1. Home
  2. Software
  3. Nltest

Nltest

Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts.[1]

ID: S0359
Type: TOOL
Platforms: Windows
Version: 1.4
Created: 14 February 2019
Last Modified: 12 May 2026
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1482 Domain Trust Discovery

Nltest may be used to enumerate trusted domains by using commands such as nltest /domain_trusts.[1][2]
Enterprise T1018 Remote System Discovery

Nltest may be used to enumerate remote domain controllers using options such as /dclist and /dsgetdc.[1]
Enterprise T1016 System Network Configuration Discovery

Nltest may be used to enumerate the parent domain of a local machine using /parentdomain.[1]

Groups That Use This Software

ID Name References
G1040 Play

[3]
G1054 MirrorFace

MirrorFace has used Nltest for discovery.[4]
G0102 Wizard Spider

[5][6][7][8][9][10][11]
G1032 INC Ransom

[12]
G1053 Storm-0501

Storm-0501 has used Windows native utility Nltest, e.g. nltest.exe, for discovery.[13]
G0061 FIN8

[14]
G1006 Earth Lusca

[15]
G1017 Volt Typhoon

[16][17]

References

  1. ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.
  2. Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.
  3. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  4. Trend Micro. (2024, November 19). Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella. Retrieved April 17, 2026.
  5. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  6. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  7. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  8. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  9. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  1. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  2. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  3. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  4. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.
  5. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  6. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  7. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  8. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.