Koadic

Koadic is a Windows post-exploitation framework and penetration testing tool. Koadic is publicly available on GitHub and the tool is executed via the command-line. Koadic has several options for staging payloads and creating implants. Koadic performs most of its operations using Windows Script Host. [1] [2]

ID: S0250
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Koadic has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe.[1]

Enterprise T1115 Clipboard Data

Koadic can retrieve the current content of the user clipboard.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Koadic can open an interactive command-shell to perform command line functions on victim machines.[1] Koadic performs most of its operations using Windows Script Host (Jscript) and runs arbitrary shellcode .[1]

.005 Command and Scripting Interpreter: Visual Basic

Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode .[1]

Enterprise T1005 Data from Local System

Koadic can download files off the target system to send back to the server.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Koadic can use SSL and TLS for communications.[1]

Enterprise T1105 Ingress Tool Transfer

Koadic can download additional files.[1]

Enterprise T1046 Network Service Scanning

Koadic can scan for open TCP ports on the target network.[1]

Enterprise T1135 Network Share Discovery

Koadic can scan local network for open SMB.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Koadic can gather hashed passwords by dumping SAM/SECURITY hive.[1]

.003 OS Credential Dumping: NTDS

Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Koadic can perform process injection by using a reflective DLL.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Koadic can enable remote desktop on the victim's machine.[1]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

Koadic can use Rundll32 to execute additional payloads.[1]

.005 Signed Binary Proxy Execution: Mshta

Koadic can use MSHTA to serve additional payloads.[1]

.010 Signed Binary Proxy Execution: Regsvr32

Koadic can use Regsvr32 to execute additional payloads.[1]

Enterprise T1016 System Network Configuration Discovery

Koadic can retrieve information about the Windows domain.[1]

Enterprise T1033 System Owner/User Discovery

Koadic can identify logged in users across the domain and views user sessions.[1]

Enterprise T1569 .002 System Services: Service Execution

Koadic can run a command on another machine using PsExec.[1]

Enterprise T1047 Windows Management Instrumentation

Koadic can use WMI to execute commands.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[2]

G0069 MuddyWater

[3][4]

G0121 Sidewinder

[5]

References