Koadic

Koadic is a Windows post-exploitation framework and penetration testing tool. Koadic is publicly available on GitHub and is run from the command line. It has several options for staging payloads and creating implants, and it performs most of its operations using Windows Script Host. [1] [2]

ID: S0250
Type: TOOL
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1088 | Bypass User Account Control | Koadic has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe. [1] |
| Enterprise | T1115 | Clipboard Data | Koadic can retrieve the current content of the user clipboard. [1] |
| Enterprise | T1059 | Command-Line Interface | Koadic can open an interactive command shell to perform command-line functions on victim machines. [1] |
| Enterprise | T1003 | Credential Dumping | Koadic can gather hashed passwords by dumping the SAM/SECURITY hives and can gather domain controller hashes from NTDS. [1] |
| Enterprise | T1005 | Data from Local System | Koadic can download files off the target system to send back to the server. [1] |
| Enterprise | T1170 | Mshta | Koadic can use MSHTA to serve additional payloads. [1] |
| Enterprise | T1046 | Network Service Scanning | Koadic can scan for open TCP ports on the target network. [1] |
| Enterprise | T1135 | Network Share Discovery | Koadic can scan the local network for open SMB. [1] |
| Enterprise | T1055 | Process Injection | Koadic can perform process injection by using a reflective DLL. [1] |
| Enterprise | T1117 | Regsvr32 | Koadic can use Regsvr32 to execute additional payloads. [1] |
| Enterprise | T1076 | Remote Desktop Protocol | Koadic can enable remote desktop on the victim's machine. [1] |
| Enterprise | T1105 | Remote File Copy | Koadic can download additional files. [1] |
| Enterprise | T1085 | Rundll32 | Koadic can use Rundll32 to execute additional payloads. [1] |
| Enterprise | T1064 | Scripting | Koadic performs most of its operations using Windows Script Host (JScript and VBScript) and runs arbitrary shellcode. [1] |
| Enterprise | T1035 | Service Execution | Koadic can run a command on another machine using PsExec. [1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Koadic can use SSL and TLS for communications. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Koadic can retrieve information about the Windows domain. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Koadic can identify logged-in users across the domain and view user sessions. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | Koadic can use WMI to execute commands. [1] |

Groups

Groups that use this software:

APT28

References