Domain Member

Created the Monday 30 January 2023. Updated 1 year, 9 months ago.

This technique determines if a host is a member of an Active Directory Domain without API calls. It helps prevent malicious payload execution in enterprise sandboxes that are not members of an Active Directory domain. The validation is done by checking the "LoggonServer" and "ComputerName" environment variables. If the host is logged into a domain controller, the "LoggonServer" value will contain the name of the logged-in server, otherwise both variables contain the same hostname. This information is stored in the process memory, allowing for undetectable domain membership validation without API calls.



Code Snippets


Sleeping Alien

Subscribe to our Newsletter

Don't miss out on the latest and greatest updates from us! Subscribe to our newsletter and be the first to know about exciting content and future updates.