Skip to content

S0250 Koadic

Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.321

Item Value
ID S0250
Associated Names
Version 2.0
Created 17 October 2018
Last Modified 06 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Koadic has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe.3
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Koadic has used HTTP for C2 communications.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Koadic has added persistence to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Registry key.1
enterprise T1115 Clipboard Data Koadic can retrieve the current content of the user clipboard.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Koadic has used PowerShell to establish persistence.1
enterprise T1059.003 Windows Command Shell Koadic can open an interactive command-shell to perform command line functions on victim machines. Koadic performs most of its operations using Windows Script Host (Jscript) and to run arbitrary shellcode.31
enterprise T1059.005 Visual Basic Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode .3
enterprise T1005 Data from Local System Koadic can download files off the target system to send back to the server.31
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Koadic can use SSL and TLS for communications.3
enterprise T1083 File and Directory Discovery Koadic can obtain a list of directories.1
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window Koadic has used the command Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden to hide its window.1
enterprise T1105 Ingress Tool Transfer Koadic can download additional files and tools.31
enterprise T1046 Network Service Discovery Koadic can scan for open TCP ports on the target network.3
enterprise T1135 Network Share Discovery Koadic can scan local network for open SMB.3
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager Koadic can gather hashed passwords by dumping SAM/SECURITY hive.3
enterprise T1003.003 NTDS Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.3
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Koadic can perform process injection by using a reflective DLL.3
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Koadic can enable remote desktop on the victim’s machine.3
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Koadic has used scheduled tasks to add persistence.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence.31
enterprise T1218.010 Regsvr32 Koadic can use Regsvr32 to execute additional payloads.3
enterprise T1218.011 Rundll32 Koadic can use Rundll32 to execute additional payloads.3
enterprise T1082 System Information Discovery Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.1
enterprise T1016 System Network Configuration Discovery Koadic can retrieve the contents of the IP routing table as well as information about the Windows domain.31
enterprise T1033 System Owner/User Discovery Koadic can identify logged in users across the domain and views user sessions.31
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Koadic can run a command on another machine using PsExec.3
enterprise T1047 Windows Management Instrumentation Koadic can use WMI to execute commands.3

Groups That Use This Software

ID Name References
G0140 LazyScripter 1
G0007 APT28 2
G0121 Sidewinder 4
G0069 MuddyWater 56


Back to top