T1482: T1482

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 14/02/2019 17:15 · Modified 20/04/2026 18:53

Essential information

MITRE technique ID: T1482
Confidence: 100/100
Revoked: No
Published: 14/02/2019 17:15
Modified: 20/04/2026 18:53
Author / Source: The MITRE Corporation

Aliases

Domain Trust Discovery

Platforms

windows

Description

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

Kill chain phases

Kill chain	Phase
mitre-attack	discovery

Marking (TLP)

External references

Microsoft Operation Wilysupply
Microsoft GetAllTrustRelationships
Microsoft Trusts
Harmj0y Domain Trusts
mitre-attack (T1482)
AdSecurity Forging Trust Tickets

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (39)

UNC5537 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vice Society uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bumblebee uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
STAC5143, STAC5777 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Inception Framework uses Cloud AtlasInception

The MITRE Corporation Confidence 100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN8 uses Syssphinx

The MITRE Corporation Confidence 100

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA4557/FIN6 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Indrik Spider uses Manatee TempestDEV-0243

The MITRE Corporation Confidence 100

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-2697 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC4191 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 4

1–12 of 39

Tomb uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BADHATCH uses
TrojanSpy:MSIL/RacoonStealer uses

Family
Nodebot uses
DeedRAT uses

Family
PowerShower - S0441 uses

Family
Gootloader uses

Family
LuckyStrike Agent uses

Family
LockBit uses

Family
SharpHound uses

Family
EtherRAT uses

Family
XMRig uses

Family

← Previous

Page / 7

37–48 of 78

Interlock and Rhysida within the Ransomware Ecosystem related

2 CVEs 22 MITREs 24 Malwares 102 Observables 1 APT
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor related

19 MITREs 2 Malwares 2 Observables 1 APT
Cloud Atlas activity in the second half of … related

3 CVEs 20 MITREs 8 Malwares 17 Observables 1 APT
ClickFix Evolves with PySoxy Proxying related

20 MITREs 1 Malware 2 Observables
Flash Alert: EtherRat and TukTuk C2 End in … related

AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
UAT-8302 and its box full of malware related

3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
A Peek Into Muddled Libra's Operational Playbook related

25 MITREs 4 Observables 1 APT
ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) related

15 MITREs
A New Threat Actor Targeting Geopolitical Hotbeds related

11 MITREs 2 Malwares 1 APT
Hide Your RDP: Password Spray Leads to RansomHub … related

25 MITREs 2 Malwares 9 Observables 1 APT
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers … related

14 MITREs 1 Malware 1 APT

← Previous

Page / 3

1–12 of 30

Vulnerabilities (CVE) (21)

CVE-2024-50623 KEV targets

9.8 Critical

Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead …

Attack vector: Network
Published: 13/12/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-34527 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2018-0802 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-1675 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-41244 KEV targets

7.8 High

Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability. A malicious local actor with non-administrative privileges …

Attack vector: Local
Published: 30/10/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2022-30190 KEV targets

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

CVE-2024-27199 KEV targets

7.3 High

JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

Attack vector: NETWORK
Complexity: LOW
Published: 04/03/2024
Modified: 22/04/2026

CWE-23 CWE-22

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2025-20333 KEV targets

9.9 Critical

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …

Attack vector: Network
Published: 25/09/2025
Modified: 21/12/2025

Analyzed

CVE-2023-36036 KEV targets

7.8 High

Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges.

Attack vector: Local
Published: 14/11/2023
Modified: 15/06/2026

CVE-2024-27198 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.

Attack vector: Network
Published: 07/03/2024
Modified: 21/12/2025

CVE-2025-68670 targets

9.1 Critical

xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper …

Attack vector: Network
Published: 27/01/2026
Modified: 25/05/2026

Received

← Previous

Page / 2

1–12 of 21

Audit mitigates

Tool (2)

PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
BloodHound uses

The MITRE Corporation Confidence 100

[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT…

Campaign (1)

SolarWinds Compromise uses

Contact About Legal notice Privacy policy Terms of use

T1482: T1482

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (39)

Malware (78)

Reports (30)

Vulnerabilities (CVE) (21)

Course Of Action (1)

Tool (2)

Campaign (1)