Translated ['src/generic-methodologies-and-resources/basic-forensic-meth

2025-10-10 18:36:50 +00:00 · 2025-09-30 09:11:05 +00:00 · 2025-09-30 09:11:05 +00:00 · 32cb229fe6
commit 32cb229fe6
parent a2b8389687
3 changed files with 306 additions and 53 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -37,6 +37,7 @@
  - [Mobile Phishing Malicious Apps](generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md)
  - [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
 - [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
+  - [Adaptixc2 Config Extraction And Ttps](generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md)
  - [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)
  - [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md)
  - [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md)
@ -130,6 +131,7 @@
    - [Seccomp](linux-hardening/privilege-escalation/docker-security/seccomp.md)
    - [Weaponizing Distroless](linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md)
  - [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md)
+  - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
  - [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md)
  - [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md)
    - [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
@ -771,7 +773,7 @@
    - [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md)
  - [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
  - [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
-  - [ROP and JOP](binary-exploitation/rop-return-oriented-programing/README.md)
+  - [ROP & JOP](binary-exploitation/rop-return-oriented-programing/README.md)
  - [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md)
  - [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
  - [Ret2dlresolve](binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md)
@ -840,6 +842,7 @@
  - [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md)
  - [WWW2Exec - \_\_malloc_hook & \_\_free_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md)
 - [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md)
+- [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
 - [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
 - [iOS Exploiting](binary-exploitation/ios-exploiting/README.md)
  - [ios CVE-2020-27950-mach_msg_trailer_t](binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md)
@ -937,6 +940,4 @@
 - [Stealing Sensitive Information Disclosure from a Web](todo/stealing-sensitive-information-disclosure-from-a-web.md)
 - [Post Exploitation](todo/post-exploitation.md)
 - [Investment Terms](todo/investment-terms.md)
- [Cookies Policy](todo/cookies-policy.md)
-
-  - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
+- [Cookies Policy](todo/cookies-policy.md)
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md
@ -0,0 +1,243 @@
+# Uchukuaji wa Usanidi wa AdaptixC2 na TTPs
+
+{{#include ../../banners/hacktricks-training.md}}
+
+AdaptixC2 ni framework modular, open‑source ya post‑exploitation/C2 yenye Windows x86/x64 beacons (EXE/DLL/service EXE/raw shellcode) na BOF support. Ukurasa huu unaandika kuhusu:
+- Jinsi usanidi wake uliopakiwa kwa RC4 umeingizwa na jinsi ya kuuchota kutoka kwa beacons
+- Viashiria vya mtandao/profaili kwa listeners za HTTP/SMB/TCP
+- TTPs za kawaida za loader na persistence zilizobainika katika mazingira ya kweli, pamoja na viungo kwa kurasa za mbinu za Windows zinazohusiana
+
+## Beacon profiles and fields
+
+AdaptixC2 inaunga mkono aina tatu kuu za beacon:
+- BEACON_HTTP: web C2 yenye servers/ports/SSL zinazoweza kusanidiwa, method, URI, headers, user‑agent, na custom parameter name
+- BEACON_SMB: named‑pipe peer‑to‑peer C2 (intranet)
+- BEACON_TCP: direct sockets, hiari zikiwa na marker iliyowekwa mwanzoni ili kuficha mwanzo wa protocol
+
+Mashamba ya profaili ya kawaida yaliyobainika katika config za beacon za HTTP (baada ya decryption):
+- agent_type (u32)
+- use_ssl (bool)
+- servers_count (u32), servers (array of strings), ports (array of u32)
+- http_method, uri, parameter, user_agent, http_headers (length‑prefixed strings)
+- ans_pre_size (u32), ans_size (u32) – used to parse response sizes
+- kill_date (u32), working_time (u32)
+- sleep_delay (u32), jitter_delay (u32)
+- listener_type (u32)
+- download_chunk_size (u32)
+
+Example default HTTP profile (from a beacon build):
+```json
+{
+"agent_type": 3192652105,
+"use_ssl": true,
+"servers_count": 1,
+"servers": ["172.16.196.1"],
+"ports": [4443],
+"http_method": "POST",
+"uri": "/uri.php",
+"parameter": "X-Beacon-Id",
+"user_agent": "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0",
+"http_headers": "\r\n",
+"ans_pre_size": 26,
+"ans_size": 47,
+"kill_date": 0,
+"working_time": 0,
+"sleep_delay": 2,
+"jitter_delay": 0,
+"listener_type": 0,
+"download_chunk_size": 102400
+}
+```
+Profaili ya HTTP yenye nia mbaya iliyogunduliwa (shambulio la kweli):
+```json
+{
+"agent_type": 3192652105,
+"use_ssl": true,
+"servers_count": 1,
+"servers": ["tech-system[.]online"],
+"ports": [443],
+"http_method": "POST",
+"uri": "/endpoint/api",
+"parameter": "X-App-Id",
+"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36",
+"http_headers": "\r\n",
+"ans_pre_size": 26,
+"ans_size": 47,
+"kill_date": 0,
+"working_time": 0,
+"sleep_delay": 4,
+"jitter_delay": 0,
+"listener_type": 0,
+"download_chunk_size": 102400
+}
+```
+## Ufungashaji wa usanidi uliosimbwa na njia ya kupakia
+
+Wakati operator anabonyeza Create katika builder, AdaptixC2 inaweka profaili iliyosimbwa kama tail blob ndani ya beacon. Muundo ni:
+- 4 bytes: configuration size (uint32, little‑endian)
+- N bytes: RC4‑encrypted configuration data
+- 16 bytes: RC4 key
+
+Beacon loader inakopa 16‑byte key kutoka mwisho na RC4‑decrypts N‑byte block mahali pake:
+```c
+ULONG profileSize = packer->Unpack32();
+this->encrypt_key = (PBYTE) MemAllocLocal(16);
+memcpy(this->encrypt_key, packer->data() + 4 + profileSize, 16);
+DecryptRC4(packer->data()+4, profileSize, this->encrypt_key, 16);
+```
+Matokeo ya vitendo:
+- Muundo mzima mara nyingi upo ndani ya sehemu ya PE .rdata.
+- Uchimbaji ni isiyobadilika: soma size, soma ciphertext ya ukubwa huo, soma 16‑byte key iliyowekwa mara moja baada yake, kisha RC4‑decrypt.
+
+## Mtiririko wa uchimbaji wa configuration (walinzi)
+
+Andika extractor inayofanana na mantiki ya beacon:
+1) Pata blob ndani ya PE (kawaida .rdata). Njia ya vitendo ni kuskena .rdata kutafuta muundo unaowezekana wa [size|ciphertext|16‑byte key] na kujaribu RC4.
+2) Soma 4 bytes za kwanza → size (uint32 LE).
+3) Soma bytes zifuatazo N=size → ciphertext.
+4) Soma 16 bytes za mwisho → RC4 key.
+5) RC4‑decrypt the ciphertext. Kisha changanua profaili wazi kama:
+- u32/boolean scalars kama ilivyoelezwa hapo juu
+- length‑prefixed strings (u32 length followed by bytes; trailing NUL can be present)
+- arrays: servers_count ikifuatiwa na idadi hiyo ya jozi [string, u32 port]
+
+Minimal Python proof‑of‑concept (standalone, no external deps) that works with a pre‑extracted blob:
+```python
+import struct
+from typing import List, Tuple
+
+def rc4(key: bytes, data: bytes) -> bytes:
+S = list(range(256))
+j = 0
+for i in range(256):
+j = (j + S[i] + key[i % len(key)]) & 0xFF
+S[i], S[j] = S[j], S[i]
+i = j = 0
+out = bytearray()
+for b in data:
+i = (i + 1) & 0xFF
+j = (j + S[i]) & 0xFF
+S[i], S[j] = S[j], S[i]
+K = S[(S[i] + S[j]) & 0xFF]
+out.append(b ^ K)
+return bytes(out)
+
+class P:
+def __init__(self, buf: bytes):
+self.b = buf; self.o = 0
+def u32(self) -> int:
+v = struct.unpack_from('<I', self.b, self.o)[0]; self.o += 4; return v
+def u8(self) -> int:
+v = self.b[self.o]; self.o += 1; return v
+def s(self) -> str:
+L = self.u32(); s = self.b[self.o:self.o+L]; self.o += L
+return s[:-1].decode('utf-8','replace') if L and s[-1] == 0 else s.decode('utf-8','replace')
+
+def parse_http_cfg(plain: bytes) -> dict:
+p = P(plain)
+cfg = {}
+cfg['agent_type']    = p.u32()
+cfg['use_ssl']       = bool(p.u8())
+n                    = p.u32()
+cfg['servers']       = []
+cfg['ports']         = []
+for _ in range(n):
+cfg['servers'].append(p.s())
+cfg['ports'].append(p.u32())
+cfg['http_method']   = p.s()
+cfg['uri']           = p.s()
+cfg['parameter']     = p.s()
+cfg['user_agent']    = p.s()
+cfg['http_headers']  = p.s()
+cfg['ans_pre_size']  = p.u32()
+cfg['ans_size']      = p.u32() + cfg['ans_pre_size']
+cfg['kill_date']     = p.u32()
+cfg['working_time']  = p.u32()
+cfg['sleep_delay']   = p.u32()
+cfg['jitter_delay']  = p.u32()
+cfg['listener_type'] = 0
+cfg['download_chunk_size'] = 0x19000
+return cfg
+
+# Usage (when you have [size|ciphertext|key] bytes):
+# blob = open('blob.bin','rb').read()
+# size = struct.unpack_from('<I', blob, 0)[0]
+# ct   = blob[4:4+size]
+# key  = blob[4+size:4+size+16]
+# pt   = rc4(key, ct)
+# cfg  = parse_http_cfg(pt)
+```
+Vidokezo:
+- Wakati unapo-automate, tumia PE parser kusoma .rdata kisha tumia sliding window: kwa kila offset o, jaribu size = u32(.rdata[o:o+4]), ct = .rdata[o+4:o+4+size], candidate key = next 16 bytes; RC4‑decrypt na angalia kwamba string fields zina-decode kama UTF‑8 na lengths ni za busara.
+- Parsa profile za SMB/TCP kwa kufuata conventions za length‑prefixed sawa.
+
+## Utambuzi wa sifa za mtandao na uwindaji
+
+HTTP
+- Mara nyingi: POST kwa URIs zilizochaguliwa na operator (mf., /uri.php, /endpoint/api)
+- Kigezo cha header maalum kinachotumika kwa beacon ID (mf., X‑Beacon‑Id, X‑App‑Id)
+- User‑agents zinajaribu kuiga Firefox 20 au matoleo ya Chrome ya sasa
+- Mdundo wa polling unaoonekana kupitia sleep_delay/jitter_delay
+
+SMB/TCP
+- SMB named‑pipe listeners kwa C2 ya intranet pale ambapo egress ya web imezuiwa
+- TCP beacons yanaweza kuweka bytes chache kabla ya trafiki ili kuficha kuanza kwa protocol
+
+## Loader and persistence TTPs zilizoshuhudiwa katika matukio
+
+Loaders za PowerShell ambazo zinafanya kazi ndani ya kumbukumbu
+- Pakua payloads za Base64/XOR (Invoke‑RestMethod / WebClient)
+- Tenga unmanaged memory, nakili shellcode, badilisha ulinzi kwa 0x40 (PAGE_EXECUTE_READWRITE) kupitia VirtualProtect
+- Endesha kupitia .NET dynamic invocation: Marshal.GetDelegateForFunctionPointer + delegate.Invoke()
+
+Angalia kurasa hizi kuhusu utekelezaji ndani ya kumbukumbu na masuala ya AMSI/ETW:
+
+{{#ref}}
+../../windows-hardening/av-bypass.md
+{{#endref}}
+
+Mbinu za persistence zilizoshuhudiwa
+- Shortcut ya Startup folder (.lnk) ili kuzindua tena loader wakati wa logon
+- Registry Run keys (HKCU/HKLM ...\CurrentVersion\Run), mara nyingi zikiwa na majina yanayosikika kuwa yasiyotishia kama "Updater" kuanzisha loader.ps1
+- DLL search‑order hijack kwa kuweka msimg32.dll chini ya %APPDATA%\Microsoft\Windows\Templates kwa processes zinazoweza kuathiriwa
+
+Uchunguzi wa kina wa mbinu na ukaguzi:
+
+{{#ref}}
+../../windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+{{#endref}}
+
+{{#ref}}
+../../windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
+{{#endref}}
+
+Mapendekezo ya uwindaji
+- PowerShell kuanzisha mabadiliko ya RW→RX: VirtualProtect kwa PAGE_EXECUTE_READWRITE ndani ya powershell.exe
+- Mifumo ya dynamic invocation (GetDelegateForFunctionPointer)
+- Startup .lnk chini ya folda za Startup za mtumiaji au za kawaida
+- Run keys za kushangaza (mf., "Updater"), na majina ya loader kama update.ps1/loader.ps1
+- Path za DLL zinazoweza kuandikwa na mtumiaji chini ya %APPDATA%\Microsoft\Windows\Templates zenye msimg32.dll
+
+## Vidokezo kuhusu sehemu za OpSec
+
+- KillDate: timestamp baada ya hapo agent inajimaliza
+- WorkingTime: saa ambazo agent inapaswa kuwa hai ili kuendana na shughuli za kibiashara
+
+Sehemu hizi zinaweza kutumika kwa clustering na kuelezea vipindi vya ukimya vilivyobainishwa.
+
+## YARA na vidokezo vya static
+
+Unit 42 ilichapisha basic YARA kwa beacons (C/C++ and Go) na loader API‑hashing constants. Fikiria kuongeza rules zinatafuta muundo wa [size|ciphertext|16‑byte‑key] karibu na mwisho wa PE .rdata na default HTTP profile strings.
+
+## References
+
+- [AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks (Unit 42)](https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/)
+- [AdaptixC2 GitHub](https://github.com/Adaptix-Framework/AdaptixC2)
+- [Adaptix Framework Docs](https://adaptix-framework.gitbook.io/adaptix-framework)
+- [Marshal.GetDelegateForFunctionPointer – Microsoft Docs](https://learn.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal.getdelegateforfunctionpointer)
+- [VirtualProtect – Microsoft Docs](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)
+- [Memory protection constants – Microsoft Docs](https://learn.microsoft.com/en-us/windows/win32/memory/memory-protection-constants)
+- [Invoke-RestMethod – PowerShell](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod)
+- [MITRE ATT&CK T1547.001 – Registry Run Keys/Startup Folder](https://attack.mitre.org/techniques/T1547/001/)
+
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
@ -1,8 +1,8 @@
-# Malware Analysis
+# Uchambuzi wa Malware

 {{#include ../../banners/hacktricks-training.md}}

-## Forensics CheatSheets
+## CheatSheets za Forensics

 [https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)

@ -14,31 +14,31 @@
 - [Intezer](https://analyze.intezer.com)
 - [Any.Run](https://any.run/)

-## Zana za Antivirus na Utambuzi zisizo za Mtandaoni
+## Zana za Antivirus na Ugunduzi zisizo mtandaoni

 ### Yara

-#### Sakinisha
+#### Usakinishaji
 ```bash
 sudo apt-get install -y yara
 ```
-#### Andaa rules
+#### Tayarisha rules

-Tumia script hii kupakua na kuunganisha yote yara malware rules kutoka github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
-Tengeneza saraka _**rules**_ kisha ukimbize script hiyo. Hii itaunda faili liitwalo _**malware_rules.yar**_ ambalo lina yara rules zote za malware.
+Tumia script hii kupakua na kuunganisha yara malware rules zote kutoka github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
+Unda saraka _**rules**_ na uiendeshe. Hii itaunda faili iitwayo _**malware_rules.yar**_ ambayo ina yara rules zote za malware.
 ```bash
 wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
 mkdir rules
 python malware_yara_rules.py
 ```
-#### Skana
+#### Scan
 ```bash
 yara -w malware_rules.yar image  #Scan 1 file
 yara -w malware_rules.yar folder #Scan the whole folder
 ```
-#### YaraGen: Kagua malware na unda rules
+#### YaraGen: Angalia malware na unda rules

-Unaweza kutumia zana [**YaraGen**](https://github.com/Neo23x0/yarGen) kutengeneza yara rules kutoka kwa binary. Angalia mafunzo haya: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
+Unaweza kutumia zana [**YaraGen**](https://github.com/Neo23x0/yarGen) kutengeneza yara rules kutoka kwa binary. Angalia mafundisho haya: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
 ```bash
 python3 yarGen.py --update
 python3.exe yarGen.py --excludegood -m  ../../mals/
@ -57,26 +57,26 @@ clamscan folderpath #Scan the whole folder
 ```
 ### [Capa](https://github.com/mandiant/capa)

-**Capa** inatambua uwezo unaoweza kuwa hatari katika executables: PE, ELF, .NET. Hivyo itapata mambo kama Att\&ck tactics, au uwezo wenye shaka kama:
+**Capa** huigundua capabilities zinazoweza kuwa za uharibifu katika executables: PE, ELF, .NET. Hivyo itapata vitu kama Att\&ck tactics, au capabilities zenye shaka kama:

- angalia OutputDebugString error
+- check for OutputDebugString error
 - run as a service
 - create process

-Pata kwenye [**Github repo**](https://github.com/mandiant/capa).
+Pata kutoka [**Github repo**](https://github.com/mandiant/capa).

 ### IOCs

-IOC inamaanisha Indicator Of Compromise. IOC ni seti ya **masharti yanayotambulisha** baadhi ya software zinazoweza kuwa haipendeki au kuthibitishwa kuwa **malware**. Blue Teams hutumia aina hii ya ufafanuzi ili **kutafuta aina hii ya faili zenye madhara** katika **sistimu** na **mitandao** yao.\
-Kushirikisha ufafanuzi hivi ni muhimu sana; pale malware inapotambulika kwenye kompyuta na IOC kwa ajili ya malware hiyo ikitengenezwa, Blue Teams wengine wanaweza kuitumia kuitambua malware hiyo haraka zaidi.
+IOC inamaanisha Indicator Of Compromise. IOC ni seti ya **conditions that identify** baadhi ya software zinazoweza kuwa zisizohitajika au **malware** iliyothibitishwa. Blue Teams hutumia aina hii ya ufafanuzi ili **kutafuta aina hizi za faili zenye uharibifu** katika **mifumo** na **mitandao** yao.\
+Kushiriki ufafanuzi huu ni muhimu sana kwani pale ambapo malware inapogundulika kwenye kompyuta na IOC ya malware hiyo inatengenezwa, Blue Teams nyingine zinaweza kuitumia kumtambua malware haraka zaidi.

-Chombo cha kuunda au kuhariri IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
-Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) kutafuta **IOC zilizofafanuliwa kwenye kifaa**.
+Chombo cha kuunda au kubadilisha IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
+Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) ili **kutafuta IOCs zilizofafanuliwa kwenye kifaa**.

 ### Loki

-[**Loki**](https://github.com/Neo23x0/Loki) ni scanner kwa Simple Indicators of Compromise.\
-Ugunduzi unategemea mbinu nne za utambuzi:
+[**Loki**](https://github.com/Neo23x0/Loki) ni skana kwa Simple Indicators of Compromise.\
+Ugunduzi unategemea njia nne za kutambua:
 ```
 1. File Name IOC
 Regex match on full file path/name
@ -92,41 +92,41 @@ Compares process connection endpoints with C2 IOCs (new since version v.10)
 ```
 ### Linux Malware Detect

-[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni skana ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, iliyoundwa kwa kuzingatia tishio zinazokumba mazingira yaliyoshirikiwa ya mwenyeji. Inatumia data za tishio kutoka kwa mifumo ya utambuzi wa uvamizi kwenye kingo za mtandao ili kutoa malware zinazotumika katika mashambulizi na kuzalisha saini za kugundua. Zaidi ya hayo, data za tishio hupatikana pia kutoka kwa mawasilisho ya watumiaji kupitia kipengele cha LMD checkout na rasilimali za jamii ya malware.
+[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni skana ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, iliyoundwa kuzingatia vitisho vinavyokabiliwa katika mazingira ya mwenyeji wa pamoja. Inatumia data za vitisho kutoka kwa network edge intrusion detection systems ili kuibua malware zinazotumika kwa vitendo katika mashambulizi na kutengeneza signatures za utambuzi. Zaidi ya hayo, data za vitisho pia hupatikana kutoka kwa mawasilisho ya watumiaji kupitia LMD checkout feature na rasilimali za jamii ya malware.

 ### rkhunter

-Zana kama [**rkhunter**](http://rkhunter.sourceforge.net) zinaweza kutumika kukagua filesystem kwa uwezekano wa **rootkits** na malware.
+Zana kama [**rkhunter**](http://rkhunter.sourceforge.net) zinaweza kutumika kukagua mfumo wa faili kwa ajili ya **rootkits** zinazowezekana na malware.
 ```bash
 sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
 ```
 ### FLOSS

-[**FLOSS**](https://github.com/mandiant/flare-floss) ni zana itakayojaribu kutafuta obfuscated strings ndani ya executables kwa kutumia mbinu mbalimbali.
+[**FLOSS**](https://github.com/mandiant/flare-floss) ni zana itakayejaribu kupata obfuscated strings ndani ya executables kwa kutumia techniques mbalimbali.

 ### PEpper

-[PEpper ](https://github.com/Th3Hurrican3/PEpper)huchunguza baadhi ya mambo ya msingi ndani ya executable (binary data, entropy, URLs and IPs, baadhi ya yara rules).
+[PEpper ](https://github.com/Th3Hurrican3/PEpper) inakagua mambo ya msingi ndani ya executable (binary data, entropy, URLs and IPs, baadhi ya yara rules).

 ### PEstudio

-[PEstudio](https://www.winitor.com/download) ni zana inayoruhusu kupata taarifa za Windows executables kama imports, exports, headers, na pia itachunguza virus total na kutambua potential Att\&ck techniques.
+[PEstudio](https://www.winitor.com/download) ni zana inayoruhusu kupata taarifa za Windows executables kama imports, exports, headers, lakini pia itakagua virus total na kutambua potential Att\&ck techniques.

 ### Detect It Easy(DiE)

-[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni zana ya kugundua kama faili ime**encrypted** na pia kutafuta **packers**.
+[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni zana ya kugundua kama faili ni **encrypted** na pia kupata **packers**.

 ### NeoPI

-[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is script ya Python inayotumia aina mbalimbali za **statistical methods** kutambua yaliyomo yaliyo **obfuscated** na **encrypted** ndani ya text/script files. Kusudi la NeoPI ni kusaidia katika **detection of hidden web shell code**.
+[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) ni script ya Python inayotumia aina mbalimbali za **statistical methods** kugundua **obfuscated** na **encrypted** content ndani ya text/script files. Madhumuni yaliyokusudiwa ya NeoPI ni kusaidia katika **detection of hidden web shell code**.

 ### **php-malware-finder**

-[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) inajitahidi sana kutambua **obfuscated**/**dodgy code** pamoja na faili zinazotumia **PHP** functions zinazotumiwa mara kwa mara na **malwares**/webshells.
+[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) inafanya juhudi zake kubaini **obfuscated**/**dodgy code** pamoja na faili zinazotumia functions za **PHP** zinazotumika mara kwa mara na **malwares**/webshells.

 ### Apple Binary Signatures

-Unapoangalia baadhi ya **malware sample** unapaswa kila mara **check the signature** ya binary kwani **developer** aliyesaini inaweza tayari kuwa **related** na **malware.**
+Wakati wa kukagua **malware sample** unapaswa kila mara **check the signature** ya binary, kwa sababu **developer** aliyesaini inaweza tayari kuwa **related** na **malware.**
 ```bash
 #Get signer
 codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
@ -137,27 +137,27 @@ codesign --verify --verbose /Applications/Safari.app
 #Check if the signature is valid
 spctl --assess --verbose /Applications/Safari.app
 ```
-## Mbinu za Ugundaji
+## Detection Techniques

 ### File Stacking

-Ikiwa unajua kuwa folda fulani inayoshikilia **faili** za **seva ya wavuti** ilisasishwa mwisho tarehe fulani, **kagua** tarehe ambazo **faili zote** kwenye **seva ya wavuti** ziliundwa na kubadilishwa; ikiwa tarehe yoyote ni **shaka**, angalia faili hiyo.
+Ikiwa unajua kwamba folda fulani inayojumuisha **mafaili** ya web server ilisababisha **sasisho la mwisho** tarehe fulani. **Angalia** **tarehe** ambazo **mafaili** yote kwenye **web server** yaliundwa na yalibadilishwa, na ikiwa tarehe yoyote ni **ya kushuku**, chunguza faili hiyo.

 ### Baselines

-Ikiwa **faili** za **folda** hazikutakiwa kubadilishwa, unaweza kuhesabu **hash** ya **faili za awali** za folda na **linganisha** nazo zile za **sasa**. Kile kilichobadilishwa kitakuwa **shaka**.
+Ikiwa **mafaili** ya folda **hayapaswi kuwa yamebadilishwa**, unaweza kuhesabu **hash** ya **mafaili ya awali** ya folda na **kuwa** **linganisha** na yale ya **sasa**. Kitu chochote kilichobadilishwa kitakuwa **cha kutiliwa shaka**.

-### Uchanganuzi wa Takwimu
+### Statistical Analysis

-Wakati taarifa zimehifadhiwa kwenye logs unaweza **kagua takwimu** kama vile ni mara ngapi kila **faili** ya **seva ya wavuti** ilifikiwa — web shell inaweza kuwa miongoni mwa zilizopatikana mara nyingi.
+Wakati taarifa zimehifadhiwa katika logs unaweza **kuangalia takwimu kama mara ngapi kila faili ya web server ilifikiwa**, kwani web shell inaweza kuwa miongoni mwa faili zinazopatikana mara nyingi.

 ---

 ### Android in-app native telemetry (no root)

-Kwenye Android, unaweza kuingilia native code ndani ya mchakato wa app lengwa kwa ku-preload library ndogo ya logger kabla libraries nyingine za JNI hazijaanzishwa. Hii inatoa uonekano wa mapema wa tabia za native bila hooks za mfumo mzima au root. Mbinu maarufu ni SoTap: weka libsotap.so kwa ABI sahihi ndani ya APK na injekta wito wa System.loadLibrary("sotap") mapema (kwa mfano, static initializer au Application.onCreate), kisha ukusanye logs kutoka njia za ndani/za nje au tumia Logcat kama fallback.
+Kwenye Android, unaweza ku-instrument native code ndani ya mchakato wa app lengwa kwa ku-preload maktaba ndogo ya logger kabla ya maktaba nyingine za JNI kuanzishwa. Hii inatoa uonekano wa mapema wa tabia za native bila hooks za mfumo mzima au root. Njia maarufu ni SoTap: weka libsotap.so kwa ABI inayofaa ndani ya APK na sindika mwito wa System.loadLibrary("sotap") mapema (mfano, static initializer au Application.onCreate), kisha kusanya logs kutoka njia za ndani/za nje au kutumia Logcat kama fallback.

-Tazama ukurasa wa Android native reversing kwa maelezo ya usanidi na njia za logi:
+See the Android native reversing page for setup details and log paths:

 {{#ref}}
 ../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@ -165,11 +165,11 @@ Tazama ukurasa wa Android native reversing kwa maelezo ya usanidi na njia za log

 ---

-## Kuondoa Obfuscation ya Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
+## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)

-Familia za kisasa za malware zinatumia kwa kupindukia obfuscation ya Control-Flow Graph (CFG): badala ya jump/call moja kwa moja wanahesabu marudio wakati wa utekelezaji na kutekeleza `jmp rax` au `call rax`. Dispatcher ndogo (kawaida maagizo tisa) huweka lengo la mwisho kulingana na bendera za CPU `ZF`/`CF`, ikivunja kabisa urejeshaji wa static wa CFG.
+Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`.  A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.

-Mbinu — iliyoonyeshwa na loader ya SLOW#TEMPEST — inaweza kushindwa kwa mtiririko wa hatua tatu unaoegemea tu IDAPython na emulator ya CPU ya Unicorn.
+The technique – showcased by the SLOW#TEMPEST loader – can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator.

 ### 1. Locate every indirect jump / call
 ```python
@ -180,7 +180,7 @@ mnem = idc.print_insn_mnem(ea)
 if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
 print(f"[+] Dispatcher found @ {ea:X}")
 ```
-### 2. Toa dispatcher byte-code
+### 2. Toa byte-code ya dispatcher
 ```python
 import idc

@ -195,7 +195,7 @@ size  = jmp_ea + idc.get_item_size(jmp_ea) - start
 code  = idc.get_bytes(start, size)
 open(f"{start:X}.bin", "wb").write(code)
 ```
-### 3. Iiga mara mbili kwa kutumia Unicorn
+### 3. Iga mara mbili kwa kutumia Unicorn
 ```python
 from unicorn import *
 from unicorn.x86_const import *
@ -211,9 +211,9 @@ mu.reg_write(UC_X86_REG_RAX, 0)
 mu.emu_start(BASE, BASE+len(code))
 return mu.reg_read(UC_X86_REG_RAX)
 ```
-Endesha `run(code,0,0)` na `run(code,1,1)` ili kupata malengo ya matawi *false* na *true*.
+Endesha `run(code,0,0)` na `run(code,1,1)` ili kupata malengo ya branch za *false* na *true*.

-### 4. Rekebisha tena jump / call ya moja kwa moja
+### 4. Rekebisha direct jump / call
 ```python
 import struct, ida_bytes

@ -222,28 +222,37 @@ op   = 0xE8 if is_call else 0xE9           # CALL rel32 or JMP rel32
 disp = target - (ea + 5) & 0xFFFFFFFF
 ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
 ```
-Baada ya patching, lazimisha IDA ichambue tena function ili CFG kamili na matokeo ya Hex-Rays virudishwe:
+Baada ya patching, lazimisha IDA ifanye re-analyse ya function ili full CFG na Hex-Rays output virudishwe:
 ```python
 import ida_auto, idaapi
 idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
 ```
-### 5. Weka lebo kwa miito isiyo ya moja kwa moja ya API
+### 5. Weka lebo kwa API calls zisizo za moja kwa moja

-Mara tu mahali halisi pa kila `call rax` itakapojulikana, unaweza kumwambia IDA ni nini ili aina za vigezo na majina ya variable vipatikane kiotomatiki:
+Mara tu lengo halisi la kila `call rax` linapojulikana, unaweza kumwambia IDA ni nini ili aina za parameta na majina ya variables zirudishwe kiotomatiki:
 ```python
 idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+
 ```
 ### Manufaa ya vitendo

-* Inarejesha CFG halisi → decompilation inaenda kutoka *10* mistari hadi maelfu.
-* Inawawezesha string-cross-reference & xrefs, na kuifanya behaviour reconstruction kuwa rahisi.
-* Scripts zinaweza kutumika tena: ziweke ndani ya loader yoyote iliyolindwa na trick ile ile.
+* Inarejesha CFG halisi → decompilation inabadilika kutoka *10* mistari hadi maelfu.
+* Inawawezesha string-cross-reference & xrefs, na kufanya urejeshaji wa tabia kuwa rahisi.
+* Scripts zinaweza kutumika tena: ziweke katika loader yoyote iliyo na ulinzi sawa kwa hila ile ile.

 ---

+## AdaptixC2: Uchimbaji wa Usanidi na TTPs
+
+Angalia ukurasa maalum:
+
+{{#ref}}
+adaptixc2-config-extraction-and-ttps.md
+{{#endref}}
+
 ## Marejeo

 - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
- SoTap: Rekoda nyepesi wa tabia ndani ya app kwa JNI (.so) – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
+- SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
+- [Unit42 – AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks](https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/)

 {{#include ../../banners/hacktricks-training.md}}