COM Command & Control: Koadic



Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.
It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).
Koadic also attempts to be compatible with both Python 2 and Python 3.


Stagers

Stagers hook target zombies and allow you to use implants.
ModuleDescription
stager/js/mshtaserves payloads in memory using MSHTA.exe HTML Applications
stager/js/regsvrserves payloads in memory using regsvr32.exe COM+ scriptlets
stager/js/rundll32_jsserves payloads in memory using rundll32.exe
stager/js/diskserves payloads using files on disk


Implants

Implants start jobs on zombies.
ModuleDescription
implant/elevate/bypassuac_eventvwrUses enigma0x3’s eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
implant/elevate/bypassuac_sdcltUses enigma0x3’s sdclt.exe exploit to bypass UAC on Windows 10.
implant/fun/zombieMaxes volume and opens The Cranberries YouTube in a hidden window.
implant/fun/voicePlays a message over text-to-speech.
implant/gather/clipboardRetrieves the current content of the user clipboard.
implant/gather/hashdump_samRetrieves hashed passwords from the SAM hive.
implant/gather/hashdump_dcDomain controller hashes from the NTDS.dit file.
implant/inject/mimikatz_dynwrapxInjects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
implant/inject/mimikatz_dotnet2jsInjects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
implant/inject/shellcode_excelRuns arbitrary shellcode payload (if Excel is installed).
implant/manage/enable_rdesktopEnables remote desktop on the target.
implant/manage/exec_cmdRun an arbitrary command on the target, and optionally receive the output.
implant/pivot/stage_wmiHook a zombie on another machine using WMI.
implant/pivot/exec_psexecRun a command on another machine using psexec from sysinternals.
implant/scan/tcpUses HTTP to scan open TCP ports on the target zombie LAN.
implant/utils/download_fileDownloads a file from the target zombie.
implant/utils/upload_fileUploads a file from the listening server to the target zombies.