From dadad0e3f8b4c01c5769b4cc77432114c7a3405b Mon Sep 17 00:00:00 2001
From: Deft_
Date: Sat, 12 Oct 2024 20:25:53 +0200
Subject: [PATCH 1/3] Create recent_files.py
Signed-off-by: Deft_
---
 nxc/modules/recent_files.py | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 nxc/modules/recent_files.py
diff --git a/nxc/modules/recent_files.py b/nxc/modules/recent_files.py
new file mode 100644
index 000000000..bee613af4
--- /dev/null
+++ b/nxc/modules/recent_files.py
@@ -0,0 +1,39 @@
+import pylnk3
+from io import BytesIO
+
+
+class NXCModule:
+ # Get a list of recently modified files via LNK's stored in AppData\Roaming\Microsoft\Windows\Recent
+ # Module by @Defte_
+
+ name = "recent_files"
+ description = "Extracts recently modified files"
+ supported_protocols = ["smb"]
+ opsec_safe = True
+ multiple_hosts = True
+ false_positive = [".", "..", "desktop.ini", "Public", "Default", "Default User", "All Users", ".NET v4.5", ".NET v4.5 Classic"]
+
+ def options(self, context, module_options):
+ """"""
+
+ def on_admin_login(self, context, connection):
+ lnks = []
+ for directory in connection.conn.listPath("C$", "Users\\*"):
+ if directory.get_longname() not in self.false_positive and directory.is_directory() > 0:
+ context.log.highlight(f"C:\\{directory.get_longname()}")
+ recent_files_dir = f"Users\\{directory.get_longname()}\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
+ for file in connection.conn.listPath("C$", f"{recent_files_dir}\\*"):
+ file_path = f"{recent_files_dir}{file.get_longname()}"
+ if file.get_longname() not in self.false_positive:
+ file_path = f"{recent_files_dir}{file.get_longname()}"
+ try:
+ buf = BytesIO()
+ connection.conn.getFile("C$", file_path, buf.write)
+ buf.seek(0)
+ lnk = pylnk3.parse(buf).path
+ if lnk and lnk not in lnks:
+ context.log.highlight(f"\t{lnk}")
+ lnks.append(lnk)
+ except Exception as e:
+ # needed because of hidden directories in the Recents directory
+ context.log.debug(f"Couldn't open {file_path} because of {e}")
From 26e08ca6a05469f1063034765970cb2146d32d65 Mon Sep 17 00:00:00 2001
From: Deft_
Date: Sun, 13 Oct 2024 17:27:37 +0200
Subject: [PATCH 2/3] Update runasppl.py
Signed-off-by: Deft_
---
 nxc/modules/runasppl.py | 44 +++++++++++++++++++++++++++++++++++++-------
 1 file changed, 37 insertions(+), 7 deletions(-)
diff --git a/nxc/modules/runasppl.py b/nxc/modules/runasppl.py
index 15f6bccd0..0520189cd 100644
--- a/nxc/modules/runasppl.py
+++ b/nxc/modules/runasppl.py
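Review bot: In on_admin_login `file_path` is computed twice — the line before `if file.get_longname() not in self.false_positive:` and the first line inside it are identical — and the listing glob `f"{recent_files_dir}\\*"` yields a doubled separator because `recent_files_dir` already ends in `\\`; drop the outer assignment and list with `f"{recent_files_dir}*"`. The comment on the `except Exception` says it is there for hidden directories, but the same handler also silences `pylnk3.parse` failures on malformed LNK data and any SMB error raised by `getFile`, so the comment should say so: `# best-effort: sub-directories fail getFile and malformed LNKs fail pylnk3.parse; both are skipped`. The `highlight` of `f"C:\\{directory.get_longname()}"` prints `C:\<user>` for what is actually `C:\Users\<user>`. Patch 3/3 of this series deletes the file again, so these points only matter if the module is reinstated.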
@@ -1,5 +1,10 @@
+from impacket.dcerpc.v5 import rrp
+from impacket.examples.secretsdump import RemoteOperations
+from impacket.dcerpc.v5.rrp import DCERPCSessionError
+
 class NXCModule:
+ # Reworked by @Defte_ 13/10/2024 to remove unecessary execute operation
 name = "runasppl"
 description = "Check if the registry value RunAsPPL is set or not"
 supported_protocols = ["smb"]
@@ -14,10 +19,35 @@ def options(self, context, module_options):
 """"""
 def on_admin_login(self, context, connection):
- command = r"reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ /v RunAsPPL"
- context.log.debug(f"Executing command: {command}")
- p = connection.execute(command, True)
- if "The system was unable to find the specified registry key or value" in p:
- context.log.debug("Unable to find RunAsPPL Registry Key")
- else:
- context.log.highlight(p)
+ try:
+ remote_ops = RemoteOperations(connection.conn, False)
+ remote_ops.enableRegistry()
+
+ if remote_ops._RemoteOperations__rrp:
+ ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
+ reg_handle = ans["phKey"]
+ ans = rrp.hBaseRegOpenKey(
+ remote_ops._RemoteOperations__rrp,
+ reg_handle,
+ "SYSTEM\\CurrentControlSet\\Control\\Lsa"
+ )
+ key_handle = ans["phkResult"]
+ _ = data = None
+ try:
+ _, data = rrp.hBaseRegQueryValue(
+ remote_ops._RemoteOperations__rrp,
+ key_handle,
+ "RunAsPPL\x00",
+ )
+ except rrp.DCERPCSessionError as e:
+ context.log.debug(f"RunAsPPL error {e} on host {connection.host}")
+
+ if data is None or data not in [1, 2]:
+ context.log.highlight("RunAsPPL disabled")
+ else:
+ context.log.highlight("RunAsPPL enabled")
+
+ except DCERPCSessionError as e:
+ context.log.debug(f"Error connecting to RemoteRegistry {e} on host {connection.host}")
+ finally:
+ remote_ops.finish()
From 3c197634b2d70ac33987ff5e013c0d665ce96988 Mon Sep 17 00:00:00 2001
From: Deft_
Date: Sun, 13 Oct 2024 21:52:19 +0200
Subject: [PATCH 3/3] Delete nxc/modules/recent_files.py (clownface)
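Review bot: `from impacket.dcerpc.v5.rrp import DCERPCSessionError` duplicates the class already reachable as `rrp.DCERPCSessionError`, and the second hunk then spells the same exception both ways; keep one, e.g. drop the third import and write `except rrp.DCERPCSessionError as e:` on the outer handler as well. The added class comment has a typo (`unecessary`) and would be more useful saying what replaced the command execution: `# Reworked by @Defte_ 13/10/2024: query RunAsPPL over the remote registry (MS-RRP) instead of executing reg.exe`. The class body continues past the end of this hunk.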
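Review bot: The inner `except rrp.DCERPCSessionError` around `hBaseRegQueryValue` turns every failed query into "RunAsPPL disabled", because `data` stays `None` and the check below cannot tell an absent value from an access-denied or transport error on the Lsa key; only `ERROR_FILE_NOT_FOUND` (0x2) means the value is unset, so test `if e.get_error_code() != 0x2:` in the handler, log the failure with `context.log.highlight(f"RunAsPPL query failed on {connection.host}: {e}")` and return instead of falling through to the disabled branch. The outer handler catches `DCERPCSessionError` only, so if `enableRegistry()` fails with a different impacket or socket exception type (it appears to start the RemoteRegistry service through SCMR when that service is stopped, which is also a noisier action than the `reg query` it replaces) the module aborts for that host rather than logging and moving on; a broader `except Exception` at this boundary, logging and continuing, matches the best-effort intent, and the service start is worth a comment if the module stays marked opsec-safe (that attribute is outside the hunk). `_ = data = None` binds a throwaway name that the tuple unpack overwrites immediately; `data = None` alone reads cleaner. The two registry handles opened here are never closed with `hBaseRegCloseKey`; `finish()` tears the connection down so this is harmless, but a comment saying so would save the next reader the question.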
Signed-off-by: Deft_
---
 nxc/modules/recent_files.py | 39 ---------------------------------------
 1 file changed, 39 deletions(-)
 delete mode 100644 nxc/modules/recent_files.py
diff --git a/nxc/modules/recent_files.py b/nxc/modules/recent_files.py
deleted file mode 100644
index bee613af4..000000000
--- a/nxc/modules/recent_files.py
+++ /dev/null
@@ -1,39 +0,0 @@
-import pylnk3
-from io import BytesIO
-
-
-class NXCModule:
- # Get a list of recently modified files via LNK's stored in AppData\Roaming\Microsoft\Windows\Recent
- # Module by @Defte_
-
- name = "recent_files"
- description = "Extracts recently modified files"
- supported_protocols = ["smb"]
- opsec_safe = True
- multiple_hosts = True
- false_positive = [".", "..", "desktop.ini", "Public", "Default", "Default User", "All Users", ".NET v4.5", ".NET v4.5 Classic"]
-
- def options(self, context, module_options):
- """"""
-
- def on_admin_login(self, context, connection):
- lnks = []
- for directory in connection.conn.listPath("C$", "Users\\*"):
- if directory.get_longname() not in self.false_positive and directory.is_directory() > 0:
- context.log.highlight(f"C:\\{directory.get_longname()}")
- recent_files_dir = f"Users\\{directory.get_longname()}\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"
- for file in connection.conn.listPath("C$", f"{recent_files_dir}\\*"):
- file_path = f"{recent_files_dir}{file.get_longname()}"
- if file.get_longname() not in self.false_positive:
- file_path = f"{recent_files_dir}{file.get_longname()}"
- try:
- buf = BytesIO()
- connection.conn.getFile("C$", file_path, buf.write)
- buf.seek(0)
- lnk = pylnk3.parse(buf).path
- if lnk and lnk not in lnks:
- context.log.highlight(f"\t{lnk}")
- lnks.append(lnk)
- except Exception as e:
- # needed because of hidden directories in the Recents directory
- context.log.debug(f"Couldn't open {file_path} because of {e}")