This is a simple PoC which allows you to return a list of PIDs currently using NTFS, by querying the \ntfs\ base device (the Windows filesystem base object). Using this method circumvents the need to use typical APIs, such as NtQuerySystemInformation or the higher level EnumProcesses. Using this non-typical reconnaissance method could allow operators to evade typical monitoring on endpoints 🎉. Thank you to Jonas Lyk for originally finding this trick.
- Get a handle to
\ntfs\withGENERIC_READ | SYNCHRONIZE - Query the information with the
FileProcessIdsUsingFileInformationclass using theNtQueryInformationFileAPI - Walk over a
PFILE_PROCESS_IDS_USING_FILE_INFORMATIONlist of process IDs
If you wish to contact me quicker, feel free to on Twitter or e-mail.