Koadic
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Koadic has 2 methods for elevating integrity. It can bypass UAC through `eventvwr.exe` and `sdclt.exe`.(Citation: Github Koadic) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Koadic has used HTTP for C2 communications.(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Koadic has added persistence to the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` Registry key.(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Koadic has used PowerShell to establish persistence.(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Koadic can open an interactive command shell to perform command-line functions on victim machines. Koadic performs most of its operations using Windows Script Host (JScript) and runs arbitrary shellcode.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode.(Citation: Github Koadic) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Koadic can use SSL and TLS for communications.(Citation: Github Koadic) |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Koadic has used the command |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Koadic can gather hashed passwords by dumping the SAM/SECURITY hives.(Citation: Github Koadic) |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.(Citation: Github Koadic) |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Koadic can perform process injection by using a reflective DLL.(Citation: Github Koadic) |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Koadic can enable remote desktop on the victim's machine.(Citation: Github Koadic) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Koadic has used scheduled tasks to add persistence.(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Koadic can use Regsvr32 to execute additional payloads.(Citation: Github Koadic) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Koadic can use Rundll32 to execute additional payloads.(Citation: Github Koadic) |
| Enterprise | T1569.002 | System Services: Service Execution | Koadic can run a command on another machine using PsExec.(Citation: Github Koadic) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | (Citation: Palo Alto Sofacy 06-2018) |
| G0140 | LazyScripter | (Citation: MalwareBytes LazyScripter Feb 2021) |
| G0121 | Sidewinder | (Citation: ATT Sidewinder January 2021) |
| G0069 | MuddyWater | (Citation: Reaqta MuddyWater November 2017) (Citation: TrendMicro POWERSTATS V3 June 2019) |
References
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
- Lunghi, D., Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.