/// <summary>
/// Selects the textual form in which GetUserNameEx reports a name.
/// Every member carries an explicit value because the enum is handed to
/// secur32.dll as-is; the gaps in the numbering are intentional, do not renumber.
/// </summary>
public enum ExtendedNameFormat
{
    /// <summary>
    /// The name type is not known.
    /// </summary>
    NameUnknown = 0,

    /// <summary>
    /// Fully qualified distinguished name, for example
    /// CN=Jeff Smith,OU=Users,DC=Engineering,DC=Microsoft,DC=Com.
    /// </summary>
    NameFullyQualifiedDN = 1,

    /// <summary>
    /// Legacy account name, for example Engineering\JSmith.
    /// When only a domain is named, the string carries trailing backslashes (\\).
    /// </summary>
    NameSamCompatible = 2,

    /// <summary>
    /// "Friendly" display name, for example Jeff Smith.
    /// This is a presentation value; it need not be the defining
    /// relative distinguished name (RDN).
    /// </summary>
    NameDisplay = 3,

    /// <summary>
    /// GUID string of the kind the IIDFromString function returns,
    /// for example {4fa050f0-f561-11cf-bdd9-00aa003a77b6}.
    /// </summary>
    NameUniqueId = 6,

    /// <summary>
    /// Complete canonical name, for example engineering.microsoft.com/software/someone.
    /// When only a domain is named, the string ends with a forward slash (/).
    /// </summary>
    NameCanonical = 7,

    /// <summary>
    /// User principal name, for example someone@example.com.
    /// </summary>
    NameUserPrincipal = 8,

    /// <summary>
    /// Like NameCanonical, but the rightmost forward slash (/) becomes a
    /// new line character (\n), also in the domain-only case, for example
    /// engineering.microsoft.com/software\nJSmith.
    /// The embedded line feed should be escaped before the value is written
    /// to line-oriented output such as log files.
    /// </summary>
    NameCanonicalEx = 9,

    /// <summary>
    /// Generalized service principal name, for example
    /// www/www.microsoft.com@microsoft.com.
    /// </summary>
    NameServicePrincipal = 10,

    /// <summary>
    /// DNS domain name, then a backward-slash, then the SAM user name.
    /// </summary>
    NameDnsDomain = 12
}
/// <summary>
/// P/Invoke declaration for GetUserNameEx in secur32.dll.
/// Per the Win32 documentation the function reports the name of the security
/// principal associated with the calling thread, so under impersonation the
/// result is the impersonated client rather than the process owner.
/// </summary>
/// <param name="nameFormat">Requested name format, passed to the native function unchanged.</param>
/// <param name="userName">Caller-allocated buffer that receives the name.</param>
/// <param name="userNameSize">
/// On input, the capacity of <paramref name="userName"/> in characters.
/// Per the Win32 documentation it receives the number of characters copied on
/// success, or the required size when the buffer is too small (ERROR_MORE_DATA).
/// </param>
/// <returns>
/// The native BOOLEAN as a byte: non-zero on success, zero on failure.
/// Because SetLastError=true, Marshal.GetLastWin32Error() holds the error code after a failure.
/// </returns>
// NOTE(review): the library is named without a path. On .NET Framework 4.5 or later,
// [DefaultDllImportSearchPaths(DllImportSearchPath.System32)] pins resolution to the
// system directory; confirm the target framework before adding it.
[DllImport("secur32.dll", CharSet=CharSet.Auto, SetLastError=true)]
public static extern byte GetUserNameEx (ExtendedNameFormat nameFormat,
StringBuilder userName, ref int userNameSize);
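' VB.NET declaration for GetUserNameEx in secur32.dll.
' The Auto modifier is required here: a Declare without a character-set modifier
' defaults to Ansi and looks up the name exactly as written, but the library
' exports only the suffixed entry points (GetUserNameExA / GetUserNameExW).
' With Auto the runtime picks the entry point and string marshalling for the platform.
'   nameFormat   - one of the EXTENDED_NAME_FORMAT values, passed as an Integer.
'   userName     - caller-allocated buffer that receives the name.
'   userNameSize - buffer capacity in characters on input; updated by the native function.
' Returns the native BOOLEAN as a Byte: non-zero on success, zero on failure.
Declare Auto Function GetUserNameEx Lib "secur32.dll" (ByVal nameFormat As Integer, _
ByVal userName As StringBuilder, ByRef userNameSize As Integer) As Byte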
None.
This function may be needed because System.Environment.UserDomainName can return the wrong value. If the local machine has a user account with the same name as a logged-in domain user (machineName\bob and domainName\bob), UserDomainName returns the machine name, not the domain name.
Please add some!
/// <summary>
/// Sample that reads the current user's domain through GetUserNameEx
/// instead of System.Environment.UserDomainName.
/// </summary>
public class Sample
{
    /// <summary>
    /// Name formats understood by GetUserNameEx. The values are sent to the
    /// native function as plain integers, so they must stay as listed.
    /// </summary>
    enum EXTENDED_NAME_FORMAT
    {
        NameUnknown = 0,
        NameFullyQualifiedDN = 1,
        NameSamCompatible = 2,
        NameDisplay = 3,
        NameUniqueId = 6,
        NameCanonical = 7,
        NameUserPrincipal = 8,
        NameCanonicalEx = 9,
        NameServicePrincipal = 10,
        NameDnsDomain = 12
    }

    /// <summary>
    /// P/Invoke declaration for GetUserNameEx in secur32.dll.
    /// </summary>
    /// <param name="nameFormat">An EXTENDED_NAME_FORMAT value cast to int.</param>
    /// <param name="userName">Caller-allocated buffer that receives the name.</param>
    /// <param name="userNameSize">Buffer capacity in characters; updated by the native call.</param>
    /// <returns>Non-zero on success, zero on failure.</returns>
    // NOTE(review): SetLastError is not requested here, so the Win32 error code
    // is not available to callers after a failure.
    // NOTE(review): per the Win32 documentation the name belongs to the calling
    // thread's security context; under impersonation that is the client.
    [DllImport("secur32.dll", CharSet=CharSet.Auto)]
    public static extern byte GetUserNameEx (int nameFormat, StringBuilder userName, ref int userNameSize);

    /// <summary>
    /// Returns the domain portion of the current user's SAM-compatible name
    /// (the text before the backslash in DOMAIN\user).
    /// </summary>
    /// <returns>
    /// The domain, or null when the platform is not Win32NT, when the native
    /// call fails, or when the name does not split into exactly two parts.
    /// </returns>
    public String GetUserDomain()
    {
        // The native function exists only on NT-based Windows.
        if (Environment.OSVersion.Platform != PlatformID.Win32NT)
        {
            return null;
        }

        StringBuilder buffer = new StringBuilder(1024);
        int bufferChars = buffer.Capacity;
        byte succeeded = GetUserNameEx((int)EXTENDED_NAME_FORMAT.NameSamCompatible, buffer, ref bufferChars);
        if (succeeded == 0)
        {
            return null;
        }

        // Anything other than exactly "domain\user" is treated as unusable.
        string[] pieces = buffer.ToString().Split('\\');
        return pieces.Length == 2 ? pieces[0] : null;
    }
}
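''' <summary>
''' Sample that reads the current user's account name through GetUserNameEx.
''' </summary>
Public Class Sample
    ' Declaration of the ANSI entry point in secur32.dll. A Declare without a
    ' character-set modifier marshals strings as ANSI and looks up the name as written.
    '   nameFormat   - an EXTENDED_NAME_FORMAT value.
    '   userName     - caller-allocated buffer that receives the name.
    '   userNameSize - buffer capacity in characters; updated by the native call.
    ' Returns a non-zero Byte on success, zero on failure.
    ' NOTE(review): the A entry point converts through the ANSI code page, so account
    ' names with characters outside it may not round-trip; GetUserNameExW avoids that.
    Declare Function GetUserNameExA Lib "secur32.dll" (ByVal nameFormat As Integer, _
        ByVal userName As System.Text.StringBuilder, ByRef userNameSize As Integer) As Byte
    ' GetUserNameExA for ANSI
    ' GetUserNameExW for UNICODE

    ' Name formats understood by GetUserNameEx. The values are sent to the native
    ' function as integers, so they must stay as listed.
    Public Enum EXTENDED_NAME_FORMAT
        NameUnknown = 0
        NameFullyQualifiedDN = 1
        NameSamCompatible = 2
        NameDisplay = 3
        NameUniqueId = 6
        NameCanonical = 7
        NameUserPrincipal = 8
        NameCanonicalEx = 9
        NameServicePrincipal = 10
        NameDnsDomain = 12
    End Enum

    ''' <summary>
    ''' Returns the account portion of the current user's SAM-compatible name
    ''' (the text after the backslash in DOMAIN\user).
    ''' </summary>
    ''' <returns>
    ''' The account name, or an empty string when the platform is not Win32NT,
    ''' when the native call fails, or when the name does not split into exactly two parts.
    ''' </returns>
    Public Function GetUserName() As String
        ' The native function exists only on NT-based Windows.
        If Environment.OSVersion.Platform <> PlatformID.Win32NT Then
            Return ""
        End If

        Dim UserName As New System.Text.StringBuilder(1024)
        Dim userNameSize As Integer = UserName.Capacity
        If GetUserNameExA(EXTENDED_NAME_FORMAT.NameSamCompatible, UserName, userNameSize) = 0 Then
            Return ""
        End If

        ' "\"c is a Char literal, so the call does not depend on an implicit
        ' String-to-Char conversion and also compiles under Option Strict On.
        Dim NameParts() As String = UserName.ToString().Split("\"c)
        If NameParts.Length <> 2 Then
            Return ""
        End If
        Return NameParts(1)
    End Function
End Class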
System.Environment.UserDomainName
NETWORK ANALYSIS
SIGNATURES BY SEVERITY
2 LOW
4 MID
0 HIGH
MID Severity Signatures
The Process Tried To Dynamically Load One Or More Functions.
Yara Detected Something
The Process Attempted To Bypass The DEP System By Marking A Part Of The Heap As Executable
The Process Tried To Collect Information About The System By Reading Some Known Registry Keys