nltest.exe
- File Path:
C:\Windows\SysWOW64\nltest.exe
- Description: Microsoft Logon Server Test Utility
Hashes
Type | Hash |
---|---|
MD5 | 13CD652E2687C1B24DADC5FD219B0084 |
SHA1 | 7231A47E52C2603FD76440D9D0241A3AFCC3948B |
SHA256 | 246AABCEFCF3D661D6966FCBF09E70D6F0862AA51B696990331D073A3693F5F6 |
SHA384 | AEE5A614C54B3FBA67A03DB82045945583A3DF22FCEAB4FAD5BB37703974A639254A68678CEEB0D1C6FB03408E3CE383 |
SHA512 | AADCCE5B09803FCB1D8FE77B46B7E961277B708E9EB6F911917ACC9FA85AC3B5D691E116F3EC48DF87B18E6FD39CCD187EB6E2DB40299BC85D6A0D8762C742A1 |
SSDEEP | 12288:w1RT1sgeJ+VkOnALfueO+/WO+ueO+ueOdN:w1RT9ALfueO+/WO+ueO+ueOdN |
Runtime Data
Usage (stderr):
Usage: nltest [/OPTIONS]
/SERVER:<ServerName> - Specify <ServerName>
/QUERY - Query <ServerName> netlogon service
/REPL - Force partial sync on <ServerName> BDC
/SYNC - Force full sync on <ServerName> BDC
/PDC_REPL - Force UAS change message from <ServerName> PDC
/SC_QUERY:<DomainName> - Query secure channel for <Domain> on <ServerName>
/SC_RESET:<DomainName>[\<DcName>] - Reset secure channel for <Domain> on <ServerName> to <DcName>
/SC_VERIFY:<DomainName> - Verify secure channel for <Domain> on <ServerName>
/SC_CHANGE_PWD:<DomainName> - Change a secure channel password for <Domain> on <ServerName>
/DCLIST:<DomainName> - Get list of DC's for <DomainName>
/DCNAME:<DomainName> - Get the PDC name for <DomainName>
/DSGETDC:<DomainName> - Call DsGetDcName /PDC /DS /DSP /GC /KDC
/TIMESERV /GTIMESERV /WS /NETBIOS /DNS /IP /FORCE /WRITABLE /AVOIDSELF /LDAPONLY /BACKG /DS_6 /DS_8 /DS_9 /DS_10
/TRY_NEXT_CLOSEST_SITE /SITE:<SiteName> /ACCOUNT:<AccountName> /RET_DNS /RET_NETBIOS
/DNSGETDC:<DomainName> - Call DsGetDcOpen/Next/Close /PDC /GC
/KDC /WRITABLE /LDAPONLY /FORCE /SITESPEC
/DSGETFTI:<DomainName> - Call DsGetForestTrustInformation
/UPDATE_TDO
/DSGETSITE - Call DsGetSiteName
/DSGETSITECOV - Call DsGetDcSiteCoverage
/DSADDRESSTOSITE:[MachineName] - Call DsAddressToSiteNamesEx
/ADDRESSES:<Address1,Address2,...>
/PARENTDOMAIN - Get the name of the parent domain of this machine
/WHOWILL:<Domain>* <User> [<Iteration>] - See if <Domain> will log on <User>
/FINDUSER:<User> - See which trusted domain will log on <User>
/TRANSPORT_NOTIFY - Notify netlogon of new transport
/DBFLAG:<HexFlags> - New debug flag
/USER:<UserName> - Query User info on <ServerName>
/TIME:<Hex LSL> <Hex MSL> - Convert NT GMT time to ascii
/LOGON_QUERY - Query number of cumulative logon attempts
/DOMAIN_TRUSTS - Query domain trusts on <ServerName>
/PRIMARY /FOREST /DIRECT_OUT /DIRECT_IN /ALL_TRUSTS /V
/DSREGDNS - Force registration of all DC-specific DNS records
/DSDEREGDNS:<DnsHostName> - Deregister DC-specific DNS records for specified DC
/DOM:<DnsDomainName> /DOMGUID:<DomainGuid> /DSAGUID:<DsaGuid>
/DSQUERYDNS - Query the status of the last update for all DC-specific DNS records
/BDC_QUERY:<DomainName> - Query replication status of BDCs for <DomainName>
/LIST_DELTAS:<FileName> - display the content of given change log file
/CDIGEST:<Message> /DOMAIN:<DomainName> - Get client digest
/SDIGEST:<Message> /RID:<RID in hex> - Get server digest
/SHUTDOWN:<Reason> [<Seconds>] - Shutdown <ServerName> for <Reason>
/SHUTDOWN_ABORT - Abort a system shutdown
Loaded Modules:
Path |
---|
C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266
- Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: nltestrk.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\SysWOW64\nltest.exe | 74 |
C:\Windows\SysWOW64\nltest.exe | 55 |
C:\Windows\SysWOW64\nltest.exe | 72 |
Possible Misuse
The following table contains possible examples of nltest.exe
being misused. While nltest.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | win_lolbas_execution_of_nltest.yml | title: Correct Execution of Nltest.exe |
DRL 1.0 |
sigma | win_lolbas_execution_of_nltest.yml | description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. |
DRL 1.0 |
sigma | win_lolbas_execution_of_nltest.yml | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm |
DRL 1.0 |
sigma | win_lolbas_execution_of_nltest.yml | - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts |
DRL 1.0 |
sigma | win_lolbas_execution_of_nltest.yml | ProcessName\|endswith: nltest.exe |
DRL 1.0 |
sigma | proc_creation_win_malware_trickbot_recon_activity.yml | - '\nltest.exe' |
DRL 1.0 |
sigma | proc_creation_win_nltest_recon.yml | title: Recon Activity with NLTEST |
DRL 1.0 |
sigma | proc_creation_win_nltest_recon.yml | description: Detects nltest commands that can be used for information discovery |
DRL 1.0 |
sigma | proc_creation_win_nltest_recon.yml | Image\|endswith: '\nltest.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \nltest.exe |
DRL 1.0 |
sigma | proc_creation_win_trust_discovery.yml | description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. |
DRL 1.0 |
sigma | proc_creation_win_trust_discovery.yml | Image\|endswith: '\nltest.exe' |
DRL 1.0 |
LOLBAS | Nltest.yml | Name: Nltest.exe |
|
LOLBAS | Nltest.yml | - Command: nltest.exe /SERVER:192.168.1.10 /QUERY |
|
LOLBAS | Nltest.yml | - c:\windows\system32\nltest.exe |
|
LOLBAS | Nltest.yml | - https://ss64.com/nt/nltest.html |
|
atomic-red-team | index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn ipconfig /all , net config workstation , net view /all /domain , nltest /domain_trusts . Output will be via stdout. |
MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | - Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | ## Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | nltest.exe /dclist:#{target_domain} | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | <blockquote>Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)</blockquote> |
MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | - Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | ## Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | Uses the nltest command to discover domain trusts. | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | ##### Description: nltest.exe from RSAT must be present on disk | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | WHERE nltest.exe >NUL 2>&1 | MIT License. © 2018 Red Canary |
stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:%USERDOMAIN% |
Apache-2.0 |
stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:$env:USERDOMAIN |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.