Update search filter for computer accounts

The userAccountControl search filter is a bit restrictive. I changed it from 4128 (32 - PASSWD_NOTREQD + 4096 - WORKSTATION_TRUST_ACCOUNT) to only 4096 since "After a computer account has joined the domain, it will just have the WORKSTATION_TRUST_ACCOUNT flag set (4096)" - https://www.trustedsec.com/blog/diving-into-pre-created-computer-accounts

Signed-off-by: ledrypotato <matt.taylor3@proton.me>

Author: ledrypotato

nxc/modules/pre2k.py

@@ -22,8 +22,8 @@ def options(self, context, module_options):
         """No options available"""
 
     def on_login(self, context, connection):
-        # Define the search filter for pre-created computer accounts
-        search_filter = "(&(objectClass=computer)(userAccountControl=4128))"
+        # Define the search filter for computer accounts
+        search_filter = "(&(objectClass=computer)(userAccountControl=4096))"
         attributes = ["sAMAccountName", "userAccountControl", "dNSHostName"]
 
         context.log.info(f"Using search filter: {search_filter}")
@@ -39,8 +39,8 @@ def on_login(self, context, connection):
 
             for computer in results:
                 context.log.debug(f"Processing computer: {computer['sAMAccountName']}, UAC: {computer['userAccountControl']}")
-                # Check if the account is a pre-created computer account
-                if int(computer["userAccountControl"]) == 4128:  # 4096 | 32
+                # Check if the account is a computer account (WORKSTATION_TRUST_ACCOUNT)
+                if int(computer["userAccountControl"]) == 4096:
                     computers.append(computer["sAMAccountName"])
                     context.log.debug(f"Added computer: {computer['sAMAccountName']}")