nltest.exe
- File Path:
C:\Windows\system32\nltest.exe - Description: Microsoft Logon Server Test Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | D0F2751CA874BAFDB8A263BB1D2D1F87 |
| SHA1 | 0D4290A96E7B6C4883787BA44739B45AA4B59903 |
| SHA256 | 4E8AA26AD71243D13F7EC156C31ACBF1A0F1041303570E4E5CB910CC6D990567 |
| SHA384 | 60DA2F7E80A483FC1A2885FF5DB73355C4F41F8ACDBAFBA2E25C21F1E49F30B51EC61DF4E94DB604135F9B08AB128B66 |
| SHA512 | 68F4C2EFE149D6363D8CC051DE2C916C93D2BF10501A7920BE6757E5FC40E0B0D37967C56693103EF99F93816E99E7603030833CB21F17B895581C457CD8CAA6 |
| SSDEEP | 3072:a7Y8UIPeSjSfCo5VMWT/zJeOdrRrSH1rTvEXiEvFxG+5wIoJTrZPOdUoSn4g0LGN:a7DnsCkxjVOiUoYSKfSBuxPIF4VVT |
| IMP | 97476B99B5801A0CF4E2172400A1BF78 |
| PESHA1 | 1426D90AB12E46A701109E49B703092318274333 |
| PE256 | 2E9B660EA7C8BF6067B2E3E02DF7546E45FE9CF20E17BBCB8385C22A76C280E7 |
Runtime Data
Usage (stderr):
Usage: nltest [/OPTIONS]
/SERVER:<ServerName> - Specify <ServerName>
/QUERY - Query <ServerName> netlogon service
/REPL - Force partial sync on <ServerName> BDC
/SYNC - Force full sync on <ServerName> BDC
/PDC_REPL - Force UAS change message from <ServerName> PDC
/SC_QUERY:<DomainName> - Query secure channel for <Domain> on <ServerName>
/SC_RESET:<DomainName>[\<DcName>] - Reset secure channel for <Domain> on <ServerName> to <DcName>
/SC_VERIFY:<DomainName> - Verify secure channel for <Domain> on <ServerName>
/SC_CHANGE_PWD:<DomainName> - Change a secure channel password for <Domain> on <ServerName>
/DCLIST:<DomainName> - Get list of DC's for <DomainName>
/DCNAME:<DomainName> - Get the PDC name for <DomainName>
/DSGETDC:<DomainName> - Call DsGetDcName /PDC /DS /DSP /GC /KDC
/TIMESERV /GTIMESERV /WS /NETBIOS /DNS /IP /FORCE /WRITABLE /AVOIDSELF /LDAPONLY /BACKG /DS_6 /DS_8 /DS_9 /DS_10
/TRY_NEXT_CLOSEST_SITE /SITE:<SiteName> /ACCOUNT:<AccountName> /RET_DNS /RET_NETBIOS
/DNSGETDC:<DomainName> - Call DsGetDcOpen/Next/Close /PDC /GC
/KDC /WRITABLE /LDAPONLY /FORCE /SITESPEC
/DSGETFTI:<DomainName> - Call DsGetForestTrustInformation
/UPDATE_TDO
/DSGETSITE - Call DsGetSiteName
/DSGETSITECOV - Call DsGetDcSiteCoverage
/DSADDRESSTOSITE:[MachineName] - Call DsAddressToSiteNamesEx
/ADDRESSES:<Address1,Address2,...>
/PARENTDOMAIN - Get the name of the parent domain of this machine
/WHOWILL:<Domain>* <User> [<Iteration>] - See if <Domain> will log on <User>
/FINDUSER:<User> - See which trusted domain will log on <User>
/TRANSPORT_NOTIFY - Notify netlogon of new transport
/DBFLAG:<HexFlags> - New debug flag
/USER:<UserName> - Query User info on <ServerName>
/TIME:<Hex LSL> <Hex MSL> - Convert NT GMT time to ascii
/LOGON_QUERY - Query number of cumulative logon attempts
/DOMAIN_TRUSTS - Query domain trusts on <ServerName>
/PRIMARY /FOREST /DIRECT_OUT /DIRECT_IN /ALL_TRUSTS /V
/DSREGDNS - Force registration of all DC-specific DNS records
/DSDEREGDNS:<DnsHostName> - Deregister DC-specific DNS records for specified DC
/DOM:<DnsDomainName> /DOMGUID:<DomainGuid> /DSAGUID:<DsaGuid>
/DSQUERYDNS - Query the status of the last update for all DC-specific DNS records
/BDC_QUERY:<DomainName> - Query replication status of BDCs for <DomainName>
/LIST_DELTAS:<FileName> - display the content of given change log file
/CDIGEST:<Message> /DOMAIN:<DomainName> - Get client digest
/SDIGEST:<Message> /RID:<RID in hex> - Get server digest
/SHUTDOWN:<Reason> [<Seconds>] - Shutdown <ServerName> for <Reason>
/SHUTDOWN_ABORT - Abort a system shutdown
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: nltestrk.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/4e8aa26ad71243d13f7ec156c31acbf1a0f1041303570e4e5cb910cc6d990567/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\system32\nltest.exe | 80 |
| C:\Windows\system32\nltest.exe | 80 |
Possible Misuse
The following table contains possible examples of nltest.exe being misused. While nltest.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_lolbas_execution_of_nltest.yml | title: Correct Execution of Nltest.exe |
DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. |
DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm |
DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts |
DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | ProcessName\|endswith: nltest.exe |
DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_recon_activity.yml | - '\nltest.exe' |
DRL 1.0 |
| sigma | proc_creation_win_nltest_recon.yml | title: Recon Activity with NLTEST |
DRL 1.0 |
| sigma | proc_creation_win_nltest_recon.yml | description: Detects nltest commands that can be used for information discovery |
DRL 1.0 |
| sigma | proc_creation_win_nltest_recon.yml | Image\|endswith: '\nltest.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \nltest.exe |
DRL 1.0 |
| sigma | proc_creation_win_trust_discovery.yml | description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. |
DRL 1.0 |
| sigma | proc_creation_win_trust_discovery.yml | Image\|endswith: '\nltest.exe' |
DRL 1.0 |
| LOLBAS | Nltest.yml | Name: Nltest.exe |
|
| LOLBAS | Nltest.yml | - Command: nltest.exe /SERVER:192.168.1.10 /QUERY |
|
| LOLBAS | Nltest.yml | - c:\windows\system32\nltest.exe |
|
| LOLBAS | Nltest.yml | - https://ss64.com/nt/nltest.html |
|
| atomic-red-team | index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn ipconfig /all, net config workstation, net view /all /domain, nltest /domain_trusts. Output will be via stdout. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | - Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | ## Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | nltest.exe /dclist:#{target_domain} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | <blockquote>Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)</blockquote> |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | - Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | ## Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | Uses the nltest command to discover domain trusts. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | ##### Description: nltest.exe from RSAT must be present on disk | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | WHERE nltest.exe >NUL 2>&1 | MIT License. © 2018 Red Canary |
| stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:%USERDOMAIN% |
Apache-2.0 |
| stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:$env:USERDOMAIN |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.