T1482: T1482

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 14/02/2019 17:15 · Modified 20/04/2026 18:53

Essential information

MITRE technique ID: T1482
Confidence: 100/100
Revoked: No
Published: 14/02/2019 17:15
Modified: 20/04/2026 18:53
Author / Source: The MITRE Corporation

Aliases

Domain Trust Discovery

Platforms

windows

Description

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

Kill chain phases

Kill chain	Phase
mitre-attack	discovery

Marking (TLP)

External references

Microsoft Operation Wilysupply
Microsoft GetAllTrustRelationships
Microsoft Trusts
Harmj0y Domain Trusts
mitre-attack (T1482)
AdSecurity Forging Trust Tickets

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (39)

Earth Estries related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Erudite Mogwai related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0163, Rhysida, Vanilla Tempest, TAG-124, ITG23 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lunar Spider related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Muddled Libra related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Qilin related

Ransomware.Live Confidence 100

Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
RansomHub related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0501 related

The MITRE Corporation Confidence 100

[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA551 related GOLD CABINShathak

The MITRE Corporation Confidence 100

[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UAT-8302 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5518 and UNC5774 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC961 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

25–36 of 39

PhantomHeart uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DUSTTRAP uses

Family
CloudSorcerer uses

Family
MISTCLOAK uses
Cloudflared uses

Family
Bumblebee - S1039 uses

Family
VBCloud uses

Family
Meterpreter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bumblebee uses
ShadyHammock uses

Family
PySoxy uses

Family
WINDYTWIST.SEA uses

Family

← Previous

Page / 7

49–60 of 78

Interlock and Rhysida within the Ransomware Ecosystem related

2 CVEs 22 MITREs 24 Malwares 102 Observables 1 APT
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor related

19 MITREs 2 Malwares 2 Observables 1 APT
Cloud Atlas activity in the second half of … related

3 CVEs 20 MITREs 8 Malwares 17 Observables 1 APT
ClickFix Evolves with PySoxy Proxying related

20 MITREs 1 Malware 2 Observables
Flash Alert: EtherRat and TukTuk C2 End in … related

AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
UAT-8302 and its box full of malware related

3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
A Peek Into Muddled Libra's Operational Playbook related

25 MITREs 4 Observables 1 APT
ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) related

15 MITREs
A New Threat Actor Targeting Geopolitical Hotbeds related

11 MITREs 2 Malwares 1 APT
Hide Your RDP: Password Spray Leads to RansomHub … related

25 MITREs 2 Malwares 9 Observables 1 APT
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers … related

14 MITREs 1 Malware 1 APT

← Previous

Page / 3

1–12 of 30

Vulnerabilities (CVE) (21)

CVE-2024-50623 KEV targets

9.8 Critical

Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …

Attack vector: Network
Published: 13/12/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-34527 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2018-0802 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-1675 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-41244 KEV targets

7.8 High

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges …

Attack vector: Local
Published: 30/10/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2022-30190 KEV targets

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

CVE-2024-27199 KEV targets

7.3 High

JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

Attack vector: NETWORK
Complexity: LOW
Published: 04/03/2024
Modified: 22/04/2026

CWE-23 CWE-22

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2023-36036 KEV targets

7.8 High

Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges.

Attack vector: Local
Published: 14/11/2023
Modified: 15/06/2026

CVE-2024-27198 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Attack vector: Network
Published: 07/03/2024
Modified: 21/12/2025

CVE-2025-68670 targets

9.1 Critical

xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper …

Attack vector: Network
Published: 27/01/2026
Modified: 25/05/2026

Received

← Previous

Page / 2

1–12 of 21

Audit mitigates

Tool (2)

PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
BloodHound uses

The MITRE Corporation Confidence 100

[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…

Campaign (1)

SolarWinds Compromise uses

Contact About Legal notice Privacy policy Terms of use

T1482: T1482

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (39)

Malware (78)

Reports (30)

Vulnerabilities (CVE) (21)

Course Of Action (1)

Tool (2)

Campaign (1)