From 92b72ffdc19128d876f178fd3e660cdd93e27215 Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Wed, 18 Aug 2021 20:45:18 +0000
Subject: [PATCH] Update win_nltest_query.yml

modification based on new reports
1.https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) -> for (selection_recon1 and seletion_recon2")
2.https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters -> nltest example
3.MITRE reference just for reference to MITRE to gain more insights
4.https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/ -> new Report about Trickbot with reference and usage of "nltest" therefore I included the option in this rule
---
 .../process_creation/win_nltest_query.yml | 51 ++++++++++++-------
 1 file changed, 34 insertions(+), 17 deletions(-)

diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml
index b42648cc4..2a095dbab 100644
--- a/rules/windows/process_creation/win_nltest_query.yml
+++ b/rules/windows/process_creation/win_nltest_query.yml
@@ -1,24 +1,41 @@
-title: Nltest Credential Hash Theft
-id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
-description: Detects nltest query commands which may leak credential hashes
+title: Nltest Usage
+description: Detects nltest commands that can be used for information discovery
 references:
- - https://twitter.com/sysopfb/status/986799053668139009
- - https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml
-date: 2018/04/18
-modified: 2021/01/05
-tags:
- - attack.credential_access
- - attack.t1003
+- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
+- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
+- https://attack.mitre.org/techniques/T1482/
+- https://attack.mitre.org/techniques/T1016/
+- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
 status: experimental
-author: Craig Young, oscd.community
+author: Craig Young, oscd.community, Georg Lauenstein
+date: 2021/07/24
+modified: 2021/08/17
+tags: - attack.discovery - attack.T1016 - attack.T1482
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
+ selection_nltest:
 Image|endswith: '\nltest.exe'
- CommandLine|contains: '\query'
- condition: selection
+ selection_recon1:
+ CommandLine|contains|all: - '/server' - '/query'
+ selection_recon2:
+ CommandLine|startswith: - '/dclist:' - '/parentdomain' - '/domain_trusts' - '/user'
+ condition: selection_nltest AND (selection_recon1 OR selection_recon2)
 falsepositives:
- - Legitimate administration
+ - To be determined
 level: medium
+fields: - Image - User - CommandLine - ParentCommandLine
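Review bot: `selection_recon2` uses `CommandLine|startswith` with values such as `/dclist:` and `/domain_trusts`, but a process_creation CommandLine begins with the executable path or name rather than its first argument, so this branch cannot match and only `selection_recon1` ever fires; the modifier should be `CommandLine|contains:`. The hunk also deletes `id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248` without adding a replacement, so the rewritten rule has no `id` line at all, and it resets `date` to 2021/07/24 for a rule that has existed since 2018/04/18 — keep the original `date` and let `modified` carry the update. The condition keywords `AND`/`OR` and the tags `attack.T1016`/`attack.T1482` are upper-cased where the rest of the rule set writes `condition: selection_nltest and (selection_recon1 or selection_recon2)` and `attack.t1016`, which I believe some backends and the tag checks treat case-sensitively. Replacing `Legitimate administration` in falsepositives with `To be determined` loses the one known benign case — administrators query DC lists and trusts with nltest routinely — so I would keep that entry to guide triage.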