Domain Member

Created the Monday 30 January 2023. Updated 8 months ago.

This technique determines if a host is a member of an Active Directory Domain without API calls. It helps prevent malicious payload execution in enterprise sandboxes that are not members of an Active Directory domain. The validation is done by checking the "LoggonServer" and "ComputerName" environment variables. If the host is logged into a domain controller, the "LoggonServer" value will contain the name of the logged-in server, otherwise both variables contain the same hostname. This information is stored in the process memory, allowing for undetectable domain membership validation without API calls.

Technique Identifier

U1341

Technique Tags

technique Active Directory Domain enterprise sandboxes malicious payload LoggonServer ComputerName domain controller hostname process memory undetectable API calls

Code Snippets

; #########################################
; Compare the variable Computername & Logonserver
; if they are the same ( except the // ) you are 
; not logged to a domain controller

_isdomain:
   push ebp
   mov  ebp,esp
   push ebx

   jmp     runit

   len_computername dd 13
   ;str_computername db "COMPUTERNAME="
   ;str_computername db 78,66,64,93,88,89,72,95,67,76,64,72,48

   len_logonserver dd 14
   ;str_logonserver db "LOGONSERVER=\\"
   ;str_logonserver db 66,65,73,65,64,93,75,92,88,75,92,51,82,82

runit:
   call _getenvnoapi      ; Retrieve location of env and size
   push eax
   push  ecx

   ; Get computername
   invokel  _findstr, eax, ecx, str_computername + 1, dword [len_computername]
   mov   esi,eax
   pop   ecx
   pop   eax

   push  esi

   ; Get LogonSvr
   invokel  _findstr, eax, ecx, str_logonserver + 1, dword [len_logonserver]

   ; validate the loggon server..
   pop   esi
   mov   edi, eax
   mov   eax,0
   test  edi,edi        ; On linux (vine) .. no computername, avoid crash
   jz    _nodomain

   mov    eax,edi
   call  _strlenw
   mov   ecx,eax
   rep   cmpsb
   mov   eax,0
   CMP   ecx,0
   jz   _nodomain  ; if the computer is equal to the domain then .. no domain

   inc   eax  ; Eax = 1 ... domain logged
_nodomain:

      pop   ebx
      mov   esp,ebp
      pop   ebp
      ret


; #########################################
_getenvnoapi:
   ; Retrieve the memory offset of the environnement variables apiless.
   ; Out: Eax offset buffer
   ; Out: Ecx len buffer
   mov   eax, [fs:0x30]    ; Get PEB
   mov   eax, [eax + 0x10] ; Get ProcessParameters
   mov   esi, [eax + 0x48] ; Get Environment
   mov   edx,esi
.scan_end:
   lodsd          ; Scan for next 0x0 X 4
   cmp   eax,0
   jne   .scan_end
   sub   esi, edx
   mov   ecx,esi
   mov   eax,edx
   ret



; #########################################
_findstr:
; Find a string
;  Return 0 in eax if not found
;  In stack [ebp+0x08] : Offset Buffer
;  In stack [ebp+0x0c] : Size Buffer
;  In stack [ebp+0x10] : Offset Pattern
;  In stack [ebp+0x14] : Size Pattern
;  Out eax   : Offset of string END
;  Warning max 256 bytes... NO CHECK !

   push ebp
   mov  ebp,esp
   sub  esp, 512
   mov     esi, dword [ebp + 0x10]   ; Convert Ascii to Unicode
   lea     edi, [ebp- 512]           ; Env is in unicode in memory
   mov     dword [ebp + 0x10], edi
   mov     ecx, [ebp+0x14]
   mov   edx,ecx

strtouni:
    lodsb
    xor al, [xor_key]
    stosb
    xor eax,eax
    stosb
    loop    strtouni
    shl     dword [ebp+0x14], 1     ; Update size * 2

    mov     edx,dword [ebp+0x0c]    ; Len of Buffer to Seek
    sub     edx,dword [ebp+0x14]    ; Len of string to Seek
    std
iter:
    mov     esi, [ebp+0x08]             ; Buffer to Seek
    add     esi, edx                    ; Got to end - N
    mov     edi, [ebp+0x10]             ; Buffer to pattern
    mov     ecx, dword [ebp+0x14]       ; Size to compare

    dec ecx
    add     esi, ecx                    ; Got to buffer + Size
    add     edi, ecx                    ; Got to pattern + Size
    inc ecx

    repe    cmpsb                      ; compare string...
    jcxz    found                      ; If compare the same number we wins

    sub     edx,2
                                        ; N = N - 1 ( x2 Since unicode )
                                        ; could be optimised for unicode... but....
    jnz     iter                        ; Until N = 0

    mov     eax,0
    jmp     findstr_end


found:
   add esi,1                           ; Pad x2 unicode...
   add esi, dword [ebp+0x14]           ; Go to "after" the found string
   mov eax,esi

findstr_end:
   cld
   mov esp,ebp
   pop ebp
   retn 16 


; #########################################
; Get string len wide
; eax, string, return eax, len

_strlenw:        ; eax: a string ending in 0
   push ebx
   push eax      ; cache eax

  .strloopw:
    mov bx, word [eax]
    cmp bx, 0
    je .strretw      ; return len if bl == 0
    inc eax ; inc eax        ; else eax++

    jmp .strloopw

.strretw:
    pop ebx        ; ebx = cached eax
    sub eax, ebx    ; eax -= ebx
    pop ebx
    inc eax
    ret          ; eax = len


_getenvnoapi:
   ; Out: Eax offset buffer
   ; Out: Ecx len buffer
   mov   eax, [fs:0x30]    ; Get PEB
   mov   eax, [eax + 0x10] ; Get ProcessParameters
   mov   esi, [eax + 0x48] ; Get Environment
   mov   edx,esi
.scan_end:
   lodsd          ; Scan for next 0x0 X 4
   cmp   eax,0
   jne   .scan_end
   sub   esi, edx
   mov   ecx,esi
   mov   eax,edx
   ret

Domain Member

Technique Identifier

Technique Tags

Code Snippets

Subscribe to our Newsletter