title: Nltest Credential Hash Theft
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
description: Detects nltest query commands which may leak credential hashes
references:
    - https://twitter.com/sysopfb/status/986799053668139009
    - https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml
date: 2018/04/18
modified: 2021/01/05
tags:
    - attack.credential_access
    - attack.t1003
status: experimental
author: Craig Young, oscd.community
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\nltest.exe'
        CommandLine|contains: '\query'
    condition: selection
falsepositives:
    - Legitimate administration
level: medium