Securityinbits · September 20, 2025 04:24 · Securityinbits · Sep 20, 2025
diff --git a/adaptixC2.yar b/adaptixC2.yar
 rule u42_hacktool_beacon_adaptixC2
 {
    meta:
        description = "Detects AdaptixC2 beacon via basic functions from Unit42"
        reference = "https://github.com/Adaptix-Framework/AdaptixC2"

    strings:
        $FileTimeToUnixTimestamp = {D1 65 F8 83 7D F4 1F 7E 17 8B 55 E4}
        $Proxyfire_RecvProxy = {B9 FC FF 0F 00 E8 6A 04 00 00}
        $timeCalc1 = {8D 82 A0 05 00 00 89 44 24 3C EB 07}
        $timeCalc2 = {FF D2 0F B7 44 24 28 66 3B}
        $b64_encoded_size = {83 C0 01 39 45 18 7E 22 8B 45 E4 C1 E0 08 89 C1}
        $manage = {C6 44 24 5F 00 48 8B 45 10 48 8B 00}

    condition:
        any of them
 }

 rule u42_hacktool_beaconGo_adaptixC2
 {
    meta:
        description = "Detects AdaptixC2 beacon in GO via basic functions from Unit42"
        reference = "https://github.com/Adaptix-Framework/AdaptixC2/tree/a7401fa3fdbc7ae6b632c40570292f844e40ff40/Extenders/agent_gopher"
    
    strings:
        $GetProcesses = {E8 96 4D E1 FF E8 96 4D E1 FF E8 96 4D E1 FF}
        $ConnRead = {0F 8E BD 00 00 00 4C 89 44 24 30 4C 89 54 24 40}
        $normalizedPath = {48 85 C9 74 0A 31 C0 31 DB 48 83 C4 38 5D C3 90 0F 1F 40 00}
        $Linux_GetOsVersion = {48 8D 05 51 D6 10 00 BB 0F 00 00 00}
        $Mac_GetOsVersion = {48 8D 05 AE 5A 0A 00 BB 30 00 00 00}
    
    condition:
        any of them
 }

 rule u42_hacktool_adaptixC2_loader
 {
    meta:
        description = "Detects AdaptixC2 shellcode loader via API Hashing from Unit42"
        reference = "https://github.com/Adaptix-Framework/AdaptixC2/blob/main/Extenders/agent_beacon/src_beacon/beacon/ApiDefines.h"

    strings:
        $hash_NtFlushInstructionCache = { 9E 65 A1 91 }
        $hash_VirtualAlloc = { 76 63 CE 63 }
        $hash_GetProcAddress = { DE 2A 4F 18 }
        $hash_LoadLibraryA = { FA D0 59 11}
        $Calc_Func_resolve_ApiFuncs = {06 00 00 0F B6 11 48 FF C1 85 D2 74 14 44 8D 42}

    condition:
    (
        $hash_NtFlushInstructionCache and
        $hash_VirtualAlloc and
        $hash_GetProcAddress and
        $hash_LoadLibraryA
    ) or
    (
        $Calc_Func_resolve_ApiFuncs
    )
 }
	rule u42_hacktool_beacon_adaptixC2
	{
	meta:
	description = "Detects AdaptixC2 beacon via basic functions from Unit42"
	reference = "https://github.com/Adaptix-Framework/AdaptixC2"

	strings:
	$FileTimeToUnixTimestamp = {D1 65 F8 83 7D F4 1F 7E 17 8B 55 E4}
	$Proxyfire_RecvProxy = {B9 FC FF 0F 00 E8 6A 04 00 00}
	$timeCalc1 = {8D 82 A0 05 00 00 89 44 24 3C EB 07}
	$timeCalc2 = {FF D2 0F B7 44 24 28 66 3B}
	$b64_encoded_size = {83 C0 01 39 45 18 7E 22 8B 45 E4 C1 E0 08 89 C1}
	$manage = {C6 44 24 5F 00 48 8B 45 10 48 8B 00}

	condition:
	any of them
	}

	rule u42_hacktool_beaconGo_adaptixC2
	{
	meta:
	description = "Detects AdaptixC2 beacon in GO via basic functions from Unit42"
	reference = "https://github.com/Adaptix-Framework/AdaptixC2/tree/a7401fa3fdbc7ae6b632c40570292f844e40ff40/Extenders/agent_gopher"

	strings:
	$GetProcesses = {E8 96 4D E1 FF E8 96 4D E1 FF E8 96 4D E1 FF}
	$ConnRead = {0F 8E BD 00 00 00 4C 89 44 24 30 4C 89 54 24 40}
	$normalizedPath = {48 85 C9 74 0A 31 C0 31 DB 48 83 C4 38 5D C3 90 0F 1F 40 00}
	$Linux_GetOsVersion = {48 8D 05 51 D6 10 00 BB 0F 00 00 00}
	$Mac_GetOsVersion = {48 8D 05 AE 5A 0A 00 BB 30 00 00 00}

	condition:
	any of them
	}

	rule u42_hacktool_adaptixC2_loader
	{
	meta:
	description = "Detects AdaptixC2 shellcode loader via API Hashing from Unit42"
	reference = "https://github.com/Adaptix-Framework/AdaptixC2/blob/main/Extenders/agent_beacon/src_beacon/beacon/ApiDefines.h"

	strings:
	$hash_NtFlushInstructionCache = { 9E 65 A1 91 }
	$hash_VirtualAlloc = { 76 63 CE 63 }
	$hash_GetProcAddress = { DE 2A 4F 18 }
	$hash_LoadLibraryA = { FA D0 59 11}
	$Calc_Func_resolve_ApiFuncs = {06 00 00 0F B6 11 48 FF C1 85 D2 74 14 44 8D 42}

	condition:
	(
	$hash_NtFlushInstructionCache and
	$hash_VirtualAlloc and
	$hash_GetProcAddress and
	$hash_LoadLibraryA
	) or
	(
	$Calc_Func_resolve_ApiFuncs
	)
	}
No results found