Translated ['src/generic-methodologies-and-resources/basic-forensic-meth

2025-10-10 18:36:50 +00:00 · 2025-09-30 09:14:17 +00:00 · 2025-09-30 09:14:17 +00:00 · 2a7826c886
commit 2a7826c886
parent 1b0580c36b
3 changed files with 293 additions and 40 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -37,6 +37,7 @@
  - [Mobile Phishing Malicious Apps](generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md)
  - [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
 - [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
+  - [Adaptixc2 Config Extraction And Ttps](generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md)
  - [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)
  - [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md)
  - [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md)
@ -130,6 +131,7 @@
    - [Seccomp](linux-hardening/privilege-escalation/docker-security/seccomp.md)
    - [Weaponizing Distroless](linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md)
  - [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md)
+  - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
  - [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md)
  - [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md)
    - [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
@ -771,7 +773,7 @@
    - [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md)
  - [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
  - [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
-  - [ROP and JOP](binary-exploitation/rop-return-oriented-programing/README.md)
+  - [ROP & JOP](binary-exploitation/rop-return-oriented-programing/README.md)
  - [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md)
  - [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
  - [Ret2dlresolve](binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md)
@ -840,6 +842,7 @@
  - [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md)
  - [WWW2Exec - \_\_malloc_hook & \_\_free_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md)
 - [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md)
+- [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
 - [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
 - [iOS Exploiting](binary-exploitation/ios-exploiting/README.md)
  - [ios CVE-2020-27950-mach_msg_trailer_t](binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md)
@ -937,6 +940,4 @@
 - [Stealing Sensitive Information Disclosure from a Web](todo/stealing-sensitive-information-disclosure-from-a-web.md)
 - [Post Exploitation](todo/post-exploitation.md)
 - [Investment Terms](todo/investment-terms.md)
- [Cookies Policy](todo/cookies-policy.md)
-
-  - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
+- [Cookies Policy](todo/cookies-policy.md)
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md
@ -0,0 +1,243 @@
+# AdaptixC2 Konfigurasie‑uittrekking en TTPs
+
+{{#include ../../banners/hacktricks-training.md}}
+
+AdaptixC2 is 'n modulaire, open‑source post‑exploitation/C2 framework met Windows x86/x64 beacons (EXE/DLL/service EXE/raw shellcode) en BOF support. Hierdie blad dokumenteer:
+- Hoe sy RC4‑gepakte konfigurasie ingebed is en hoe om dit uit beacons te onttrek
+- Netwerk-/profiel‑indikators vir HTTP/SMB/TCP‑luisteraars
+- Algemene loader- en persistentie‑TTPs wat in die veld waargeneem is, met skakels na relevante Windows tegniekbladsye
+
+## Beacon‑profiele en velde
+
+AdaptixC2 ondersteun drie primêre beacon‑tipes:
+- BEACON_HTTP: web C2 met konfigureerbare servers/poorte/SSL, method, URI, headers, user‑agent, en 'n persoonlike parameternaam
+- BEACON_SMB: named‑pipe peer‑to‑peer C2 (intranet)
+- BEACON_TCP: direkte sockets, opsioneel met 'n voorafgevoegde merker om die protokol‑begin te obfuskeer
+
+Tipiese profielvelde waargeneem in HTTP beacon‑konfigurasies (na ontsleuteling):
+- agent_type (u32)
+- use_ssl (bool)
+- servers_count (u32), servers (array of strings), ports (array of u32)
+- http_method, uri, parameter, user_agent, http_headers (length‑prefixed strings)
+- ans_pre_size (u32), ans_size (u32) – used to parse response sizes
+- kill_date (u32), working_time (u32)
+- sleep_delay (u32), jitter_delay (u32)
+- listener_type (u32)
+- download_chunk_size (u32)
+
+Example default HTTP profile (from a beacon build):
+```json
+{
+"agent_type": 3192652105,
+"use_ssl": true,
+"servers_count": 1,
+"servers": ["172.16.196.1"],
+"ports": [4443],
+"http_method": "POST",
+"uri": "/uri.php",
+"parameter": "X-Beacon-Id",
+"user_agent": "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0",
+"http_headers": "\r\n",
+"ans_pre_size": 26,
+"ans_size": 47,
+"kill_date": 0,
+"working_time": 0,
+"sleep_delay": 2,
+"jitter_delay": 0,
+"listener_type": 0,
+"download_chunk_size": 102400
+}
+```
+Waargenome kwaadwillige HTTP-profiel (werklike aanval):
+```json
+{
+"agent_type": 3192652105,
+"use_ssl": true,
+"servers_count": 1,
+"servers": ["tech-system[.]online"],
+"ports": [443],
+"http_method": "POST",
+"uri": "/endpoint/api",
+"parameter": "X-App-Id",
+"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36",
+"http_headers": "\r\n",
+"ans_pre_size": 26,
+"ans_size": 47,
+"kill_date": 0,
+"working_time": 0,
+"sleep_delay": 4,
+"jitter_delay": 0,
+"listener_type": 0,
+"download_chunk_size": 102400
+}
+```
+## Versleutelde konfigurasie‑verpakking en laaipad
+
+Wanneer die operator op Create in die builder klik, inkorporeer AdaptixC2 die versleutelde profiel as 'n tail blob in die beacon. Die formaat is:
+- 4 bytes: configuration size (uint32, little‑endian)
+- N bytes: RC4‑encrypted configuration data
+- 16 bytes: RC4 key
+
+Die beacon loader kopieer die 16‑byte key vanaf die einde en RC4‑decrypts die N‑byte blok in plek:
+```c
+ULONG profileSize = packer->Unpack32();
+this->encrypt_key = (PBYTE) MemAllocLocal(16);
+memcpy(this->encrypt_key, packer->data() + 4 + profileSize, 16);
+DecryptRC4(packer->data()+4, profileSize, this->encrypt_key, 16);
+```
+Praktiese implikasies:
+- Die hele struktuur woon dikwels binne die PE .rdata-seksie.
+- Onttrekking is deterministies: lees size, lees die ciphertext van daardie grootte, lees die 16‑byte key wat onmiddellik daarna geplaas is, en dan RC4‑decrypt.
+
+## Konfigurasie-onttrekking werkvloei (verdedigers)
+
+Skryf 'n onttrekker wat die beacon logika naboots:
+1) Lokaliseer die blob binne die PE (gewoonlik .rdata). 'n Pragmatiese benadering is om .rdata te deursoek vir 'n plausibele [size|ciphertext|16‑byte key] uitleg en probeer RC4.
+2) Lees die eerste 4 bytes → size (uint32 LE).
+3) Lees die volgende N=size bytes → ciphertext.
+4) Lees die finale 16 bytes → RC4 key.
+5) RC4‑decrypt die ciphertext. Parse dan die plain profile soos:
+- u32/boolean scalars soos hierbo vermeld
+- length‑prefixed strings (u32 length followed by bytes; trailing NUL can be present)
+- arrays: servers_count gevolg deur daardie aantal [string, u32 port] pare
+
+Minimal Python proof‑of‑concept (standalone, geen eksterne afhanklikhede) wat werk met 'n vooraf-onttrekte blob:
+```python
+import struct
+from typing import List, Tuple
+
+def rc4(key: bytes, data: bytes) -> bytes:
+S = list(range(256))
+j = 0
+for i in range(256):
+j = (j + S[i] + key[i % len(key)]) & 0xFF
+S[i], S[j] = S[j], S[i]
+i = j = 0
+out = bytearray()
+for b in data:
+i = (i + 1) & 0xFF
+j = (j + S[i]) & 0xFF
+S[i], S[j] = S[j], S[i]
+K = S[(S[i] + S[j]) & 0xFF]
+out.append(b ^ K)
+return bytes(out)
+
+class P:
+def __init__(self, buf: bytes):
+self.b = buf; self.o = 0
+def u32(self) -> int:
+v = struct.unpack_from('<I', self.b, self.o)[0]; self.o += 4; return v
+def u8(self) -> int:
+v = self.b[self.o]; self.o += 1; return v
+def s(self) -> str:
+L = self.u32(); s = self.b[self.o:self.o+L]; self.o += L
+return s[:-1].decode('utf-8','replace') if L and s[-1] == 0 else s.decode('utf-8','replace')
+
+def parse_http_cfg(plain: bytes) -> dict:
+p = P(plain)
+cfg = {}
+cfg['agent_type']    = p.u32()
+cfg['use_ssl']       = bool(p.u8())
+n                    = p.u32()
+cfg['servers']       = []
+cfg['ports']         = []
+for _ in range(n):
+cfg['servers'].append(p.s())
+cfg['ports'].append(p.u32())
+cfg['http_method']   = p.s()
+cfg['uri']           = p.s()
+cfg['parameter']     = p.s()
+cfg['user_agent']    = p.s()
+cfg['http_headers']  = p.s()
+cfg['ans_pre_size']  = p.u32()
+cfg['ans_size']      = p.u32() + cfg['ans_pre_size']
+cfg['kill_date']     = p.u32()
+cfg['working_time']  = p.u32()
+cfg['sleep_delay']   = p.u32()
+cfg['jitter_delay']  = p.u32()
+cfg['listener_type'] = 0
+cfg['download_chunk_size'] = 0x19000
+return cfg
+
+# Usage (when you have [size|ciphertext|key] bytes):
+# blob = open('blob.bin','rb').read()
+# size = struct.unpack_from('<I', blob, 0)[0]
+# ct   = blob[4:4+size]
+# key  = blob[4+size:4+size+16]
+# pt   = rc4(key, ct)
+# cfg  = parse_http_cfg(pt)
+```
+Tips:
+- When automating, use a PE parser to read .rdata then apply a skuiwende venster: for each offset o, try size = u32(.rdata[o:o+4]), ct = .rdata[o+4:o+4+size], candidate key = next 16 bytes; RC4‑decrypt and check that string fields decode as UTF‑8 and lengths are sane.
+- Ontleed SMB/TCP‑profiele deur dieselfde lengte‑voorafgeplakte konvensies te volg.
+
+## Network fingerprinting and hunting
+
+HTTP
+- Common: POST to operator‑selected URIs (e.g., /uri.php, /endpoint/api)
+- Pasgemaakte header‑parameter gebruik vir beacon ID (e.g., X‑Beacon‑Id, X‑App‑Id)
+- User‑agents mimicking Firefox 20 or contemporary Chrome builds
+- Polling‑kadens sigbaar via sleep_delay/jitter_delay
+
+SMB/TCP
+- SMB named‑pipe listeners vir intranet C2 waar web egress beperk is
+- TCP beacons kan 'n paar bytes voor verkeer vooraan sit om protocolbegin te obfuskeer
+
+## Loader and persistence TTPs seen in incidents
+
+In‑memory PowerShell loaders
+- Laai Base64/XOR payloads af (Invoke‑RestMethod / WebClient)
+- Allocate unmanaged memory, copy shellcode, switch protection to 0x40 (PAGE_EXECUTE_READWRITE) via VirtualProtect
+- Execute via .NET dynamic invocation: Marshal.GetDelegateForFunctionPointer + delegate.Invoke()
+
+Check these pages for in‑memory execution and AMSI/ETW considerations:
+
+{{#ref}}
+../../windows-hardening/av-bypass.md
+{{#endref}}
+
+Persistence mechanisms observed
+- Startup folder shortcut (.lnk) to re‑launch a loader at logon
+- Registry Run keys (HKCU/HKLM ...\CurrentVersion\Run), often with benign‑sounding names like "Updater" to start loader.ps1
+- DLL search‑order hijack by dropping msimg32.dll under %APPDATA%\Microsoft\Windows\Templates for susceptible processes
+
+Technique deep‑dives and checks:
+
+{{#ref}}
+../../windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+{{#endref}}
+
+{{#ref}}
+../../windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
+{{#endref}}
+
+Hunting ideas
+- PowerShell spawning RW→RX transitions: VirtualProtect to PAGE_EXECUTE_READWRITE inside powershell.exe
+- Dynamic invocation patterns (GetDelegateForFunctionPointer)
+- Startup .lnk under user or common Startup folders
+- Suspicious Run keys (e.g., "Updater"), and loader names like update.ps1/loader.ps1
+- User‑writable DLL paths under %APPDATA%\Microsoft\Windows\Templates containing msimg32.dll
+
+## Notes on OpSec fields
+
+- KillDate: timestamp after which the agent self‑expires
+- WorkingTime: hours when the agent should be active to blend with business activity
+
+These fields can be used for clustering and to explain observed quiet periods.
+
+## YARA and static leads
+
+Unit 42 published basic YARA for beacons (C/C++ and Go) and loader API‑hashing constants. Consider complementing with rules that look for the [size|ciphertext|16‑byte‑key] layout near PE .rdata end and the default HTTP profile strings.
+
+## References
+
+- [AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks (Unit 42)](https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/)
+- [AdaptixC2 GitHub](https://github.com/Adaptix-Framework/AdaptixC2)
+- [Adaptix Framework Docs](https://adaptix-framework.gitbook.io/adaptix-framework)
+- [Marshal.GetDelegateForFunctionPointer – Microsoft Docs](https://learn.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal.getdelegateforfunctionpointer)
+- [VirtualProtect – Microsoft Docs](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)
+- [Memory protection constants – Microsoft Docs](https://learn.microsoft.com/en-us/windows/win32/memory/memory-protection-constants)
+- [Invoke-RestMethod – PowerShell](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod)
+- [MITRE ATT&CK T1547.001 – Registry Run Keys/Startup Folder](https://attack.mitre.org/techniques/T1547/001/)
+
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
@ -2,7 +2,7 @@

 {{#include ../../banners/hacktricks-training.md}}

-## Forensics CheatSheets
+## Forensiek CheatSheets

 [https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)

@ -14,7 +14,7 @@
 - [Intezer](https://analyze.intezer.com)
 - [Any.Run](https://any.run/)

-## Offline Antivirus- en Opsporingsinstrumente
+## Offline Antivirus en Opsporingstools

 ### Yara

@ -24,8 +24,8 @@ sudo apt-get install -y yara
 ```
 #### Berei reëls voor

-Gebruik hierdie script om al die yara malware reëls van github af te laai en saam te voeg: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
-Skep die _**rules**_ directory en voer dit uit. Dit sal 'n lêer genaamd _**malware_rules.yar**_ skep wat al die yara reëls vir malware bevat.
+Gebruik hierdie skrip om al die yara malware-reëls van github af te laai en saam te voeg: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
+Skep die _**rules**_ gids en voer dit uit. Dit sal 'n lêer genaamd _**malware_rules.yar**_ skep wat al die yara-reëls vir malware bevat.
 ```bash
 wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
 mkdir rules
@ -36,9 +36,9 @@ python malware_yara_rules.py
 yara -w malware_rules.yar image  #Scan 1 file
 yara -w malware_rules.yar folder #Scan the whole folder
 ```
-#### YaraGen: Kontroleer vir malware en skep rules
+#### YaraGen: Kontroleer vir malware en Skep reëls

-Jy kan die tool [**YaraGen**](https://github.com/Neo23x0/yarGen) gebruik om yara rules uit 'n binary te genereer. Kyk na hierdie tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
+Jy kan die hulpmiddel [**YaraGen**](https://github.com/Neo23x0/yarGen) gebruik om yara rules van 'n binary te genereer. Kyk na hierdie handleidings: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
 ```bash
 python3 yarGen.py --update
 python3.exe yarGen.py --excludegood -m  ../../mals/
@ -57,7 +57,7 @@ clamscan folderpath #Scan the whole folder
 ```
 ### [Capa](https://github.com/mandiant/capa)

-**Capa** detecteer potensieel kwaadwillige **capabilities** in uitvoerbare lêers: PE, ELF, .NET. Dit sal dus dinge vind soos Att\&ck tactics, of verdagte capabilities soos:
+**Capa** identifiseer potensieel kwaadwillige **capabilities** in uitvoerbare lêers: PE, ELF, .NET. Dit sal dus dinge vind soos Att\&ck tactics, of verdagte capabilities soos:

 - check for OutputDebugString error
 - run as a service
@ -67,16 +67,16 @@ Kry dit in die [**Github repo**](https://github.com/mandiant/capa).

 ### IOCs

-IOC beteken Indicator Of Compromise. 'n IOC is 'n stel **voorwaardes wat identifiseer** sekere potensieel ongewensde sagteware of bevestigde **malware**. Blue Teams gebruik hierdie soort definisie om te **soek na hierdie soort kwaadwillige lêers** in hul **sisteme** en **netwerke**.\
-Om hierdie definisies te deel is baie nuttig, want wanneer **malware** in 'n rekenaar geïdentifiseer word en 'n IOC vir daardie **malware** geskep word, kan ander Blue Teams dit gebruik om die **malware** vinniger te identifiseer.
+IOC beteken Aanwyser van Kompromittering. 'n IOC is 'n stel **voorwaardes wat identifiseer** sommige moontlik ongewenste sagteware of bevestigde **malware**. Blue Teams gebruik hierdie soort definisie om **na hierdie soort kwaadwillige lêers te soek** in hul **stelsels** en **netwerke**.\
+Om hierdie definisies te deel is baie nuttig, want as malware in 'n rekenaar geïdentifiseer word en 'n IOC vir daardie malware geskep word, kan ander Blue Teams dit gebruik om die malware vinniger te identifiseer.

-'n Instrument om IOCs te skep of te wysig is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
-Jy kan gereedskap soos [**Redline**](https://www.fireeye.com/services/freeware/redline.html) gebruik om **te soek na gedefinieerde IOCs in 'n toestel**.
+'n hulpmiddel om IOCs te skep of te wysig is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
+Jy kan gereedskap soos [**Redline**](https://www.fireeye.com/services/freeware/redline.html) gebruik om **vir gedefinieerde IOCs in 'n toestel te soek**.

 ### Loki

-[**Loki**](https://github.com/Neo23x0/Loki) is 'n skandeerder vir Simple Indicators of Compromise.\
-Deteksie is gebaseer op vier deteksiemetodes:
+[**Loki**](https://github.com/Neo23x0/Loki) is 'n skandeerder vir eenvoudige Aanwysers van Kompromittering.\
+Opsporing is gebaseer op vier opsporingsmetodes:
 ```
 1. File Name IOC
 Regex match on full file path/name
@ -92,41 +92,41 @@ Compares process connection endpoints with C2 IOCs (new since version v.10)
 ```
 ### Linux Malware Detect

-[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is 'n malware-skandeerder vir Linux wat vrygestel is onder die GNU GPLv2-lisensie, en is ontwerp vir die bedreigings wat in gedeelde gehoste omgewings teëgekom word. Dit gebruik bedreigingsdata van netwerkrand indringingsopsporingsisteme om malware te onttrek wat aktief in aanvalle gebruik word, en genereer signatures vir opsporing. Daarbenewens word bedreigingsdata ook verkry uit gebruikersinskrywings via die LMD checkout-funksie en malware-communitybronne.
+[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is 'n malware-skandeerder vir Linux wat vrygestel is onder die GNU GPLv2-lisensie, en ontwerp is rondom die bedreigings wat in gedeelde gehoste omgewings voorkom. Dit gebruik bedreigingsdata van netwerkrand intrusion detection systems om malware wat aktief in aanvalle gebruik word uit te trek en signatures te genereer vir opsporing. Daarbenewens word bedreigingsdata ook verkry uit gebruikersinskrywings met die LMD checkout-funksie en malware-gemeenskapsbronne.

 ### rkhunter

-Instrumente soos [**rkhunter**](http://rkhunter.sourceforge.net) kan gebruik word om die lêerstelsel te ondersoek vir moontlike **rootkits** en malware.
+Gereedskap soos [**rkhunter**](http://rkhunter.sourceforge.net) kan gebruik word om die lêerstelsel na moontlike **rootkits** en malware na te gaan.
 ```bash
 sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
 ```
 ### FLOSS

-[**FLOSS**](https://github.com/mandiant/flare-floss) is 'n hulpmiddel wat probeer om geobfusceerde strings binne uitvoerbare lêers te vind deur verskillende tegnieke te gebruik.
+[**FLOSS**](https://github.com/mandiant/flare-floss) is 'n hulpmiddel wat probeer om obfuscated strings binne uitvoerbare lêers te vind deur verskeie tegnieke te gebruik.

 ### PEpper

-[PEpper ](https://github.com/Th3Hurrican3/PEpper) kontroleer sommige basiese dinge in die uitvoerbare lêer (binary data, entropy, URLs and IPs, some yara rules).
+[PEpper ](https://github.com/Th3Hurrican3/PEpper) kontroleer 'n paar basiese dinge in die uitvoerbare lêer (binary data, entropy, URLs and IPs, some yara rules).

 ### PEstudio

-[PEstudio](https://www.winitor.com/download) is 'n hulpmiddel wat inligting oor Windows executables verskaf, soos imports, exports, headers, maar sal ook virus total kontroleer en potensiële Att\&ck techniques vind.
+[PEstudio](https://www.winitor.com/download) is 'n hulpmiddel wat inligting oor Windows-uitvoerbare lêers verskaf soos imports, exports, headers, maar sal ook virus total kontroleer en moontlike Att\&ck techniques vind.

 ### Detect It Easy(DiE)

-[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is 'n hulpmiddel om te bepaal of 'n lêer **geënkripteer** is en ook **packers** te vind.
+[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is 'n hulpmiddel om te bepaal of 'n lêer encrypted is en ook packers te vind.

 ### NeoPI

-[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is 'n Python-skrip wat 'n verskeidenheid van **statistiese metodes** gebruik om **geobfusceerde** en **geënkripteerde** inhoud binne teks-/script-lêers op te spoor. Die beoogde doel van NeoPI is om te help met die **opsporing van verborge web shell code**.
+[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) is 'n Python-skrip wat 'n verskeidenheid statistical methods gebruik om obfuscated en encrypted inhoud binne teks-/scriptlêers te detecteer. Die beoogde doel van NeoPI is om te help met die detection of hidden web shell code.

 ### **php-malware-finder**

-[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) doen sy bes om **geobfusceerde**/**skadelike code** op te spoor, sowel as lêers wat **PHP** funksies gebruik wat dikwels in **malwares**/webshells gebruik word.
+[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) doen sy uiterste bes om obfuscated/dodgy code op te spoor, sowel as lêers wat PHP-funksies gebruik wat dikwels in malwares/webshells gebruik word.

 ### Apple Binary Signatures

-Wanneer jy 'n **malware sample** nagaan, moet jy altyd die **handtekening** van die binêre lêer kontroleer, aangesien die **developer** wat dit gesigneer het dalk reeds met **malware** verwant is.
+Wanneer jy 'n malware sample nagaan, moet jy altyd die signature van die binary nagaan, aangesien die developer wat dit geteken het dalk reeds met malware in verband staan.
 ```bash
 #Get signer
 codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
@ -141,15 +141,15 @@ spctl --assess --verbose /Applications/Safari.app

 ### File Stacking

-As jy weet dat 'n gids wat die **files** van 'n **web server** bevat **laas opgedateer is op 'n sekere datum**. **Kontroleer** die **datum** waarop al die **files** in die **web server** geskep en gewysig is, en as enige datum **verdagtig** is, ondersoek daardie **file**.
+Indien jy weet dat 'n gids wat die **files** van 'n **web server** bevat op 'n bepaalde **datum** laas bygewerk is, **kontroleer** die **datum** waarop al die **files** in die **web server** geskep en gewysig is; as enige datum **verdag** is, ondersoek daardie file.

 ### Baselines

-As die **files** van 'n gids **nie veronderstel was om gewysig te word nie**, kan jy die **hash** van die **original files** van die gids bereken en dit **vergelyk** met die **current** een. Enige item wat verander is sal **verdagtig** wees.
+As die **files** van 'n gids **nie moes verander het nie**, kan jy die **hash** van die **original files** van die gids bereken en dit met die **current** vergelyk. Alles wat gewysig is sal **verdag** wees.

 ### Statistical Analysis

-Wanneer die inligting in logs gestoor word, kan jy **statistieke kontroleer, soos hoeveel keer elke file van 'n web server geraadpleeg is**, aangesien 'n **web shell** moontlik baie keer geraadpleeg word.
+Wanneer die inligting in **logs** gestoor word, kan jy **statistieke** nagaan soos hoe dikwels elke **file** van 'n **web server** geraadpleeg is, aangesien 'n **web shell** moontlik een van die mees.

 ---

@ -167,11 +167,11 @@ See the Android native reversing page for setup details and log paths:

 ## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)

-Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`.  A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
+Moderne malware families maak swaar gebruik van Control-Flow Graph (CFG) obfuscation: in plaas van 'n direkte jump/call bereken hulle die bestemming tydens run-time en voer `jmp rax` of `call rax` uit. 'n Klein *dispatcher* (gewoonlik nege instruksies) stel die finale teiken afhangende van die CPU `ZF`/`CF` vlagte, wat statiese CFG-herwinning heeltemal breek.

-The technique – showcased by the SLOW#TEMPEST loader – can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator.
+Die tegniek – gedemonstreer deur die SLOW#TEMPEST loader – kan gekeer word met 'n drie-stap workflow wat slegs op IDAPython en die Unicorn CPU emulator staatmaak.

-### 1. Lokaliseer elke indirect jump / call
+### 1. Vind elke indirekte jump / call
 ```python
 import idautils, idc

@ -180,7 +180,7 @@ mnem = idc.print_insn_mnem(ea)
 if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
 print(f"[+] Dispatcher found @ {ea:X}")
 ```
-### 2. Ekstraheer die dispatcher byte-code
+### 2. Haal die dispatcher byte-code uit
 ```python
 import idc

@ -211,9 +211,9 @@ mu.reg_write(UC_X86_REG_RAX, 0)
 mu.emu_start(BASE, BASE+len(code))
 return mu.reg_read(UC_X86_REG_RAX)
 ```
-Voer `run(code,0,0)` en `run(code,1,1)` uit om die *false* en *true* branch targets te bekom.
+Voer `run(code,0,0)` en `run(code,1,1)` uit om die *false* en *true* branch targets te verkry.

-### 4. Patch back a direct jump / call
+### 4. Patch 'n direkte jump / call terug
 ```python
 import struct, ida_bytes

@ -222,28 +222,37 @@ op   = 0xE8 if is_call else 0xE9           # CALL rel32 or JMP rel32
 disp = target - (ea + 5) & 0xFFFFFFFF
 ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
 ```
-Na patching, dwing IDA om die funksie weer te ontleed sodat die volledige CFG en Hex-Rays-uitset herstel word:
+Na patching, dwing IDA om die funksie weer te heranaliseer sodat die volledige CFG en Hex-Rays output herstel word:
 ```python
 import ida_auto, idaapi
 idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
 ```
-### 5. Merk indirekte API calls
+### 5. Merk indirekte API-aanroepe

-Sodra die werklike bestemming van elke `call rax` bekend is, kan jy aan IDA sê wat dit is sodat parameter-tipes & veranderlike name outomaties herstel word:
+Sodra die werklike bestemming van elke `call rax` bekend is, kan jy IDA vertel wat dit is sodat parametertipes & veranderlike name outomaties herstel word:
 ```python
 idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+
 ```
 ### Praktiese voordele

-* Herstel die werklike CFG → dekompilasie gaan van *10* reëls na duisende.
-* Maak string-cross-reference & xrefs moontlik, wat gedragsheropbou triviaal maak.
+* Herstel die werklike CFG → decompilation gaan van *10* lyne na duisende.
+* Maak string-cross-reference & xrefs moontlik, wat gedragsherbou triviaal maak.
 * Skripte is herbruikbaar: plaas dit in enige loader wat deur dieselfde truuk beskerm word.

 ---

+## AdaptixC2: Konfigurasie-onttrekking en TTPs
+
+Sien die toegewyde bladsy:
+
+{{#ref}}
+adaptixc2-config-extraction-and-ttps.md
+{{#endref}}
+
 ## Verwysings

 - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
 - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
+- [Unit42 – AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks](https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/)

 {{#include ../../banners/hacktricks-training.md}}