1. Home
  2. Software
  3. Nltest

Nltest

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[1]

ID: S0359
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 14 February 2019
Last Modified: 07 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1482 Domain Trust Discovery

Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.[1][2]
Enterprise T1018 Remote System Discovery

Nltest may be used to enumerate remote domain controllers using options such as /dclist and /dsgetdc.[1]
Enterprise T1016 System Network Configuration Discovery

Nltest may be used to enumerate the parent domain of a local machine using /parentdomain.[1]

Groups That Use This Software

ID Name References
G0102 Wizard Spider

[3][4][5][6][7][8]
G0061 FIN8

[9]

References

  1. ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.
  2. Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.
  3. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  4. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  5. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  1. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  2. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  3. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  4. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.