DET0007: Detection of Domain Trust Discovery via API, Script, and CLI Enumeration
DET0007 is a MITRE ATT&CK detection strategy for identifying Domain Trust Discovery behavior through API, script, and command-line enumeration. In business...
Analyst context for executives and security teams
DET0007 is a MITRE ATT&CK detection strategy for identifying Domain Trust Discovery behavior through API, script, and command-line enumeration. In business terms, this matters because trust relationships in Windows multi-domain or forest environments can reveal paths an intruder may use to plan lateral movement. Even without detailed MITRE detection logic in the supplied object, the relationship to T1482 makes this a useful prompt for leaders to ask whether domain trust visibility is actually monitored and reviewable during an incident.
Executive priority
Prioritize this where Windows Active Directory environments include multiple domains, forests, or trust relationships. The decision value is not just detecting a single command or script, but proving that security teams can see attempts to map trust boundaries before an incident expands across identity and business units. This supports incident readiness, identity risk management, audit evidence for privileged access oversight, and resilience planning for environments where trust misconfiguration could increase blast radius.
Technical view
The supplied detection strategy has no official detection text, platforms, or tactics of its own, but it is explicitly related to T1482 Domain Trust Discovery, an enterprise Windows discovery technique. SOC and detection engineering teams should validate whether they collect and correlate evidence of domain trust enumeration through API activity, scripting, and command-line interfaces. Incident responders should treat confirmed trust discovery as contextual evidence that an actor may be mapping lateral movement opportunities, especially in multi-domain or forested Active Directory environments.
Likely telemetry
- Windows endpoint process creation and command-line logging
- PowerShell or other script execution logs where available
- Directory service and domain controller logs relevant to trust queries
- Authentication and directory access events that show cross-domain or trust-related lookups
- EDR telemetry capturing API, script, and CLI-based enumeration activity
Detection direction
- Validate visibility across API, script, and CLI enumeration paths rather than relying on a single tool or command pattern.
- Tune detections with local administrative baselines, because domain trust discovery can be performed by legitimate administrators and identity management processes.
- Correlate enumeration events with user, host, privilege level, domain role, and recent authentication activity to separate routine administration from suspicious discovery.
- Check whether domain controllers, administrative workstations, and identity management servers have consistent logging; these are common blind spots for trust-discovery visibility.
- Use the relationship to T1482 as context: confirmed activity should enrich incident timelines as discovery behavior that may precede lateral movement planning.
Mitigation priorities
- Maintain accurate documentation of domain and forest trust relationships so alerts can be interpreted quickly during incidents.
- Restrict and monitor privileged access used for Active Directory administration, especially in multi-domain or forest environments.
- Ensure endpoint, script, and directory service logging is enabled and retained long enough to support investigation.
- Review trust relationships for necessity and governance, prioritizing environments where unnecessary trusts could increase lateral movement paths.
- Include domain trust discovery scenarios in incident response and detection validation exercises.
Analyst notes and limits
MITRE provides the detection strategy name and relationship to T1482, but no official description or detection procedure in the supplied fields. This take therefore focuses on defensive validation and decision value derived from the related Domain Trust Discovery technique and the strategy title: API, script, and CLI enumeration.
The object itself has unspecified platforms and tactics and no official detection text. Windows and discovery context come from the related T1482 technique, not from the detection strategy fields directly. Local environment architecture, logging configuration, and administrative baselines are required to determine practical coverage and alert fidelity.
Detection of Domain Trust Discovery via API, Script, and CLI Enumeration
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1482 | Domain Trust Discovery | This object detects Domain Trust Discovery. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 3aac4bd2f9b5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0007Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.