DOMAIN_TRUSTS - Query domain trusts on <ServerName>
/PRIMARY /FOREST /DIRECT_OUT /DIRECT_IN /ALL_TRUSTS /V
/DSREGDNS - Force registration of all DC-specific DNS records
/DSDEREGDNS:<DnsHostName> - Deregister DC-specific DNS records for specified DC
/DOM:<DnsDomainName> /DOMGUID:<DomainGuid> /DSAGUID:<DsaGuid>
/DSQUERYDNS - Query the status of the last update for all DC-specific DNS records
/BDC_QUERY:<DomainName> - Query replication status of BDCs for <DomainName>
/LIST_DELTAS:<FileName> - display the content of given change log file
/CDIGEST:<Message> /DOMAIN:<DomainName> - Get client digest
/SDIGEST:<Message> /RID:<RID in hex> - Get server digest
/SHUTDOWN:<Reason> [<Seconds>] - Shutdown <ServerName> for <Reason>
/SHUTDOWN_ABORT - Abort a system shutdown
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\system32\nltest.exe |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: nltestrk.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: Unknown
Possible Misuse
The following table contains possible examples of nltest.exe being misused. While nltest.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_lolbas_execution_of_nltest.yml | title: Correct Execution of Nltest.exe |
DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. |
DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm |
DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts |
DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | ProcessName\|endswith: nltest.exe |
DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_recon_activity.yml | - '\nltest.exe' |
DRL 1.0 |
| sigma | proc_creation_win_nltest_recon.yml | title: Recon Activity with NLTEST |
DRL 1.0 |
| sigma | proc_creation_win_nltest_recon.yml | description: Detects nltest commands that can be used for information discovery |
DRL 1.0 |
| sigma | proc_creation_win_nltest_recon.yml | Image\|endswith: '\nltest.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \nltest.exe |
DRL 1.0 |
| sigma | proc_creation_win_trust_discovery.yml | description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. |
DRL 1.0 |
| sigma | proc_creation_win_trust_discovery.yml | Image\|endswith: '\nltest.exe' |
DRL 1.0 |
| LOLBAS | Nltest.yml | Name: Nltest.exe |
|
| LOLBAS | Nltest.yml | - Command: nltest.exe /SERVER:192.168.1.10 /QUERY |
|
| LOLBAS | Nltest.yml | - c:\windows\system32\nltest.exe |
|
| LOLBAS | Nltest.yml | - https://ss64.com/nt/nltest.html |
|
| atomic-red-team | index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn ipconfig /all, net config workstation, net view /all /domain, nltest /domain_trusts. Output will be via stdout. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | - Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | ## Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | nltest.exe /dclist:#{target_domain} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | <blockquote>Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)</blockquote> |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | - Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | ## Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | Uses the nltest command to discover domain trusts. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | ##### Description: nltest.exe from RSAT must be present on disk | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | WHERE nltest.exe >NUL 2>&1 | MIT License. © 2018 Red Canary |
| stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:%USERDOMAIN% |
Apache-2.0 |
| stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:$env:USERDOMAIN |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.