nltest.exe
- File Path: C:\Windows\SysWOW64\nltest.exe
- Description: Microsoft Logon Server Test Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | F501EFB48F9A5B14626726FE29CD27F9 |
| SHA1 | 644B1958D82D5528C30FB1CD29EEBC9690E1FB6F |
| SHA256 | 67667BE06E369FD7B62328BFE70DE34C34B40C2FA5837A8D241D59B37822ECC1 |
| SHA384 | 7912B2A2EF70E914DAF038E4FB4E59AE9798CB628BA90B01E1EAB5CAD21D9936F801AB5D16C1C45F04A1029FF7221BF5 |
| SHA512 | DF4C285D58E65D5D7421C366A44CA26539F235C1029BBFC278D6C462C0DEBCB2A88E99D2708DA871B36A9FF9017DDB578788E7306500C6A4BC712CDCEECBE4FF |
| SSDEEP | 12288:y0RT1sBTBUg3UdrueO+XWO+ueO+ueOdN:y0RT23UdrueO+XWO+ueO+ueOdN |
| IMP | B327F2B9F5DCA387FF8B86B4D729F08B |
| PESHA1 | 5D6184EA7E2FD6E1EBD47A9419326F32DF3719A9 |
| PE256 | 0898DA16CAC8BB4CA59305414C2B4C0DAA738CE92A47CF5FDE3EFAFEF80F0A91 |
Runtime Data
Usage (stderr):
Usage: nltest [/OPTIONS]
/SERVER:<ServerName> - Specify <ServerName>
/QUERY - Query <ServerName> netlogon service
/REPL - Force partial sync on <ServerName> BDC
/SYNC - Force full sync on <ServerName> BDC
/PDC_REPL - Force UAS change message from <ServerName> PDC
/SC_QUERY:<DomainName> - Query secure channel for <Domain> on <ServerName>
/SC_RESET:<DomainName>[\<DcName>] - Reset secure channel for <Domain> on <ServerName> to <DcName>
/SC_VERIFY:<DomainName> - Verify secure channel for <Domain> on <ServerName>
/SC_CHANGE_PWD:<DomainName> - Change a secure channel password for <Domain> on <ServerName>
/DCLIST:<DomainName> - Get list of DC's for <DomainName>
/DCNAME:<DomainName> - Get the PDC name for <DomainName>
/DSGETDC:<DomainName> - Call DsGetDcName /PDC /DS /DSP /GC /KDC
/TIMESERV /GTIMESERV /WS /NETBIOS /DNS /IP /FORCE /WRITABLE /AVOIDSELF /LDAPONLY /BACKG /DS_6 /DS_8 /DS_9 /DS_10
/TRY_NEXT_CLOSEST_SITE /SITE:<SiteName> /ACCOUNT:<AccountName> /RET_DNS /RET_NETBIOS
/DNSGETDC:<DomainName> - Call DsGetDcOpen/Next/Close /PDC /GC
/KDC /WRITABLE /LDAPONLY /FORCE /SITESPEC
/DSGETFTI:<DomainName> - Call DsGetForestTrustInformation
/UPDATE_TDO
/DSGETSITE - Call DsGetSiteName
/DSGETSITECOV - Call DsGetDcSiteCoverage
/DSADDRESSTOSITE:[MachineName] - Call DsAddressToSiteNamesEx
/ADDRESSES:<Address1,Address2,...>
/PARENTDOMAIN - Get the name of the parent domain of this machine
/WHOWILL:<Domain>* <User> [<Iteration>] - See if <Domain> will log on <User>
/FINDUSER:<User> - See which trusted domain will log on <User>
/TRANSPORT_NOTIFY - Notify netlogon of new transport
/DBFLAG:<HexFlags> - New debug flag
/USER:<UserName> - Query User info on <ServerName>
/TIME:<Hex LSL> <Hex MSL> - Convert NT GMT time to ascii
/LOGON_QUERY - Query number of cumulative logon attempts
/DOMAIN_TRUSTS - Query domain trusts on <ServerName>
/PRIMARY /FOREST /DIRECT_OUT /DIRECT_IN /ALL_TRUSTS /V
/DSREGDNS - Force registration of all DC-specific DNS records
/DSDEREGDNS:<DnsHostName> - Deregister DC-specific DNS records for specified DC
/DOM:<DnsDomainName> /DOMGUID:<DomainGuid> /DSAGUID:<DsaGuid>
/DSQUERYDNS - Query the status of the last update for all DC-specific DNS records
/BDC_QUERY:<DomainName> - Query replication status of BDCs for <DomainName>
/LIST_DELTAS:<FileName> - display the content of given change log file
/CDIGEST:<Message> /DOMAIN:<DomainName> - Get client digest
/SDIGEST:<Message> /RID:<RID in hex> - Get server digest
/SHUTDOWN:<Reason> [<Seconds>] - Shutdown <ServerName> for <Reason>
/SHUTDOWN_ABORT - Abort a system shutdown
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: nltestrk.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: Unknown
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\SysWOW64\nltest.exe | 72 |
| C:\Windows\SysWOW64\nltest.exe | 72 |
| C:\Windows\SysWOW64\nltest.exe | 54 |
Possible Misuse
The following table contains possible examples of nltest.exe being misused. While nltest.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_lolbas_execution_of_nltest.yml | title: Correct Execution of Nltest.exe | DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. | DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm | DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts | DRL 1.0 |
| sigma | win_lolbas_execution_of_nltest.yml | ProcessName\|endswith: nltest.exe | DRL 1.0 |
| sigma | proc_creation_win_malware_trickbot_recon_activity.yml | - '\nltest.exe' | DRL 1.0 |
| sigma | proc_creation_win_nltest_recon.yml | title: Recon Activity with NLTEST | DRL 1.0 |
| sigma | proc_creation_win_nltest_recon.yml | description: Detects nltest commands that can be used for information discovery | DRL 1.0 |
| sigma | proc_creation_win_nltest_recon.yml | Image\|endswith: '\nltest.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \nltest.exe | DRL 1.0 |
| sigma | proc_creation_win_trust_discovery.yml | description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. | DRL 1.0 |
| sigma | proc_creation_win_trust_discovery.yml | Image\|endswith: '\nltest.exe' | DRL 1.0 |
| LOLBAS | Nltest.yml | Name: Nltest.exe | |
| LOLBAS | Nltest.yml | - Command: nltest.exe /SERVER:192.168.1.10 /QUERY | |
| LOLBAS | Nltest.yml | - c:\windows\system32\nltest.exe | |
| LOLBAS | Nltest.yml | - https://ss64.com/nt/nltest.html | |
| atomic-red-team | index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Remote System Discovery - nltest [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn ipconfig /all , net config workstation , net view /all /domain , nltest /domain_trusts . Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | - Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | ## Atomic Test #3 - Remote System Discovery - nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | nltest.exe /dclist:#{target_domain} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | <blockquote>Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)</blockquote> | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | - Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | ## Atomic Test #2 - Windows - Discover domain trusts with nltest | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | Uses the nltest command to discover domain trusts. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | nltest /domain_trusts | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | ##### Description: nltest.exe from RSAT must be present on disk | MIT License. © 2018 Red Canary |
| atomic-red-team | T1482.md | WHERE nltest.exe >NUL 2>&1 | MIT License. © 2018 Red Canary |
| stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:%USERDOMAIN% | Apache-2.0 |
| stockpile | 26c8b8b5-7b5b-4de1-a128-7d37fb14f517.yml | nltest /dsgetdc:$env:USERDOMAIN | Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.