Add USER option to maq module to enumerate per-user machine join count

[PvUL00]

Description

Adds a USER option that queries how many computers a given user has already joined to the domain, compared against the MachineAccountQuota. Detection covers both SAMR domain joins (ms-DS-CreatorSID) and direct LDAP creation such as addcomputer.py (nTSecurityDescriptor owner SID).

Two detection methods are used to cover all creation paths:

1. ms-DS-CreatorSID — set by the DC for computers joined via SAMR (standard Windows domain join)
2. nTSecurityDescriptor owner SID — set for computers created via direct LDAP (e.g. addcomputer.py)

The LDAP query uses LDAP_SERVER_SD_FLAGS_OID (1.2.840.113556.1.4.801) with OWNER_SECURITY_INFORMATION=1 to retrieve only the owner portion of the security descriptor.

Usage:

MAQ only (unchanged behaviour)
nxc ldap <DC> -u <user> -p <pass> -M maq

MAQ + machine join count for a specific user
nxc ldap <DC> -u <user> -p <pass> -M maq -o USER=<username>

This module was built with the assistance of Claude Code (claude-sonnet-4-6). All code was reviewed and tested against a live AD lab.

Type of change

Insert an "x" inside the brackets for relevant items (do not delete options)

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Deprecation of feature or functionality
• This change requires a documentation update
• This requires a third party update (such as Impacket, Dploot, lsassy, etc)
• This PR was created with the assistance of AI (list what type of assistance, tool(s)/model(s) in the description)

Setup guide for the review

• Python 3.11, Linux (Exegol)
  • Tested against Windows Server 2019 DC (GOAD mini lab)
  • No additional software, GPO changes or registry settings required
  • To test: create a machine account then query the count:
    addcomputer.py -computer-name 'SHUTDOWN$' -computer-pass 'Password1!' -dc-host DC -domain-netbios LAB lab.local/user:pass

nxc ldap -u user -p pass -M maq -o USER=user
Expected:
Machines joined by 'user': 1/10 (remaining quota: 9)
Computer: SHUTDOWN

Screenshots (if appropriate):

Before :

After :

Checklist:

Insert an "x" inside the brackets for completed and relevant items (do not delete options)

• I have ran Ruff against my changes (poetry: poetry run ruff check ., use --fix to automatically fix what it can)
• I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
• If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
• I have linked relevant sources that describes the added technique (blog posts, documentation, etc)
• I have performed a self-review of my own code (not an AI review)
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)

[NeffIsBack]

Thanks for the PR!

[NeffIsBack]

Did you get raw bytes for the sid? I think this should have been parsed by the ldap attribute parser

[PvUL00]

The isinstance check has been removed and replaced with a direct call to sid_to_str (imported from nxc.parsers.ldap_results) which is the same function the attribute parser uses for objectSid.

[NeffIsBack]

Actually, since this attribute should always be an SID we should add that to the attribute parser itself, so that it does not have to be called by external scripts (the module in this case).

[PvUL00]

Done, ms-DS-CreatorSID has been added to parse_result_attributes in nxc/parsers/ldap_results.py and the manual sid_to_str call removed from the module