# S0250 Koadic

Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.[3][2][1]

| Item | Value |
|---|---|
| ID | S0250 |
| Associated Names | |
| Type | TOOL |
| Version | 2.0 |
| Created | 17 October 2018 |
| Last Modified | 06 April 2022 |

## Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Koadic has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe.[3] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Koadic has used HTTP for C2 communications.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Koadic has added persistence to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Registry key.[1] |
| enterprise | T1115 | Clipboard Data | Koadic can retrieve the current content of the user clipboard.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Koadic has used PowerShell to establish persistence.[1] |
| enterprise | T1059.003 | Windows Command Shell | Koadic can open an interactive command shell to perform command-line functions on victim machines. Koadic performs most of its operations using Windows Script Host (JScript) and can run arbitrary shellcode.[3][1] |
| enterprise | T1059.005 | Visual Basic | Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode.[3] |
| enterprise | T1005 | Data from Local System | Koadic can download files off the target system to send back to the server.[3][1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Koadic can use SSL and TLS for communications.[3] |
| enterprise | T1083 | File and Directory Discovery | Koadic can obtain a list of directories.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Koadic has used the command `Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden` to hide its window.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Koadic can download additional files and tools.[3][1] |
| enterprise | T1046 | Network Service Discovery | Koadic can scan for open TCP ports on the target network.[3] |
| enterprise | T1135 | Network Share Discovery | Koadic can scan the local network for open SMB.[3] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.002 | Security Account Manager | Koadic can gather hashed passwords by dumping the SAM/SECURITY hives.[3] |
| enterprise | T1003.003 | NTDS | Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.[3] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Koadic can perform process injection by using a reflective DLL.[3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | Koadic can enable remote desktop on the victim’s machine.[3] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Koadic has used scheduled tasks to add persistence.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence.[3][1] |
| enterprise | T1218.010 | Regsvr32 | Koadic can use Regsvr32 to execute additional payloads.[3] |
| enterprise | T1218.011 | Rundll32 | Koadic can use Rundll32 to execute additional payloads.[3] |
| enterprise | T1082 | System Information Discovery | Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Koadic can retrieve the contents of the IP routing table as well as information about the Windows domain.[3][1] |
| enterprise | T1033 | System Owner/User Discovery | Koadic can identify logged-in users across the domain and view user sessions.[3][1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | Koadic can run a command on another machine using PsExec.[3] |
| enterprise | T1047 | Windows Management Instrumentation | Koadic can use WMI to execute commands.[3] |

## Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0140 | LazyScripter | [1] |
| G0007 | APT28 | [2] |
| G0069 | MuddyWater | [4][5] |
| G0121 | Sidewinder | [6] |

## References

1. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
2. Lee, B. and Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
3. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
4. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
5. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
6. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.