From 8a50d0bba507cb9475bda37296d16a42d329afb6 Mon Sep 17 00:00:00 2001 From: Translator Date: Tue, 30 Sep 2025 09:11:08 +0000 Subject: [PATCH] Translated ['src/generic-methodologies-and-resources/basic-forensic-meth --- src/SUMMARY.md | 9 +- .../adaptixc2-config-extraction-and-ttps.md | 243 ++++++++++++++++++ .../malware-analysis.md | 85 +++--- 3 files changed, 295 insertions(+), 42 deletions(-) create mode 100644 src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index edddf45ba..52e7cc8b6 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -37,6 +37,7 @@ - [Mobile Phishing Malicious Apps](generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md) - [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md) - [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md) + - [Adaptixc2 Config Extraction And Ttps](generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md) - [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md) - [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md) - [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md) @@ -130,6 +131,7 @@ - [Seccomp](linux-hardening/privilege-escalation/docker-security/seccomp.md) - [Weaponizing Distroless](linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md) - [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md) + - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md) - [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md) - [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md) - [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md) @@ -771,7 +773,7 @@ - [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md) - [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md) - [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md) - - [ROP and JOP](binary-exploitation/rop-return-oriented-programing/README.md) + - [ROP & JOP](binary-exploitation/rop-return-oriented-programing/README.md) - [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md) - [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md) - [Ret2dlresolve](binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md) @@ -840,6 +842,7 @@ - [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md) - [WWW2Exec - \_\_malloc_hook & \_\_free_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md) - [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md) +- [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md) - [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md) - [iOS Exploiting](binary-exploitation/ios-exploiting/README.md) - [ios CVE-2020-27950-mach_msg_trailer_t](binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md) @@ -937,6 +940,4 @@ - [Stealing Sensitive Information Disclosure from a Web](todo/stealing-sensitive-information-disclosure-from-a-web.md) - [Post Exploitation](todo/post-exploitation.md) - [Investment Terms](todo/investment-terms.md) -- [Cookies Policy](todo/cookies-policy.md) - - - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md) \ No newline at end of file +- [Cookies Policy](todo/cookies-policy.md) \ No newline at end of file diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md new file mode 100644 index 000000000..240b81661 --- /dev/null +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md @@ -0,0 +1,243 @@ +# Extração de Configuração do AdaptixC2 e TTPs + +{{#include ../../banners/hacktricks-training.md}} + +AdaptixC2 é um framework modular e open‑source de post‑exploitation/C2 com beacons Windows x86/x64 (EXE/DLL/service EXE/raw shellcode) e suporte a BOF. Esta página documenta: +- Como a sua configuração empacotada com RC4 é embutida e como extraí‑la dos beacons +- Indicadores de rede/perfil para listeners HTTP/SMB/TCP +- TTPs comuns de loader e persistência observados no mundo real, com links para páginas de técnicas relevantes do Windows + +## Perfis e campos de beacon + +AdaptixC2 suporta três tipos primários de beacon: +- BEACON_HTTP: web C2 com servidores/portas/SSL configuráveis, method, URI, headers, user‑agent, e um nome de parâmetro customizado +- BEACON_SMB: named‑pipe peer‑to‑peer C2 (intranet) +- BEACON_TCP: sockets diretos, opcionalmente com um marcador pré‑inserido para ofuscar o início do protocolo + +Campos típicos de perfil observados em configs de beacon HTTP (após descriptografia): +- agent_type (u32) +- use_ssl (bool) +- servers_count (u32), servers (array of strings), ports (array of u32) +- http_method, uri, parameter, user_agent, http_headers (length‑prefixed strings) +- ans_pre_size (u32), ans_size (u32) – usado para analisar os tamanhos das respostas +- kill_date (u32), working_time (u32) +- sleep_delay (u32), jitter_delay (u32) +- listener_type (u32) +- download_chunk_size (u32) + +Exemplo de perfil HTTP padrão (de um build de beacon): +```json +{ +"agent_type": 3192652105, +"use_ssl": true, +"servers_count": 1, +"servers": ["172.16.196.1"], +"ports": [4443], +"http_method": "POST", +"uri": "/uri.php", +"parameter": "X-Beacon-Id", +"user_agent": "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0", +"http_headers": "\r\n", +"ans_pre_size": 26, +"ans_size": 47, +"kill_date": 0, +"working_time": 0, +"sleep_delay": 2, +"jitter_delay": 0, +"listener_type": 0, +"download_chunk_size": 102400 +} +``` +Perfil HTTP malicioso observado (ataque real): +```json +{ +"agent_type": 3192652105, +"use_ssl": true, +"servers_count": 1, +"servers": ["tech-system[.]online"], +"ports": [443], +"http_method": "POST", +"uri": "/endpoint/api", +"parameter": "X-App-Id", +"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36", +"http_headers": "\r\n", +"ans_pre_size": 26, +"ans_size": 47, +"kill_date": 0, +"working_time": 0, +"sleep_delay": 4, +"jitter_delay": 0, +"listener_type": 0, +"download_chunk_size": 102400 +} +``` +## Empacotamento da configuração criptografada e caminho de carregamento + +Quando o operador clica em Criar no builder, o AdaptixC2 incorpora o perfil criptografado como um blob final no beacon. O formato é: +- 4 bytes: tamanho da configuração (uint32, little‑endian) +- N bytes: dados de configuração criptografados com RC4 +- 16 bytes: chave RC4 + +O beacon loader copia a chave de 16‑byte do final e descriptografa com RC4 o bloco de N‑byte no próprio local: +```c +ULONG profileSize = packer->Unpack32(); +this->encrypt_key = (PBYTE) MemAllocLocal(16); +memcpy(this->encrypt_key, packer->data() + 4 + profileSize, 16); +DecryptRC4(packer->data()+4, profileSize, this->encrypt_key, 16); +``` +Implicações práticas: +- Toda a estrutura frequentemente vive dentro da seção PE .rdata. +- A extração é determinística: leia o size, leia o ciphertext desse tamanho, leia a 16‑byte key colocada imediatamente depois, e então RC4‑decrypt. + +## Fluxo de extração de configuração (defensores) + +Implemente um extractor que imite a beacon logic: +1) Localize o blob dentro do PE (comumente .rdata). Uma abordagem pragmática é escanear .rdata em busca de um layout plausível [size|ciphertext|16‑byte key] e tentar RC4. +2) Leia os primeiros 4 bytes → size (uint32 LE). +3) Leia os próximos N=size bytes → ciphertext. +4) Leia os últimos 16 bytes → RC4 key. +5) RC4‑decrypt o ciphertext. Em seguida, parse o plain profile como: +- u32/boolean scalars conforme indicado acima +- length‑prefixed strings (u32 length followed by bytes; trailing NUL can be present) +- arrays: servers_count seguido por esse número de pares [string, u32 port] + +Prova de conceito mínima em Python (standalone, no external deps) que funciona com um blob pré-extraído: +```python +import struct +from typing import List, Tuple + +def rc4(key: bytes, data: bytes) -> bytes: +S = list(range(256)) +j = 0 +for i in range(256): +j = (j + S[i] + key[i % len(key)]) & 0xFF +S[i], S[j] = S[j], S[i] +i = j = 0 +out = bytearray() +for b in data: +i = (i + 1) & 0xFF +j = (j + S[i]) & 0xFF +S[i], S[j] = S[j], S[i] +K = S[(S[i] + S[j]) & 0xFF] +out.append(b ^ K) +return bytes(out) + +class P: +def __init__(self, buf: bytes): +self.b = buf; self.o = 0 +def u32(self) -> int: +v = struct.unpack_from(' int: +v = self.b[self.o]; self.o += 1; return v +def s(self) -> str: +L = self.u32(); s = self.b[self.o:self.o+L]; self.o += L +return s[:-1].decode('utf-8','replace') if L and s[-1] == 0 else s.decode('utf-8','replace') + +def parse_http_cfg(plain: bytes) -> dict: +p = P(plain) +cfg = {} +cfg['agent_type'] = p.u32() +cfg['use_ssl'] = bool(p.u8()) +n = p.u32() +cfg['servers'] = [] +cfg['ports'] = [] +for _ in range(n): +cfg['servers'].append(p.s()) +cfg['ports'].append(p.u32()) +cfg['http_method'] = p.s() +cfg['uri'] = p.s() +cfg['parameter'] = p.s() +cfg['user_agent'] = p.s() +cfg['http_headers'] = p.s() +cfg['ans_pre_size'] = p.u32() +cfg['ans_size'] = p.u32() + cfg['ans_pre_size'] +cfg['kill_date'] = p.u32() +cfg['working_time'] = p.u32() +cfg['sleep_delay'] = p.u32() +cfg['jitter_delay'] = p.u32() +cfg['listener_type'] = 0 +cfg['download_chunk_size'] = 0x19000 +return cfg + +# Usage (when you have [size|ciphertext|key] bytes): +# blob = open('blob.bin','rb').read() +# size = struct.unpack_from('