```yaml
title: Domain Trust Enumeration via Nltest
id: edr-win-disc-nltest-domain-trusts
status: stable
description: >
  Detects nltest.exe with /trusted_domains or /domain_trusts arguments.
  Used by operators to map domain trust relationships for lateral movement
  planning. Observed across Akira, Qilin, SocGholish, and Chaos intrusions.
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
  - https://blog.talosintelligence.com/new-chaos-ransomware/
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.discovery
  - attack.t1482
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\nltest.exe'
    CommandLine|contains:
      - '/trusted_domains'
      - '/domain_trusts'
  condition: selection
falsepositives:
  - Domain trust auditing scripts run by IT
level: high
```
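Added example, not part of the original rule or its author's tooling: a minimal Python evaluator for this rule's `selection`, run over constructed process-creation events to check what the rule does and does not match before it is deployed. It assumes Sigma's default semantics (case-insensitive string matching, list values ORed, fields within a selection ANDed); the event ids, paths and `corp.example` domain are constructed.

```python
"""Evaluate the rule's selection against constructed process_creation events."""

# Selection copied from the rule above: 'Field|modifier' -> list of patterns.
SELECTION = {
    "Image|endswith": [r"\nltest.exe"],
    "CommandLine|contains": ["/trusted_domains", "/domain_trusts"],
}


def field_matches(key, patterns, event):
    """Apply one 'Field|modifier' entry; any pattern in the list may match (OR)."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()  # assumed: Sigma matching ignores case
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "contains" and p in value:
            return True
    return False


def rule_matches(event):
    """All entries of the selection must match (AND); condition is 'selection'."""
    return all(field_matches(k, v, event) for k, v in SELECTION.items())


# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"id": 2, "Image": r"C:\Windows\System32\NLTEST.EXE",      # upper-case variant
     "CommandLine": "NLTEST.EXE /TRUSTED_DOMAINS"},
    {"id": 3, "Image": r"C:\Windows\System32\nltest.exe",      # other nltest usage
     "CommandLine": "nltest /dclist:corp.example"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",         # shell wrapper event
     "CommandLine": "cmd.exe /c nltest /domain_trusts"},
    {"id": 5, "CommandLine": "nltest /domain_trusts"},         # Image field missing
]


def matching_events(events):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(matching_events(EVENTS))
```

Event 4 does not alert because the `Image` condition fails on the `cmd.exe` wrapper; the alert comes from the child `nltest.exe` process event, so the log source must record that process creation with its full command line.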