Hide Navigation Hide TOC

Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)

Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. Koadic has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	1
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	1
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	1
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2