nltest.exe
- File Path:
C:\windows\system32\nltest.exe
- Description: Microsoft Logon Server Test Utility
Hashes
Type | Hash |
---|---|
MD5 | EC65707D486B2B2B1E673465EE688921 |
SHA1 | 8BFE6AA98F49976AAADFBE4F25820F0C1EB0D8A9 |
SHA256 | 03AD844D4FB53D807E2D440A088E77FF3329F8817565CF097D06AC269E711BFF |
SHA384 | 019D3650407EC70D6C1CBEF33D1B8A94446C69C2E8F2F0FC1351312209A6A582D7B6D250BB28947561D9DF8AA7DC14D8 |
SHA512 | 46D38B67548BC82DBFF77EB9E7CCACF335E8031EE0575D23BD7025B150987C820670B901494F611ACEDA1370CC4D1BAC478BC3DB4CB367A79CD1CDBBB33F06DF |
SSDEEP | 3072:NacVMWT/DOsy5mR5Sw1sTwtXiEy2xL+5oIoJTxOXUWShgML2N09WEfgdOcQWIQPP:s9mxC17UW662ZFQ+Mv/9Zsd+rYjKZ |
Signature
- Status: The file C:\windows\system32\nltest.exe is not digitally signed.
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: nltestrk.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of nltest.exe being misused. While nltest.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | win_lolbas_execution_of_nltest.yml | title: Correct Execution of Nltest.exe | DRL 1.0 |
sigma | win_lolbas_execution_of_nltest.yml | description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. | DRL 1.0 |
sigma | win_lolbas_execution_of_nltest.yml | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm | DRL 1.0 |
sigma | win_lolbas_execution_of_nltest.yml | - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts | DRL 1.0 |
sigma | win_lolbas_execution_of_nltest.yml | ProcessName\|endswith: nltest.exe | DRL 1.0 |
sigma | proc_creation_win_malware_trickbot_recon_activity.yml | - '\nltest.exe' | DRL 1.0 |
sigma | proc_creation_win_nltest_recon.yml | title: Recon Activity with NLTEST | DRL 1.0 |
sigma | proc_creation_win_nltest_recon.yml | description: Detects nltest commands that can be used for information discovery | DRL 1.0 |
sigma | proc_creation_win_nltest_recon.yml | Image\|endswith: '\nltest.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \nltest.exe | DRL 1.0 |
sigma | proc_creation_win_trust_discovery.yml | description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. | DRL 1.0 |
sigma | proc_creation_win_trust_discovery.yml | Image\|endswith: '\nltest.exe' | DRL 1.0 |
LOLBAS | Nltest.yml | Name: Nltest.exe | |
LOLBAS | Nltest.yml | - Command: nltest.exe /SERVER:192.168.1.10 /QUERY | |
LOLBAS | Nltest.yml | - c:\windows\system32\nltest.exe | |
LOLBAS | Nltest.yml | - https://ss64.com/nt/nltest.html | |
atomic-red-team | index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn ipconfig /all , net config workstation , net view /all /domain , nltest /domain_trusts . Output will be via stdout. | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | - Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | ## Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | nltest.exe /dclist:#{target_domain} | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | <blockquote>Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | - Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | ## Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | Uses the nltest command to discover domain trusts. | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | ##### Description: nltest.exe from RSAT must be present on disk | MIT License. © 2018 Red Canary |
atomic-red-team | T1482.md | WHERE nltest.exe >NUL 2>&1 | MIT License. © 2018 Red Canary |
stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:%USERDOMAIN% | Apache-2.0 |
stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:$env:USERDOMAIN | Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.