1+ from impacket .dcerpc .v5 import rrp
2+ from impacket .examples .secretsdump import RemoteOperations
3+ from impacket .dcerpc .v5 .rrp import DCERPCSessionError
4+
15
26class NXCModule :
7+ # Reworked by @Defte_ 13/10/2024 to remove unecessary execute operation
38 name = "runasppl"
49 description = "Check if the registry value RunAsPPL is set or not"
510 supported_protocols = ["smb" ]
@@ -14,10 +19,35 @@ def options(self, context, module_options):
1419 """"""
1520
1621 def on_admin_login (self , context , connection ):
17- command = r"reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ /v RunAsPPL"
18- context .log .debug (f"Executing command: { command } " )
19- p = connection .execute (command , True )
20- if not p or "The system was unable to find the specified registry key or value" in p :
21- context .log .debug ("Unable to find RunAsPPL Registry Key" )
22- else :
23- context .log .highlight (p )
22+ try :
23+ remote_ops = RemoteOperations (connection .conn , False )
24+ remote_ops .enableRegistry ()
25+
26+ if remote_ops ._RemoteOperations__rrp :
27+ ans = rrp .hOpenLocalMachine (remote_ops ._RemoteOperations__rrp )
28+ reg_handle = ans ["phKey" ]
29+ ans = rrp .hBaseRegOpenKey (
30+ remote_ops ._RemoteOperations__rrp ,
31+ reg_handle ,
32+ "SYSTEM\\ CurrentControlSet\\ Control\\ Lsa"
33+ )
34+ key_handle = ans ["phkResult" ]
35+ _ = data = None
36+ try :
37+ _ , data = rrp .hBaseRegQueryValue (
38+ remote_ops ._RemoteOperations__rrp ,
39+ key_handle ,
40+ "RunAsPPL\x00 " ,
41+ )
42+ except rrp .DCERPCSessionError as e :
43+ context .log .debug (f"RunAsPPL error { e } on host { connection .host } " )
44+
45+ if data is None or data not in [1 , 2 ]:
46+ context .log .highlight ("RunAsPPL disabled" )
47+ else :
48+ context .log .highlight ("RunAsPPL enabled" )
49+
50+ except DCERPCSessionError as e :
51+ context .log .debug (f"Error connecting to RemoteRegistry { e } on host { connection .host } " )
52+ finally :
53+ remote_ops .finish ()