AN1259: Analytic 1259
Adversary modifies Active Directory domain trust settings via `netdom`, `nltest`, or PowerShell to add new domain trust or alter federation. Modifications occur in AD object attributes like trustDirection, trustType, trustAttributes, often paired with SeEnableDelegationPrivilege or certificate injection.
Analyst context for executives and security teams
This analytic concerns unauthorized or suspicious changes to Active Directory domain trust settings on Windows. For leaders, the risk is not the command syntax itself; it is that trust changes can alter who is allowed to authenticate across domains or federated boundaries. If these changes are not tightly governed and monitored, an identity incident can become a broader business-continuity issue because access paths may expand beyond the originally affected domain.
Executive priority
Prioritize this as an identity-governance and incident-readiness control point. Security leaders should be able to answer: who is authorized to create or modify domain trusts, how those changes are approved, whether the SOC can see them, and how incident responders would validate or roll back an unauthorized trust modification. This also supports compliance evidence around privileged access management and change control for critical directory infrastructure.
Technical view
The supplied ATT&CK object describes adversary modification of Active Directory domain trust settings using netdom, nltest, or PowerShell, with changes reflected in AD attributes such as trustDirection, trustType, and trustAttributes. SOC and detection teams should validate visibility into both command execution on Windows systems and directory-level object attribute changes. Because no official detection logic is provided, teams should build or review detections around unauthorized trust creation or modification, especially when paired with privileged actions such as use of SeEnableDelegationPrivilege or certificate-related changes noted in the description.
Likely telemetry
- Windows process execution telemetry for netdom, nltest, and PowerShell activity
- Active Directory directory service change events for trust object attributes such as trustDirection, trustType, and trustAttributes
- Privileged account activity and administrative session records associated with domain trust administration
- Privilege assignment or use evidence involving SeEnableDelegationPrivilege where available
- Certificate-related change telemetry where certificate injection or related directory changes are monitored
Detection direction
- Baseline legitimate domain trust and federation administration activity so alerts can distinguish approved infrastructure changes from unexpected modifications.
- Alert on creation or modification of AD trust attributes when performed by unusual accounts, from unusual hosts, or outside approved maintenance windows.
- Correlate command execution involving netdom, nltest, or PowerShell with directory service changes to reduce false positives from benign administrative discovery or troubleshooting.
- Review blind spots where endpoint telemetry exists but AD object attribute auditing is incomplete, or where directory changes are logged but not correlated to the initiating user and host.
- Because ATT&CK provides no official detection implementation for this analytic, validate detection behavior in the local environment before treating it as operational coverage.
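The correlation and baselining described above, as an added example that is not part of the ATT&CK object or Glexia's page: it runs over constructed Windows Security events (4688 process creation, 5136 directory service object modified), flags trustedDomain attribute changes by an account outside an assumed approved trust-admin set or outside an assumed maintenance window, and ties each alert back to the initiating netdom/nltest/PowerShell command on the same user and host.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4688 = process creation,
# 5136 = directory service object modified. Times are ISO 8601, UTC.
EVENTS = [
    {"time": "2024-05-01T02:10:00", "id": 4688, "host": "DC01", "user": "CORP\\svc-backup",
     "process": "C:\\Windows\\System32\\netdom.exe",
     "cmdline": "netdom trust corp.local /d:partner.local /add"},
    {"time": "2024-05-01T02:10:05", "id": 5136, "host": "DC01", "user": "CORP\\svc-backup",
     "object_class": "trustedDomain", "attribute": "trustDirection", "value": "3"},
    {"time": "2024-05-01T13:00:00", "id": 4688, "host": "ADMIN01", "user": "CORP\\adm-trust",
     "process": "C:\\Windows\\System32\\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"time": "2024-05-01T13:05:00", "id": 5136, "host": "ADMIN01", "user": "CORP\\adm-trust",
     "object_class": "trustedDomain", "attribute": "trustAttributes", "value": "8"},
]

TRUST_ATTRIBUTES = {"trustDirection", "trustType", "trustAttributes"}
TRUST_TOOLS = ("netdom.exe", "nltest.exe", "powershell.exe", "pwsh.exe")
APPROVED_TRUST_ADMINS = {"CORP\\adm-trust"}   # assumption: the documented trust-admin role
MAINTENANCE_WINDOW = (12, 14)                 # assumption: approved change window, hours UTC
CORRELATION_WINDOW = timedelta(minutes=10)    # how far back to look for the initiating command


def parse_time(s):
    return datetime.fromisoformat(s)


def trust_change_alerts(events):
    """Alert on trust-attribute modifications (5136) that are unexpected: performed by a
    non-approved account or outside the maintenance window. Each alert is enriched with a
    preceding trust-tool start (4688) by the same user on the same host, if one exists."""
    procs = [e for e in events
             if e["id"] == 4688 and e["process"].lower().endswith(TRUST_TOOLS)]
    alerts = []
    for e in events:
        if e["id"] != 5136 or e.get("object_class") != "trustedDomain":
            continue
        if e["attribute"] not in TRUST_ATTRIBUTES:
            continue
        t = parse_time(e["time"])
        reasons = []
        if e["user"] not in APPROVED_TRUST_ADMINS:
            reasons.append("unapproved account")
        if not (MAINTENANCE_WINDOW[0] <= t.hour < MAINTENANCE_WINDOW[1]):
            reasons.append("outside maintenance window")
        if not reasons:
            continue  # approved admin inside the window: baseline activity, no alert
        origin = [p["cmdline"] for p in procs
                  if p["user"] == e["user"] and p["host"] == e["host"]
                  and timedelta(0) <= t - parse_time(p["time"]) <= CORRELATION_WINDOW]
        alerts.append({"user": e["user"], "host": e["host"], "attribute": e["attribute"],
                       "reasons": reasons, "initiating_command": origin[0] if origin else None})
    return alerts
```

A 5136 event with no matching 4688 (initiating_command None) is itself a visibility gap worth reviewing, as the blind-spot item above notes.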
Mitigation priorities
- Restrict domain trust administration to a small, documented set of privileged roles and require formal change approval.
- Enable and retain auditing for Active Directory trust object changes and related privileged administrative activity.
- Monitor and review use or assignment of high-risk privileges associated with delegation and trust administration.
- Maintain an inventory of expected domain trusts and federation relationships so responders can quickly identify unauthorized changes.
- Include domain trust validation and rollback procedures in identity incident response playbooks.
Analyst notes and limits
This object is a detection analytic, AN1259, for the enterprise ATT&CK domain and Windows platform. The supplied context has no related techniques, campaigns, software, groups, or mitigations, so this analysis is limited to the official description and external reference. The most important local validation question is whether the organization can tie a trust-attribute change back to the initiating account, host, command, and approved change record.
Official detection content was not provided, tactics were not specified, and no relationship context was supplied. This summary should not be read as evidence of active exploitation, attribution, or guaranteed detection coverage. Local Active Directory architecture, audit policy, and change-management practices determine practical risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cd8908351a22… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1259 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.