MATCH-S00181.md

Rules: Windows - Domain Trust Discovery

Description

Suspicious Domain Trust Discovery Activity - T1482

Additional Details

| Detail | Value |
| --- | --- |
| Type | Templated Match |
| Category | Discovery |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | Possible Domain Trust Discovery Activity From {{device_hostname}} |
| Summary Expression | Observed domain trust discovery activity on host: {{device_hostname}} |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0007, _mitreAttackTechnique:T1482 |

Vendors and Products

Fields Used

| Origin | Field |
| --- | --- |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | listMatches |
| Normalized Schema | user_username |