Process
nltest.exe
nltest.exe is a domain diagnostic tool for querying domain controllers and trust relationships. Administrators use it to troubleshoot secure channels and locate DCs. Attackers use it to map the domain and its trusts, the groundwork for moving deeper into an Active Directory environment.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
Indicators
Not observed.
Analysis
nltest.exe queries the Netlogon service and Active Directory for domain topology. /dclist:<domain> lists the domain controllers in a domain, /dsgetdc:<domain> locates a DC and reports the roles it offers (PDC, GC, KDC and so on), and /domain_trusts enumerates the trust relationships between domains and forests. It can also test and reset the secure channel between a member and its domain (/sc_query and /sc_reset). The genuine binary lives at C:\Windows\System32\nltest.exe; on 64-bit Windows a 32-bit copy also ships under C:\Windows\SysWOW64, so an allow-list on image path should account for both.
Legitimately, nltest is run by administrators to diagnose domain join and replication problems. It only reads domain configuration, except that for secure-channel repair it can reset a machine's own trust password.
nltest is a core Active Directory reconnaissance tool (Domain Trust Discovery, T1482). nltest /domain_trusts reveals how domains and forests trust one another, which tells an attacker where else stolen credentials might work and how to pivot toward higher-value domains. /dclist and /dsgetdc enumerate domain controllers (Remote System Discovery, T1018), the machines that hold the directory and are the ultimate target for domain credential theft. Because the binary is signed, present on every domain member and read-only in these modes, it leaves no file or registry artifact; process-creation telemetry with command line, parent and user is what catches it.
Run by an administrator during troubleshooting it is routine. Run from an ordinary user's workstation, under an odd parent, or amid other domain enumeration, it points to an operator charting the environment before moving through it.
- Image path other than C:\Windows\System32\nltest.exe (high)
- /domain_trusts or /dclist run from a workstation outside admin troubleshooting (high)
- Parent is an Office application, a script host, or an unfamiliar process (high)
- Run amid other domain recon, such as net group /domain (med)
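The indicator list above, turned into detection logic and run over a few process-creation events. This is an added example written for this page, not code from the page or from Microsoft. It scores Sysmon-style records (Image, CommandLine, ParentImage, User, Hostname) against the four indicators; the sample events, the workstation list, the admin-account list and the expected-parent allow-list are all constructed here and are assumptions standing in for real telemetry and an asset inventory.

```python
"""Triage process-creation events for suspicious nltest.exe use.

Added example, not the page's own tooling. Severity labels follow the
indicator list (high = 3, med = 2); lists of workstations, admin accounts
and expected parents are assumptions to be fed from an inventory.
"""
import ntpath
import re
from collections import defaultdict, deque

GENUINE_IMAGE = r"C:\Windows\System32\nltest.exe"
RECON_SWITCHES = {"/domain_trusts", "/dclist", "/dsgetdc"}
OFFICE_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents that interactive admin troubleshooting normally produces (assumed; tune per environment).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe", "mmc.exe"}
# Other domain enumeration seen shortly before nltest on the same host, e.g. net group /domain.
OTHER_RECON = re.compile(r"\bnet1?(?:\.exe)?\s+(?:group|user|localgroup)\b.*\s/domain\b", re.I)
WEIGHT = {"high": 3, "med": 2}


def basename(path):
    return ntpath.basename(path).lower()


def switches(cmdline):
    """Set of nltest switches on the command line, with their ':argument' stripped."""
    return {tok.lower().split(":", 1)[0] for tok in cmdline.split() if tok.startswith("/")}


def score_event(event, recent_cmdlines, workstations, admin_users):
    """Score one event. Returns (score, [(finding, severity), ...]); (0, []) if not nltest."""
    findings = []
    if basename(event["Image"]) != "nltest.exe":
        return 0, findings
    if event["Image"].lower() != GENUINE_IMAGE.lower():
        findings.append(("image path other than " + GENUINE_IMAGE, "high"))
    recon = switches(event["CommandLine"]) & RECON_SWITCHES
    if recon and event["Hostname"].lower() in workstations and event["User"].lower() not in admin_users:
        findings.append((" ".join(sorted(recon)) + " run from a workstation by a non-admin account", "high"))
    parent = basename(event["ParentImage"])
    if parent in OFFICE_AND_SCRIPT_HOSTS or parent not in EXPECTED_PARENTS:
        findings.append(("parent " + parent + " is an Office app, script host or unfamiliar", "high"))
    if any(OTHER_RECON.search(c) for c in recent_cmdlines):
        findings.append(("run amid other domain recon on the same host", "med"))
    return sum(WEIGHT[sev] for _, sev in findings), findings


def triage(events, workstations, admin_users, window=5):
    """Walk events in order, remembering the last `window` command lines per host."""
    recent = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for ev in events:
        host = ev["Hostname"].lower()
        score, findings = score_event(ev, recent[host], workstations, admin_users)
        if findings:
            alerts.append({"host": ev["Hostname"], "cmdline": ev["CommandLine"],
                           "score": score, "findings": findings})
        recent[host].append(ev["CommandLine"])
    return alerts


# Constructed sample data, not real telemetry.
WORKSTATIONS = {"ws-1042"}
ADMIN_USERS = {"corp\\jsmith.adm"}
SAMPLE_EVENTS = [
    # Admin checking a secure channel from a server console: routine, no findings.
    {"Hostname": "DC01", "User": "CORP\\jsmith.adm", "Image": GENUINE_IMAGE,
     "CommandLine": "nltest /sc_query:corp.example.com",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Ordinary user's workstation: net group /domain, then nltest spawned by Word.
    {"Hostname": "WS-1042", "User": "CORP\\alice", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Hostname": "WS-1042", "User": "CORP\\alice", "Image": GENUINE_IMAGE,
     "CommandLine": "nltest /domain_trusts",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Same workstation: a copy of nltest.exe staged in %TEMP% listing the DCs.
    {"Hostname": "WS-1042", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\nltest.exe",
     "CommandLine": "nltest /dclist:corp.example.com",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, WORKSTATIONS, ADMIN_USERS):
        print(f'{a["host"]}: score {a["score"]}: {a["cmdline"]}')
        for finding, sev in a["findings"]:
            print(f"    [{sev}] {finding}")
```

The admin's /sc_query on the server produces no findings, while both workstation events score 8: the Word-spawned /domain_trusts trips the workstation, parent and recon-context indicators, and the staged copy trips the image-path, workstation and recon-context indicators. The per-host command-line window is what implements "amid other domain recon"; widen it, or key it on time rather than event count, if the telemetry source interleaves many unrelated processes.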
Telemetry
Not observed.