Koadic

Koadic is a Windows post-exploitation framework and penetration testing tool. Koadic is publicly available on GitHub and is executed via the command line. Koadic has several options for staging payloads and creating implants. Koadic performs most of its operations using Windows Script Host. [1] [2]

ID: S0250
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Koadic has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe.[1] |
| Enterprise | T1115 | Clipboard Data | Koadic can retrieve the current content of the user clipboard.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Koadic can open an interactive command shell to perform command-line functions on victim machines.[1] Koadic performs most of its operations using Windows Script Host (JScript) and runs arbitrary shellcode.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode.[1] |
| Enterprise | T1005 | Data from Local System | Koadic can download files off the target system to send back to the server.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Koadic can use SSL and TLS for communications.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Koadic can download additional files.[1] |
| Enterprise | T1046 | Network Service Scanning | Koadic can scan for open TCP ports on the target network.[1] |
| Enterprise | T1135 | Network Share Discovery | Koadic can scan the local network for open SMB.[1] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Koadic can gather hashed passwords by dumping SAM/SECURITY hive.[1] |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Koadic can perform process injection by using a reflective DLL.[1] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Koadic can enable remote desktop on the victim's machine.[1] |
| Enterprise | T1218.005 | Signed Binary Proxy Execution: Mshta | Koadic can use MSHTA to serve additional payloads.[1] |
| Enterprise | T1218.010 | Signed Binary Proxy Execution: Regsvr32 | Koadic can use Regsvr32 to execute additional payloads.[1] |
| Enterprise | T1218.011 | Signed Binary Proxy Execution: Rundll32 | Koadic can use Rundll32 to execute additional payloads.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Koadic can retrieve information about the Windows domain.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Koadic can identify logged-in users across the domain and view user sessions.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | Koadic can run a command on another machine using PsExec.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | Koadic can use WMI to execute commands.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [2] |
| G0069 | MuddyWater | [3][4] |
| G0121 | Sidewinder | [5] |

References