
Domain Trust Discovery Via Dsquery

Detects execution of "dsquery.exe" for domain trust discovery

Authors: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
Created: Thu Oct 24
Updated: Thu Feb 02
Rule ID: 3bad990e-4848-4a78-9530-b427d854aac0
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith: '\dsquery.exe'
        - OriginalFileName: 'dsquery.exe'
    selection_cli:
        CommandLine|contains: 'trustedDomain'
    condition: all of selection_*
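To make the rule's semantics concrete, the following is an added example (not code from the Sigma project or the rule authors) that re-implements the two selectors and the `all of selection_*` condition in Python and runs them over constructed Sysmon Event ID 1 style events. It assumes the Sigma default that string modifiers such as `endswith` and `contains` match case-insensitively, and that a list under a selector is an OR.

```python
# Added example, not part of the Sigma rule or project. Evaluates this rule's
# detection logic over constructed process-creation events.
from typing import Dict, List, Optional


def _lower(value: Optional[str]) -> str:
    # Sigma string matching is case-insensitive by default, so normalise both sides.
    return value.lower() if value is not None else ""


def selection_img(event: Dict[str, str]) -> bool:
    # A list under a selector is an OR: match on the image path suffix, or on the
    # PE header's OriginalFileName, which still says dsquery.exe if the binary was renamed.
    return (_lower(event.get("Image")).endswith(r"\dsquery.exe")
            or _lower(event.get("OriginalFileName")) == "dsquery.exe")


def selection_cli(event: Dict[str, str]) -> bool:
    # CommandLine|contains: 'trustedDomain'
    return "trusteddomain" in _lower(event.get("CommandLine"))


def matches_rule(event: Dict[str, str]) -> bool:
    # condition: all of selection_*  ->  every selection_* selector must hold
    return selection_img(event) and selection_cli(event)


# Constructed sample events (field names follow Sysmon Event ID 1); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\dsquery.exe", "OriginalFileName": "dsquery.exe",
     "CommandLine": 'dsquery * -filter "(objectClass=trustedDomain)" -attr *'},
    # Renamed copy with mixed-case argument: caught via OriginalFileName + case folding.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "dsquery.exe",
     "CommandLine": "svc.exe * -filter (objectclass=TRUSTEDDOMAIN)"},
    # dsquery used for something other than trust enumeration: no match.
    {"Image": r"C:\Windows\System32\dsquery.exe", "OriginalFileName": "dsquery.exe",
     "CommandLine": "dsquery user -name jdoe"},
    # Keyword present but not dsquery: no match, the rule requires both selectors.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo trustedDomain"},
]


def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[int]:
    """Return the indices of events this rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(run())  # → [0, 1]
```

The renamed-binary case is why `OriginalFileName` is included alongside `Image`; a backend that does not populate that field will only see the path-based half of `selection_img`.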
False Positives

Legitimate use of the utility by a legitimate user for a legitimate reason (for example, administrators auditing trust relationships)

Testing & Validation

Simulations

Atomic Red Team: T1482

Windows - Discover domain trusts with dsquery

GUID: 4700a710-c821-4e17-a3ec-9e4c81d6845f

Regression Tests

Positive Detection Test (by SigmaHQ Team): 1 match, evtx sample
Source: Microsoft-Windows-Sysmon

Related Rules
Similar: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b (rule not found)
Similar: 77815820-246c-47b8-9741-e0def3f57308 (rule not found)
Rule Metadata
Rule ID: 3bad990e-4848-4a78-9530-b427d854aac0
Status: test
Level: medium
Type: Detection
Created: Thu Oct 24
Modified: Thu Feb 02
Path: rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml
Raw Tags: attack.discovery, attack.t1482