# AdaptixC2 Configuration Extraction and TTPs
{{#include ../../banners/hacktricks-training.md}}
AdaptixC2 is a modular, open-source post-exploitation/C2 framework with Windows x86/x64 beacons (EXE/DLL/service EXE/raw shellcode) and BOF support. This page documents:
- How its RC4-encrypted configuration is embedded and how to extract it from beacons
- Network/profile indicators for HTTP/SMB/TCP listeners
- Common loader and persistence TTPs observed in the wild, with links to the related Windows technique pages
## Beacon profiles and fields
AdaptixC2 supports three main beacon types:
- BEACON_HTTP: web C2 with configurable servers/ports/SSL, method, URI, headers, user-agent, and a custom parameter name
- BEACON_SMB: named-pipe peer-to-peer C2 (intranet)
- BEACON_TCP: direct sockets, optionally with a marker prepended to obscure the start of the protocol
Typical profile fields observed in HTTP beacon configs (after decryption):
- agent_type (u32)
- use_ssl (bool)
- servers_count (u32), servers (array of strings), ports (array of u32)
- http_method, uri, parameter, user_agent, http_headers (length-prefixed strings)
- ans_pre_size (u32), ans_size (u32) used to parse response sizes
- kill_date (u32), working_time (u32)
- sleep_delay (u32), jitter_delay (u32)
- listener_type (u32)
- download_chunk_size (u32)
Example default HTTP profile (from a beacon build):
```json
{
"agent_type": 3192652105,
"use_ssl": true,
"servers_count": 1,
"servers": ["172.16.196.1"],
"ports": [4443],
"http_method": "POST",
"uri": "/uri.php",
"parameter": "X-Beacon-Id",
"user_agent": "Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0",
"http_headers": "\r\n",
"ans_pre_size": 26,
"ans_size": 47,
"kill_date": 0,
"working_time": 0,
"sleep_delay": 2,
"jitter_delay": 0,
"listener_type": 0,
"download_chunk_size": 102400
}
```
Malicious HTTP profile observed in a real intrusion:
```json
{
"agent_type": 3192652105,
"use_ssl": true,
"servers_count": 1,
"servers": ["tech-system[.]online"],
"ports": [443],
"http_method": "POST",
"uri": "/endpoint/api",
"parameter": "X-App-Id",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36",
"http_headers": "\r\n",
"ans_pre_size": 26,
"ans_size": 47,
"kill_date": 0,
"working_time": 0,
"sleep_delay": 4,
"jitter_delay": 0,
"listener_type": 0,
"download_chunk_size": 102400
}
```
## Encrypted configuration packaging and load path
When the operator clicks Create in the builder, AdaptixC2 embeds the encrypted profile as a tail blob inside the beacon. The layout is:
- 4 bytes: configuration size (uint32, little-endian)
- N bytes: RC4-encrypted configuration data
- 16 bytes: RC4 key
The beacon loader copies the 16-byte key from the end and RC4-decrypts the N-byte block in place:
```c
ULONG profileSize = packer->Unpack32();                            // 4-byte size prefix
this->encrypt_key = (PBYTE) MemAllocLocal(16);
memcpy(this->encrypt_key, packer->data() + 4 + profileSize, 16);   // key sits right after the ciphertext
DecryptRC4(packer->data()+4, profileSize, this->encrypt_key, 16);  // decrypt the N-byte block in place
```
Practical consequences:
- The whole structure usually lives in the PE .rdata section.
- Extraction is deterministic: read the size, read that many bytes of ciphertext, read the 16-byte key placed immediately after it, then RC4-decrypt.
## Configuration extraction workflow (defenders)
Write an extractor that mirrors the beacon's logic:
1) Locate the blob inside the PE (usually .rdata). A practical approach is to scan .rdata for a plausible [size|ciphertext|16-byte key] layout and attempt RC4.
2) Read the first 4 bytes → size (uint32 LE).
3) Read the next N=size bytes → ciphertext.
4) Read the final 16 bytes → RC4 key.
5) RC4-decrypt the ciphertext. Then parse the plaintext profile as:
- u32/boolean scalars as listed above
- length-prefixed strings (u32 length followed by bytes; a trailing NUL may be present)
- arrays: servers_count followed by that many [string, u32 port] pairs
Minimal Python proof-of-concept (standalone, no external deps) that works with a pre-extracted blob:
```python
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 (KSA + PRGA); the same routine encrypts and decrypts.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) & 0xFF]
        out.append(b ^ K)
    return bytes(out)

class P:
    """Cursor over the decrypted profile: u32/u8 scalars and u32 length-prefixed strings."""
    def __init__(self, buf: bytes):
        self.b = buf; self.o = 0
    def u32(self) -> int:
        v = struct.unpack_from('<I', self.b, self.o)[0]; self.o += 4; return v
    def u8(self) -> int:
        v = self.b[self.o]; self.o += 1; return v
    def s(self) -> str:
        # u32 length followed by the bytes; a trailing NUL, if present, is stripped
        L = self.u32(); s = self.b[self.o:self.o+L]; self.o += L
        return s[:-1].decode('utf-8','replace') if L and s[-1] == 0 else s.decode('utf-8','replace')

def parse_http_cfg(plain: bytes) -> dict:
    p = P(plain)
    cfg = {}
    cfg['agent_type'] = p.u32()
    cfg['use_ssl'] = bool(p.u8())
    n = p.u32()                      # servers_count, followed by n [string, u32 port] pairs
    cfg['servers'] = []
    cfg['ports'] = []
    for _ in range(n):
        cfg['servers'].append(p.s())
        cfg['ports'].append(p.u32())
    cfg['http_method'] = p.s()
    cfg['uri'] = p.s()
    cfg['parameter'] = p.s()
    cfg['user_agent'] = p.s()
    cfg['http_headers'] = p.s()
    cfg['ans_pre_size'] = p.u32()
    cfg['ans_size'] = p.u32() + cfg['ans_pre_size']
    cfg['kill_date'] = p.u32()
    cfg['working_time'] = p.u32()
    cfg['sleep_delay'] = p.u32()
    cfg['jitter_delay'] = p.u32()
    cfg['listener_type'] = 0         # fixed in this PoC rather than read from the blob
    cfg['download_chunk_size'] = 0x19000
    return cfg

# Usage (when you have [size|ciphertext|key] bytes):
# blob = open('blob.bin','rb').read()
# size = struct.unpack_from('<I', blob, 0)[0]
# ct = blob[4:4+size]
# key = blob[4+size:4+size+16]
# pt = rc4(key, ct)
# cfg = parse_http_cfg(pt)
```
Notes:
- When automating, use a PE parser to read .rdata and then apply a sliding window: for each offset o, try size = u32(.rdata[o:o+4]), ct = .rdata[o+4:o+4+size], candidate key = the next 16 bytes; RC4-decrypt and check that the string fields decode as UTF-8 and the lengths are reasonable.
- Parse SMB/TCP profiles following the same length-prefixed conventions.
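Added example (not code from the page or the AdaptixC2 project) that implements the sliding-window scan from the notes above together with extraction steps 1-5 as a round trip: build_blob packs a constructed HTTP profile into the [size|ciphertext|16-byte key] layout (field order and trailing NUL follow the parser above; the key and profile values are constructed), and scan_section recovers it from a padded buffer standing in for .rdata by trying every offset and keeping only candidates whose decoded fields look sane.

```python
import struct
def rc4(key: bytes, data: bytes) -> bytes:  # plain RC4; the same routine decrypts
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF; S[i], S[j] = S[j], S[i]
    i = j = 0; out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF; j = (j + S[i]) & 0xFF; S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def build_blob(profile: dict, key: bytes) -> bytes:
    """Pack a (constructed) HTTP profile into the tail-blob layout [size|RC4(plaintext)|16-byte key]."""
    lp = lambda s: struct.pack("<I", len(s.encode()) + 1) + s.encode() + b"\x00"  # u32 len + NUL
    plain = struct.pack("<IBI", profile["agent_type"], profile["use_ssl"], len(profile["servers"]))
    for srv, port in zip(profile["servers"], profile["ports"]):
        plain += lp(srv) + struct.pack("<I", port)
    for f in ("http_method", "uri", "parameter", "user_agent", "http_headers"):
        plain += lp(profile[f])
    plain += struct.pack("<6I", *(profile[f] for f in ("ans_pre_size", "ans_size",
                         "kill_date", "working_time", "sleep_delay", "jitter_delay")))
    ct = rc4(key, plain)
    return struct.pack("<I", len(ct)) + ct + key

def plausible(plain: bytes) -> bool:
    """Reject a decryption candidate unless server count, string lengths and UTF-8 look sane."""
    try:
        o = 5                                               # agent_type (u32) + use_ssl (u8)
        n = struct.unpack_from("<I", plain, o)[0]; o += 4
        if not 1 <= n <= 16: return False
        for _ in range(n):
            L = struct.unpack_from("<I", plain, o)[0]; o += 4
            if not 1 <= L <= 256 or o + L > len(plain): return False
            plain[o:o + L].decode("utf-8"); o += L + 4     # string, then u32 port
        return True
    except (struct.error, UnicodeDecodeError):
        return False

def scan_section(data: bytes, max_size: int = 0x2000) -> list:
    """Sliding window over section bytes: try [size|ct|key] at every offset, keep sane hits."""
    hits = []
    for o in range(len(data) - 4):
        size = struct.unpack_from("<I", data, o)[0]
        if not 16 <= size <= max_size or o + 4 + size + 16 > len(data):
            continue
        pt = rc4(data[o + 4 + size:o + 4 + size + 16], data[o + 4:o + 4 + size])
        if plausible(pt):
            hits.append((o, pt))
    return hits
```

Feed the hits to parse_http_cfg from the PoC above to get the decoded profile; max_size bounds the window so that random bytes rarely qualify as a size.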
## Network fingerprinting and hunting
HTTP
- Commonly: POST to operator-chosen URIs (e.g., /uri.php, /endpoint/api)
- A custom header parameter used for the beacon ID (e.g., X-Beacon-Id, X-App-Id)
- User-agents that mimic Firefox 20 or current Chrome builds
- Polling cadence visible via sleep_delay/jitter_delay
SMB/TCP
- SMB named-pipe listeners for intranet C2 where web egress is blocked
- TCP beacons may prepend a few bytes to the traffic to obscure the start of the protocol
## Loader and persistence TTPs observed in incidents
In-memory PowerShell loaders
- Download Base64/XOR payloads (Invoke-RestMethod / WebClient)
- Allocate unmanaged memory, copy the shellcode, change protection to 0x40 (PAGE_EXECUTE_READWRITE) via VirtualProtect
- Execute via .NET dynamic invocation: Marshal.GetDelegateForFunctionPointer + delegate.Invoke()
See these pages on in-memory execution and AMSI/ETW considerations:
{{#ref}}
../../windows-hardening/av-bypass.md
{{#endref}}
Observed persistence techniques
- Startup folder shortcut (.lnk) to relaunch the loader at logon
- Registry Run keys (HKCU/HKLM ...\CurrentVersion\Run), often with benign-sounding names such as "Updater" launching loader.ps1
- DLL search-order hijack by dropping msimg32.dll under %APPDATA%\Microsoft\Windows\Templates for susceptible processes
In-depth coverage of the techniques and the checks for them:
{{#ref}}
../../windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
{{#endref}}
{{#ref}}
../../windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
{{#endref}}
Hunting suggestions
- PowerShell initiating RW→RX transitions: VirtualProtect to PAGE_EXECUTE_READWRITE inside powershell.exe
- Dynamic invocation patterns (GetDelegateForFunctionPointer)
- Startup .lnk under the user or common Startup folders
- Suspicious Run keys (e.g., "Updater") and loader names such as update.ps1/loader.ps1
- User-writable DLL paths under %APPDATA%\Microsoft\Windows\Templates containing msimg32.dll
## Notes on OpSec fields
- KillDate: timestamp after which the agent self-terminates
- WorkingTime: hours during which the agent should be active, to blend in with business activity
These fields can be used for clustering and to explain observed quiet periods.
## YARA and static notes
Unit 42 published basic YARA for the beacons (C/C++ and Go) and the loader API-hashing constants. Consider adding rules that look for the [size|ciphertext|16-byte key] layout near the end of the PE .rdata section and for the default HTTP profile strings.
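As an added example (not from the page or the Unit 42 report), a small triage function that applies the persistence-related hunting suggestions above to Sysmon-style registry and file events; the event field names and the sample events are constructed assumptions, not real telemetry:

```python
import re
from typing import Dict, List

# Patterns for the persistence artifacts described above (case-insensitive Windows paths).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
PS_LOADER = re.compile(r"\b(?:update|loader)\.ps1\b", re.I)
TEMPLATES_MSIMG32 = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\msimg32\.dll$", re.I)
STARTUP_LNK = re.compile(r"\\(?:Start Menu\\Programs\\Startup|Startup)\\[^\\]+\.lnk$", re.I)
GENERIC_NAMES = {"updater", "update", "loader"}   # benign-sounding Run value names seen in incidents

def triage(ev: Dict[str, str]) -> List[str]:
    """Return hunting tags for one Sysmon-style event (id 13 = RegistryValueSet, 11 = FileCreate)."""
    tags = []
    target, details = ev.get("target", ""), ev.get("details", "")
    if ev.get("id") == "13":
        m = RUN_KEY.search(target)
        if m:
            if PS_LOADER.search(details):
                tags.append("run_key_ps1_loader")
            if m.group("name").lower() in GENERIC_NAMES:
                tags.append("run_key_generic_name")
    elif ev.get("id") == "11":
        if TEMPLATES_MSIMG32.search(target):
            tags.append("templates_msimg32_hijack")
        if STARTUP_LNK.search(target):
            tags.append("startup_lnk")
    return tags

# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "13", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell -w hidden -ep bypass -f C:\Users\alice\AppData\Roaming\loader.ps1"},
    {"id": "11", "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\msimg32.dll"},
    {"id": "11", "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": "13", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

def hunt(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (target, tags) for every event that matched at least one rule."""
    return [(e["target"], triage(e)) for e in events if triage(e)]
```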
## References
- [AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks (Unit 42)](https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/)
- [AdaptixC2 GitHub](https://github.com/Adaptix-Framework/AdaptixC2)
- [Adaptix Framework Docs](https://adaptix-framework.gitbook.io/adaptix-framework)
- [Marshal.GetDelegateForFunctionPointer Microsoft Docs](https://learn.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal.getdelegateforfunctionpointer)
- [VirtualProtect Microsoft Docs](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect)
- [Memory protection constants Microsoft Docs](https://learn.microsoft.com/en-us/windows/win32/memory/memory-protection-constants)
- [Invoke-RestMethod PowerShell](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod)
- [MITRE ATT&CK T1547.001 Registry Run Keys/Startup Folder](https://attack.mitre.org/techniques/T1547/001/)
{{#include ../../banners/hacktricks-training.md}}