Conversation
Blatzy commented Dec 3, 2025

Description

New module to check SeMachineAccountPrivilege in the Default Domain Controllers Policy.
Querying LDAP for MachineAccountQuota in case of default configuration of the policy (Authenticated Users can add workstations to the domain).

Not a fancy exploitation, but I believe it will help on reconnaissance/enumeration.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

Module tested against two domains:

  • Domain A: default configuration but MAQ = 0
  • Domain B: only "Administrators" can add workstations to the domain

Screenshots (if appropriate):

Default configuration:

[Screenshot: CheckAddComputer_Domain_Default_Config]

Only Administrators can add workstations to the domain:

[Screenshot: CheckAddComputer_Domain_Only_Administrators]

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
termanix (Contributor) commented Dec 3, 2025

Thank you for the effort, but there is already a Maq module on LDAP which checks ms-DS-MachineAccountQuota. Maybe it can be implemented to show which users or groups can add computers to the domain.

Blatzy (Author) commented Dec 3, 2025

Thank you for the effort, but there is already a Maq module on LDAP which checks ms-DS-MachineAccountQuota. Maybe it can be implemented to show which users or groups can add computers to the domain.

The MAQ module on LDAP only implements querying LDAP to read the attribute. Even if you have a MAQ > 0, if you're not allowed in the Default Domain Controllers Policy, you can't join new workstations to the domain. It's a well-known hardening trick for AD admins.

In my opinion, a module that parses the "Default Domain Controllers Policy" is interesting.
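A worked illustration of the check described in the PR description and in the reply above, added here as an example and not the NetExec module's own code: it parses the [Privilege Rights] section of a constructed GptTmpl.inf (the SecEdit template the Default Domain Controllers Policy stores in SYSVOL), reports which SIDs hold SeMachineAccountPrivilege, and combines that with a MAQ value so a MAQ > 0 is not mistaken for "anyone can join". The sample template and the small well-known-SID table are assumptions.

```python
"""Added example: audit SeMachineAccountPrivilege from a GptTmpl.inf and
combine it with ms-DS-MachineAccountQuota (MAQ). Not the PR's module."""
import configparser

# Well-known SIDs; S-1-5-11 (Authenticated Users) is the default grantee
# in the Default Domain Controllers Policy. Assumed subset for this example.
WELL_KNOWN_SIDS = {
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
}

# Constructed sample of a GptTmpl.inf (found under
# MACHINE\Microsoft\Windows NT\SecEdit\ inside the GPO folder in SYSVOL).
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548
"""

def decode_gpttmpl(raw: bytes) -> str:
    # SYSVOL copies are usually UTF-16 with a BOM; fall back to UTF-8.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def parse_privilege_rights(inf_text: str) -> dict:
    """Return {privilege: [sid, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep privilege names case-sensitive
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}  # GPO does not set any user rights assignment
    rights = {}
    for priv, value in cp.items("Privilege Rights"):
        # Values look like "*S-1-5-11,*S-1-5-32-544"; strip the leading '*'.
        rights[priv] = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
    return rights

def machine_account_holders(inf_text: str) -> list:
    """List of (sid, friendly name) granted SeMachineAccountPrivilege."""
    sids = parse_privilege_rights(inf_text).get("SeMachineAccountPrivilege", [])
    return [(sid, WELL_KNOWN_SIDS.get(sid, "unknown SID")) for sid in sids]

def authenticated_users_can_join(inf_text: str, maq: int) -> bool:
    """True only if Authenticated Users hold the right AND the quota is > 0."""
    holders = {sid for sid, _ in machine_account_holders(inf_text)}
    return "S-1-5-11" in holders and maq > 0
```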

NeffIsBack (Member) commented

Hi and thanks for the PR!

I think it is cool to have a module that parses GPOs for the domain join attribute, but I agree with @termanix that also querying the MAQ value is a bit redundant. We already have a MAQ module for that and it is an entirely different protocol. Maybe add a statement at the end of the output pointing to that, but I think other than that the module should concentrate on the GPO parsing part.

NeffIsBack added the "enhancement" and "new module" labels and removed the "enhancement" label on Dec 3, 2025
Blatzy (Author) commented Dec 3, 2025

I understand, I will edit the module to focus on parsing the GPO. Feel free to suggest anything that could be relevant about this topic ;)

EDIT 18:07: Done editing, focusing only on parsing the GPO and returning the information about SeMachineAccountPrivilege

[Screenshot: CheckAddComputer_Focus_GPO_Parsing]
