Merge pull request #1398 from HackTricks-wiki/update_AdaptixC2__A_New_Open-Source_Framework_Leveraged_i_20250910_123915

AdaptixC2 A New Open-Source Framework Leveraged in Real-Worl...
2025-10-10 18:36:50 +00:00 · 2025-09-30 10:56:42 +02:00 · 2025-09-30 10:56:42 +02:00 · a933ea6ce4
commit a933ea6ce4
parent be80a5c0f6 5350690b20
3 changed files with 265 additions and 4 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -37,6 +37,7 @@
  - [Mobile Phishing Malicious Apps](generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md)
  - [Phishing Files & Documents](generic-methodologies-and-resources/phishing-methodology/phishing-documents.md)
 - [Basic Forensic Methodology](generic-methodologies-and-resources/basic-forensic-methodology/README.md)
+  - [Adaptixc2 Config Extraction And Ttps](generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md)
  - [Baseline Monitoring](generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md)
  - [Anti-Forensic Techniques](generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md)
  - [Docker Forensics](generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md)
@ -130,6 +131,7 @@
    - [Seccomp](linux-hardening/privilege-escalation/docker-security/seccomp.md)
    - [Weaponizing Distroless](linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md)
  - [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md)
+  - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
  - [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md)
  - [Interesting Groups - Linux Privesc](linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md)
    - [lxd/lxc Group - Privilege escalation](linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md)
@ -771,7 +773,7 @@
    - [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md)
  - [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
  - [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
-  - [ROP and JOP](binary-exploitation/rop-return-oriented-programing/README.md)
+  - [ROP & JOP](binary-exploitation/rop-return-oriented-programing/README.md)
  - [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md)
  - [Ret2csu](binary-exploitation/rop-return-oriented-programing/ret2csu.md)
  - [Ret2dlresolve](binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md)
@ -840,6 +842,7 @@
  - [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md)
  - [WWW2Exec - \_\_malloc_hook & \_\_free_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md)
 - [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md)
+- [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
 - [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
 - [iOS Exploiting](binary-exploitation/ios-exploiting/README.md)
  - [ios CVE-2020-27950-mach_msg_trailer_t](binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.md)
@ -937,6 +940,4 @@
 - [Stealing Sensitive Information Disclosure from a Web](todo/stealing-sensitive-information-disclosure-from-a-web.md)
 - [Post Exploitation](todo/post-exploitation.md)
 - [Investment Terms](todo/investment-terms.md)
- [Cookies Policy](todo/cookies-policy.md)
-
-  - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
+- [Cookies Policy](todo/cookies-policy.md)
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/adaptixc2-config-extraction-and-ttps.md
@ -0,0 +1,251 @@
+# AdaptixC2 Configuration Extraction and TTPs
+
+{{#include ../../banners/hacktricks-training.md}}
+
+AdaptixC2 is a modular, open‑source post‑exploitation/C2 framework with Windows x86/x64 beacons (EXE/DLL/service EXE/raw shellcode) and BOF support. This page documents:
+- How its RC4‑packed configuration is embedded and how to extract it from beacons
+- Network/profile indicators for HTTP/SMB/TCP listeners
+- Common loader and persistence TTPs observed in the wild, with links to relevant Windows technique pages
+
+## Beacon profiles and fields
+
+AdaptixC2 supports three primary beacon types:
+- BEACON_HTTP: web C2 with configurable servers/ports/SSL, method, URI, headers, user‑agent, and a custom parameter name
+- BEACON_SMB: named‑pipe peer‑to‑peer C2 (intranet)
+- BEACON_TCP: direct sockets, optionally with a prepended marker to obfuscate protocol start
+
+Typical profile fields observed in HTTP beacon configs (after decryption):
+- agent_type (u32)
+- use_ssl (bool)
+- servers_count (u32), servers (array of strings), ports (array of u32)
+- http_method, uri, parameter, user_agent, http_headers (length‑prefixed strings)
+- ans_pre_size (u32), ans_size (u32) – used to parse response sizes
+- kill_date (u32), working_time (u32)
+- sleep_delay (u32), jitter_delay (u32)
+- listener_type (u32)
+- download_chunk_size (u32)
+
+Example default HTTP profile (from a beacon build):
+
+```json
+{
+  "agent_type": 3192652105,
+  "use_ssl": true,
+  "servers_count": 1,
+  "servers": ["172.16.196.1"],
+  "ports": [4443],
+  "http_method": "POST",
+  "uri": "/uri.php",
+  "parameter": "X-Beacon-Id",
+  "user_agent": "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0",
+  "http_headers": "\r\n",
+  "ans_pre_size": 26,
+  "ans_size": 47,
+  "kill_date": 0,
+  "working_time": 0,
+  "sleep_delay": 2,
+  "jitter_delay": 0,
+  "listener_type": 0,
+  "download_chunk_size": 102400
+}
+```
+
+Observed malicious HTTP profile (real attack):
+
+```json
+{
+  "agent_type": 3192652105,
+  "use_ssl": true,
+  "servers_count": 1,
+  "servers": ["tech-system[.]online"],
+  "ports": [443],
+  "http_method": "POST",
+  "uri": "/endpoint/api",
+  "parameter": "X-App-Id",
+  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36",
+  "http_headers": "\r\n",
+  "ans_pre_size": 26,
+  "ans_size": 47,
+  "kill_date": 0,
+  "working_time": 0,
+  "sleep_delay": 4,
+  "jitter_delay": 0,
+  "listener_type": 0,
+  "download_chunk_size": 102400
+}
+```
+
+## Encrypted configuration packing and load path
+
+When the operator clicks Create in the builder, AdaptixC2 embeds the encrypted profile as a tail blob in the beacon. The format is:
+- 4 bytes: configuration size (uint32, little‑endian)
+- N bytes: RC4‑encrypted configuration data
+- 16 bytes: RC4 key
+
+The beacon loader copies the 16‑byte key from the end and RC4‑decrypts the N‑byte block in place:
+
+```c
+ULONG profileSize = packer->Unpack32();
+this->encrypt_key = (PBYTE) MemAllocLocal(16);
+memcpy(this->encrypt_key, packer->data() + 4 + profileSize, 16);
+DecryptRC4(packer->data()+4, profileSize, this->encrypt_key, 16);
+```
+
+Practical implications:
+- The entire structure often lives inside the PE .rdata section.
+- Extraction is deterministic: read size, read ciphertext of that size, read the 16‑byte key placed immediately after, then RC4‑decrypt.
+
+## Configuration extraction workflow (defenders)
+
+Write an extractor that mimics the beacon logic:
+1) Locate the blob inside the PE (commonly .rdata). A pragmatic approach is to scan .rdata for a plausible [size|ciphertext|16‑byte key] layout and attempt RC4.
+2) Read first 4 bytes → size (uint32 LE).
+3) Read next N=size bytes → ciphertext.
+4) Read final 16 bytes → RC4 key.
+5) RC4‑decrypt the ciphertext. Then parse the plain profile as:
+   - u32/boolean scalars as noted above
+   - length‑prefixed strings (u32 length followed by bytes; trailing NUL can be present)
+   - arrays: servers_count followed by that many [string, u32 port] pairs
+
+Minimal Python proof‑of‑concept (standalone, no external deps) that works with a pre‑extracted blob:
+
+```python
+import struct
+from typing import List, Tuple
+
+def rc4(key: bytes, data: bytes) -> bytes:
+    S = list(range(256))
+    j = 0
+    for i in range(256):
+        j = (j + S[i] + key[i % len(key)]) & 0xFF
+        S[i], S[j] = S[j], S[i]
+    i = j = 0
+    out = bytearray()
+    for b in data:
+        i = (i + 1) & 0xFF
+        j = (j + S[i]) & 0xFF
+        S[i], S[j] = S[j], S[i]
+        K = S[(S[i] + S[j]) & 0xFF]
+        out.append(b ^ K)
+    return bytes(out)
+
+class P:
+    def __init__(self, buf: bytes):
+        self.b = buf; self.o = 0
+    def u32(self) -> int:
+        v = struct.unpack_from('<I', self.b, self.o)[0]; self.o += 4; return v
+    def u8(self) -> int:
+        v = self.b[self.o]; self.o += 1; return v
+    def s(self) -> str:
+        L = self.u32(); s = self.b[self.o:self.o+L]; self.o += L
+        return s[:-1].decode('utf-8','replace') if L and s[-1] == 0 else s.decode('utf-8','replace')
+
+def parse_http_cfg(plain: bytes) -> dict:
+    p = P(plain)
+    cfg = {}
+    cfg['agent_type']    = p.u32()
+    cfg['use_ssl']       = bool(p.u8())
+    n                    = p.u32()
+    cfg['servers']       = []
+    cfg['ports']         = []
+    for _ in range(n):
+        cfg['servers'].append(p.s())
+        cfg['ports'].append(p.u32())
+    cfg['http_method']   = p.s()
+    cfg['uri']           = p.s()
+    cfg['parameter']     = p.s()
+    cfg['user_agent']    = p.s()
+    cfg['http_headers']  = p.s()
+    cfg['ans_pre_size']  = p.u32()
+    cfg['ans_size']      = p.u32() + cfg['ans_pre_size']
+    cfg['kill_date']     = p.u32()
+    cfg['working_time']  = p.u32()
+    cfg['sleep_delay']   = p.u32()
+    cfg['jitter_delay']  = p.u32()
+    cfg['listener_type'] = 0
+    cfg['download_chunk_size'] = 0x19000
+    return cfg
+
+# Usage (when you have [size|ciphertext|key] bytes):
+# blob = open('blob.bin','rb').read()
+# size = struct.unpack_from('<I', blob, 0)[0]
+# ct   = blob[4:4+size]
+# key  = blob[4+size:4+size+16]
+# pt   = rc4(key, ct)
+# cfg  = parse_http_cfg(pt)
+```
+
+Tips:
+- When automating, use a PE parser to read .rdata then apply a sliding window: for each offset o, try size = u32(.rdata[o:o+4]), ct = .rdata[o+4:o+4+size], candidate key = next 16 bytes; RC4‑decrypt and check that string fields decode as UTF‑8 and lengths are sane.
+- Parse SMB/TCP profiles by following the same length‑prefixed conventions.
+
+## Network fingerprinting and hunting
+
+HTTP
+- Common: POST to operator‑selected URIs (e.g., /uri.php, /endpoint/api)
+- Custom header parameter used for beacon ID (e.g., X‑Beacon‑Id, X‑App‑Id)
+- User‑agents mimicking Firefox 20 or contemporary Chrome builds
+- Polling cadence visible via sleep_delay/jitter_delay
+
+SMB/TCP
+- SMB named‑pipe listeners for intranet C2 where web egress is constrained
+- TCP beacons may prepend a few bytes before traffic to obfuscate protocol start
+
+## Loader and persistence TTPs seen in incidents
+
+In‑memory PowerShell loaders
+- Download Base64/XOR payloads (Invoke‑RestMethod / WebClient)
+- Allocate unmanaged memory, copy shellcode, switch protection to 0x40 (PAGE_EXECUTE_READWRITE) via VirtualProtect
+- Execute via .NET dynamic invocation: Marshal.GetDelegateForFunctionPointer + delegate.Invoke()
+
+Check these pages for in‑memory execution and AMSI/ETW considerations:
+
+{{#ref}}
+../../windows-hardening/av-bypass.md
+{{#endref}}
+
+Persistence mechanisms observed
+- Startup folder shortcut (.lnk) to re‑launch a loader at logon
+- Registry Run keys (HKCU/HKLM ...\CurrentVersion\Run), often with benign‑sounding names like "Updater" to start loader.ps1
+- DLL search‑order hijack by dropping msimg32.dll under %APPDATA%\Microsoft\Windows\Templates for susceptible processes
+
+Technique deep‑dives and checks:
+
+{{#ref}}
+../../windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+{{#endref}}
+
+{{#ref}}
+../../windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
+{{#endref}}
+
+Hunting ideas
+- PowerShell spawning RW→RX transitions: VirtualProtect to PAGE_EXECUTE_READWRITE inside powershell.exe
+- Dynamic invocation patterns (GetDelegateForFunctionPointer)
+- Startup .lnk under user or common Startup folders
+- Suspicious Run keys (e.g., "Updater"), and loader names like update.ps1/loader.ps1
+- User‑writable DLL paths under %APPDATA%\Microsoft\Windows\Templates containing msimg32.dll
+
+## Notes on OpSec fields
+
+- KillDate: timestamp after which the agent self‑expires
+- WorkingTime: hours when the agent should be active to blend with business activity
+
+These fields can be used for clustering and to explain observed quiet periods.
+
+## YARA and static leads
+
+Unit 42 published basic YARA for beacons (C/C++ and Go) and loader API‑hashing constants. Consider complementing with rules that look for the [size|ciphertext|16‑byte‑key] layout near PE .rdata end and the default HTTP profile strings.
+
+## References
+
+- [AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks (Unit 42)](https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/)
+- [AdaptixC2 GitHub](https://github.com/Adaptix-Framework/AdaptixC2)
+- [Adaptix Framework Docs](https://adaptix-framework.gitbook.io/adaptix-framework)
+- [Marshal.GetDelegateForFunctionPointer – Microsoft Docs](https://learn.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal.getdelegateforfunctionpointer)
+- [VirtualProtect – Microsoft Docs](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)
+- [Memory protection constants – Microsoft Docs](https://learn.microsoft.com/en-us/windows/win32/memory/memory-protection-constants)
+- [Invoke-RestMethod – PowerShell](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod)
+- [MITRE ATT&CK T1547.001 – Registry Run Keys/Startup Folder](https://attack.mitre.org/techniques/T1547/001/)
+
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
@ -271,9 +271,18 @@ idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+

 ---

+## AdaptixC2: Configuration Extraction and TTPs
+
+See the dedicated page:
+
+{{#ref}}
+adaptixc2-config-extraction-and-ttps.md
+{{#endref}}
+
 ## References

 - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
 - SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
+- [Unit42 – AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks](https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/)

 {{#include ../../banners/hacktricks-training.md}}