S0359: Nltest

Nltest matters because it is a legitimate Windows administration utility that can reveal domain controllers, remote systems, network configuration context, and domain trust relationships. For defenders, that makes it a dual-use signal: normal IT activity in some environments, but potentially important reconnaissance when seen from unusual hosts, users, or during an incident involving Active Directory or ransomware preparation.

Executive priority

Prioritize Nltest monitoring where Active Directory trust relationships, domain controller exposure, and Windows identity infrastructure are critical to business continuity. The ATT&CK relationships show use by multiple financially motivated, ransomware-associated, espionage, and critical-infrastructure-focused groups, so leaders should ask whether SOC and IR teams can reconstruct who ran Nltest, from where, under which account, and what domain-trust or controller discovery occurred. This is especially relevant for audit evidence around identity monitoring, ransomware readiness, and segmentation assumptions across domains or forests.

Technical view

For SOC and IR teams, treat Nltest as Windows discovery activity tied in ATT&CK to System Network Configuration Discovery, Remote System Discovery, and Domain Trust Discovery. Because ATT&CK provides no official detection text for this software object, validation should focus on local command execution telemetry, process command-line capture, parent process context, account context, host role, and timing. Nltest activity may be expected on domain controllers or admin workstations, but should be reviewed when executed by non-admin users, from servers not used for administration, from newly accessed systems, or near other discovery and lateral-movement indicators.

Likely telemetry

Windows process creation events including executable name and command line
Parent/child process relationships for nltest.exe
User, logon session, host, and domain context for command execution
Endpoint detection and response telemetry from Windows hosts
Domain controller and authentication logs that can corroborate trust or domain controller discovery activity

Detection direction

Build or validate detections for nltest.exe execution with command-line arguments that enumerate domain controllers, domains, or trust relationships.
Tune against known administrative usage so detections distinguish routine domain administration from unusual execution by unexpected users, hosts, or parent processes.
Correlate Nltest execution with ATT&CK discovery behaviors T1016, T1018, and T1482 rather than treating it as malicious by itself.
Review coverage gaps where process command-line logging is absent, endpoint telemetry is not retained, or domain admin workstations are not monitored consistently.
Use relationship context as prioritization input: this tool is documented as used by several ATT&CK groups, including ransomware-associated and espionage groups, but local evidence is required before drawing attribution conclusions.

Mitigation priorities

Establish a baseline of legitimate Nltest use by directory services, help desk, and infrastructure teams.
Limit privileged domain administration to managed and monitored systems where feasible.
Ensure Windows endpoint logging and command-line visibility are enabled and retained long enough for incident response.
Review Active Directory trust relationships and document business justification, especially in multi-domain or multi-forest environments.
Include Nltest discovery in ransomware and identity-compromise response playbooks so analysts quickly assess exposed trust paths and domain controller discovery.

Analyst notes and limits

Nltest is not malware; it is a legitimate Windows command-line utility. Its security value comes from context: adversaries can use the same administrative capability to map identity infrastructure and plan movement across Windows domains. The strongest detections will be behavior- and context-based, not simple allow/block logic.

The supplied ATT&CK object does not include official detection guidance, aliases, labels, or tactics directly on the tool. Related technique and group relationships support discovery-focused defensive framing, but they do not prove malicious activity, active exploitation, attribution, or exposure in any specific environment.

Official MITRE ATT&CK definition

Nltest

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 3 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1482	Domain Trust Discovery	Nltest may be used to enumerate trusted domains by using commands such as `nltest /domain_trusts`.CitationNltest ManualCitationFortinet TrickBot
Enterprise	T1018	Remote System Discovery	Nltest may be used to enumerate remote domain controllers using options such as `/dclist` and `/dsgetdc`.CitationNltest Manual
Enterprise	T1016	System Network Configuration Discovery	Nltest may be used to enumerate the parent domain of a local machine using `/parentdomain`.CitationNltest Manual

Associated objects

Groups, software, and campaigns

G1040: Play

Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.[1][2]

G1054: MirrorFace

MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.[1][2][3][4][5][6]

G0102: Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

G1032: INC Ransom

INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.[1][2][3][4]

G1053: Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]

G0061: FIN8

FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]

G1006: Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.[1]

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.[1]

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[1][2][3][4]. The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5].

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations. [6]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.4
Created: Feb 14, 2019, 17:08 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 852da0e9dcb0a542...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.4	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`852da0e9dcb0…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Nltest Manual

ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.
Open source URL
[2]
mitre-attack S0359
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams