Nltest

Malware

⚠️ Overview

Nltest (Netlogon Test) is a legitimate Microsoft Windows command-line utility introduced in Windows 2000, but it has been extensively weaponized by threat actors as a Living-Off-the-Land binary (LOLBin) for post-exploitation reconnaissance. First publicly observed in a malicious context during the 2016 Democratic National Committee breach attributed to APT29 (Cozy Bear), it belongs to the category of dual-use tools employed for domain enumeration and preparation for lateral movement. No dedicated threat group operates Nltest; it is a native binary abused by numerous adversaries, including ransomware affiliates, state-sponsored actors, and cybercriminal groups.

🔧 Technical Capabilities

Nltest uses standard Windows API calls such as DsGetDcName and DsEnumerateDomainTrusts to query Active Directory domain controllers, enumerate trust relationships, verify secure channel status, and retrieve Kerberos tickets. It has no command-and-control (C2) infrastructure of its own; attackers execute it interactively through remote shells (e.g., PsExec, WinRM) or within scripts delivered through initial access vectors such as phishing or vulnerability exploitation. Persistence is not inherent: Nltest is typically run as a one-off reconnaissance tool before the actual payload is deployed. Evasion comes from Microsoft's digital signature, which lets the binary pass application whitelisting and endpoint detection rules that trust signed Microsoft binaries. Attackers commonly pass arguments such as /domain_trusts, /dcname:target, and /dsgetdc to map network topology, while the /server and /query flags help identify domain controllers and trust directions.

📜 History & Notable Incidents

Nltest was first weaponized in the 2016 APT29 campaign against the Democratic National Committee (DNC), as documented by cybersecurity firm CrowdStrike, where it was used to enumerate domain trusts. In the 2020 SolarWinds supply chain attack, attackers employed Nltest to discover domain relationships before deploying TEARDROP and RAINDROP malware (FireEye, 2020). The Ryuk ransomware group (2019) and Conti ransomware (2021) also relied on Nltest to map trust paths for lateral movement (CISA Alert AA20-302A, 2020). No CVEs are associated with the binary itself because it is a legitimate tool; however, the technique is mapped to MITRE ATT&CK T1087.002 (Account Discovery: Domain Account) and T1018 (Remote System Discovery).

🔍 Detection Indicators

Behavioral indicators include process creation events (Sysmon Event ID 1) showing nltest.exe executing with arguments containing /domain_trusts or /dsgetdc from unusual parent processes (e.g., wscript.exe, powershell.exe). Network IOCs are rare; instead, look for DNS queries for _ldap._tcp.dc._msdcs.<domain> that precede Nltest execution. Legitimate Nltest file hashes vary by OS version; Microsoft publishes a SHA1 hash for each build. Registry keys and mutex names are not specific to Nltest abuse, and User-Agent strings are not relevant because the tool runs locally. Detection rules (e.g., Sigma rule proc_creation_win_nltest_trust_query) can alert on command-line patterns.
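The command-line and parent-process indicators described above can be turned into a small detection routine. The following Python example is added here as an illustration; it is not code from the original page, from Microsoft, or from any detection vendor. It runs over a handful of constructed Sysmon Event ID 1 records (made up for this example, not real telemetry), flags nltest.exe invocations whose command line carries a trust- or domain-controller-enumeration switch, and raises the severity when the parent process is a scripting host or shell. The additional switches /dclist and /all_trusts, the list of suspicious parents beyond wscript.exe and powershell.exe, and the two-level severity scheme are assumptions that should be tuned to the environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample Sysmon Event ID 1 (process creation) records, flattened to
# key=value text. These lines are made up for this example and are not real
# telemetry from any incident.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\nltest.exe CommandLine="nltest /domain_trusts /all_trusts" ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User=CORP\jdoe',
    r'EventID=1 Image=C:\Windows\System32\nltest.exe CommandLine="nltest /dsgetdc:corp.local" ParentImage=C:\Windows\System32\cmd.exe User=CORP\admin01',
    r'EventID=1 Image=C:\Windows\System32\nltest.exe CommandLine="nltest /dsgetdc:corp.local" ParentImage=C:\Windows\System32\wscript.exe User=CORP\jdoe',
    r'EventID=1 Image=C:\Windows\System32\nltest.exe CommandLine="nltest /sc_query:corp.local" ParentImage=C:\Windows\System32\cmd.exe User=CORP\admin01',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" ParentImage=C:\Windows\explorer.exe User=CORP\jdoe',
]

# Switches associated with domain/trust enumeration. /domain_trusts and
# /dsgetdc are the ones named in the text; /dclist and /all_trusts are further
# real nltest switches with the same purpose (an assumption of this example).
RECON_SWITCHES = ("/domain_trusts", "/dsgetdc", "/dclist", "/all_trusts")

# Parent processes from which nltest use is unexpected. wscript.exe and
# powershell.exe come from the text; the rest are an assumption to be tuned.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse a flattened key=value event line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    severity: str
    user: str
    parent: str
    command_line: str


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the event is an nltest trust/DC enumeration, else None."""
    if event.get("EventID") != "1":
        return None
    if basename(event.get("Image", "")) != "nltest.exe":
        return None
    cmd = event.get("CommandLine", "")
    if not any(sw in cmd.lower() for sw in RECON_SWITCHES):
        return None  # e.g. /sc_query, a routine secure-channel check
    parent = basename(event.get("ParentImage", ""))
    severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
    return Finding(severity, event.get("User", "?"), parent, cmd)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run evaluate() over raw event lines and collect the findings in order."""
    findings: List[Finding] = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.user} parent={f.parent} cmd={f.command_line}")
```

Of the five constructed records, three are flagged: the /domain_trusts call under powershell.exe and the /dsgetdc call under wscript.exe score high, the /dsgetdc call from an administrator's cmd.exe scores medium, and the /sc_query secure-channel check is left alone because it is routine administrative use. The medium tier is where environment-specific allow-listing (admin jump hosts, known maintenance accounts) belongs.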

☠️ Risk & Impact

Nltest itself does not cause data exfiltration or encryption but enables attackers to map trust relationships, leading to lateral movement and privilege escalation. In the SolarWinds incident, Nltest reconnaissance contributed to the compromise of multiple U.S. government agencies and Fortune 500 companies, with financial losses exceeding $100 million. The tool is heavily used in ransomware campaigns; for example, Ryuk’s use of Nltest to find trust paths allowed encryption of 200+ organizations in 2019–2020 (CISA/MS-ISAC). Impact is multiplied when used against federated or multi-domain environments.

🛡️ Mitigation

Restrict execution of nltest.exe to administrative users only via Software Restriction Policies or AppLocker. Deploy Sysmon to log command-line arguments and alert on anomalous invocations from non-interactive processes (e.g., scheduled tasks, remote shells). Enable Windows Event Logs (Event ID 4662) for Active Directory access and monitor for unusual trust enumeration patterns. Use Sigma rules and MITRE ATT&CK mappings (T1087.002) for SIEM correlation, and apply the principle of least privilege to domain accounts to limit the value of reconnaissance.
