Closed recvfrom closed 3 years ago
Hi recvfrom - firstly apologies for not spotting this message sooner. I have now starred this repo so I should get a heads up when an issue is created!
I do think it would be worth adding a hook for DsEnumerateDomainTrusts. The criteria are basically whether it brings value at no cost. The no cost basically means the hook is really stable so never crashes! This just requires very careful attention to detail and thorough testing.
Let me know if you have a hook that you wish to PR or whether you would just like to make a feature request - in which case I'll add it to my to-do list 😄
Do you think it'd be worth adding in a hook for DsEnumerateDomainTrusts? Specifically that just shows what ServerName and Flags value is passed.

Here's a run for an EXE that collects a bunch of information and then (I think, but haven't verified) POSTs it to a C2 server: https://capesandbox.com/analysis/81358/ . It would have been useful to see that it also calls DsEnumerateDomainTrustsA to collect domain info.
For future reference, what's the criteria for considering when something like this is worth adding in a hook for?
Thank you!
Reference: https://attack.mitre.org/techniques/T1482/
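Added example (not CAPE's hook code and not the issue author's) of what such a hook's log record could look like: it takes the two arguments the post wants captured, ServerName and Flags, and renders Flags as the DS_DOMAIN_* names from dsgetdc.h, handling a NULL ServerName (local computer's domain) and unrecognised bits. The exact output format is an assumption.

```c
/* Constructed model of a DsEnumerateDomainTrusts hook's logging step.
 * Flag values match dsgetdc.h; redefined here so it builds without windows.h. */
#include <stdio.h>
#include <string.h>

#define DS_DOMAIN_IN_FOREST       0x0001
#define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
#define DS_DOMAIN_TREE_ROOT       0x0004
#define DS_DOMAIN_PRIMARY         0x0008
#define DS_DOMAIN_NATIVE_MODE     0x0010
#define DS_DOMAIN_DIRECT_INBOUND  0x0020

static const struct { unsigned long bit; const char *name; } flag_names[] = {
    { DS_DOMAIN_IN_FOREST,       "DS_DOMAIN_IN_FOREST" },
    { DS_DOMAIN_DIRECT_OUTBOUND, "DS_DOMAIN_DIRECT_OUTBOUND" },
    { DS_DOMAIN_TREE_ROOT,       "DS_DOMAIN_TREE_ROOT" },
    { DS_DOMAIN_PRIMARY,         "DS_DOMAIN_PRIMARY" },
    { DS_DOMAIN_NATIVE_MODE,     "DS_DOMAIN_NATIVE_MODE" },
    { DS_DOMAIN_DIRECT_INBOUND,  "DS_DOMAIN_DIRECT_INBOUND" },
};

/* Decode the Flags bitmask into "A|B" form; bits not in dsgetdc.h are
 * reported as UNKNOWN(0x..) so nothing the sample passed is silently lost.
 * Returns the length of the decoded string. */
int decode_trust_flags(unsigned long flags, char *out, size_t cap)
{
    size_t n = sizeof flag_names / sizeof flag_names[0], i;
    unsigned long known = 0;
    int len = 0;
    out[0] = '\0';
    for (i = 0; i < n && (size_t)len < cap; i++) {
        known |= flag_names[i].bit;
        if (flags & flag_names[i].bit)
            len += snprintf(out + len, cap - len, "%s%s", len ? "|" : "", flag_names[i].name);
    }
    if ((flags & ~known) && (size_t)len < cap)
        len += snprintf(out + len, cap - len, "%sUNKNOWN(0x%lx)", len ? "|" : "", flags & ~known);
    if (len == 0)
        len = snprintf(out, cap, "NONE");
    return len;
}

/* Build the record a hook would emit for one call. A NULL ServerName means
 * the sample asked about the local computer's own domain; that is recorded
 * explicitly rather than dropped. */
int format_trust_call(const char *api, const char *server_name, unsigned long flags, char *out, size_t cap)
{
    char decoded[192];
    decode_trust_flags(flags, decoded, sizeof decoded);
    return snprintf(out, cap, "%s(ServerName=%s%s%s, Flags=0x%lx [%s])", api,
                    server_name ? "\"" : "", server_name ? server_name : "NULL",
                    server_name ? "\"" : "", flags, decoded);
}
```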