{
  "description": "Enterprise techniques used by Koadic, ATT&CK software S0250 (v2.0)",
  "name": "Koadic (S0250)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "[Koadic](https://attack.mitre.org/software/S0250) has 2 methods for elevating integrity. It can bypass UAC through `eventvwr.exe` and `sdclt.exe`.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Koadic](https://attack.mitre.org/software/S0250) has used HTTP for C2 communications.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Koadic](https://attack.mitre.org/software/S0250) has added persistence to the `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` Registry key.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1115", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can retrieve the current content of the user clipboard.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Koadic](https://attack.mitre.org/software/S0250) has used PowerShell to establish persistence.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can open an interactive command shell to perform command-line functions on victim machines. [Koadic](https://attack.mitre.org/software/S0250) performs most of its operations using Windows Script Host (JScript) and can run arbitrary shellcode.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[Koadic](https://attack.mitre.org/software/S0250) performs most of its operations using Windows Script Host (VBScript) and can run arbitrary shellcode.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can download files off the target system to send back to the server.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can use SSL and TLS for communications.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can obtain a list of directories.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[Koadic](https://attack.mitre.org/software/S0250) has used the command `Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden` to hide its window.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can download additional files and tools.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1046", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can scan for open TCP ports on the target network.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can scan the local network for open SMB.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.002", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can gather hashed passwords by dumping the SAM/SECURITY hive.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003.003", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can gather hashed passwords by gathering domain controller hashes from NTDS.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can perform process injection by using a reflective DLL.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.001", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can enable remote desktop on the victim's machine.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Koadic](https://attack.mitre.org/software/S0250) has used scheduled tasks to add persistence.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.005", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can use mshta to serve additional payloads and to help schedule tasks for persistence.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.010", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can use Regsvr32 to execute additional payloads.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can use Rundll32 to execute additional payloads.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can obtain the OS version and build, computer name, and processor architecture from a compromised host.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can retrieve the contents of the IP routing table as well as information about the Windows domain.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can identify logged-in users across the domain and view user sessions.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1569", "showSubtechniques": true},
    {"techniqueID": "T1569.002", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can run a command on another machine using [PsExec](https://attack.mitre.org/software/S0029).(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[Koadic](https://attack.mitre.org/software/S0250) can use WMI to execute commands.(Citation: Github Koadic)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Koadic", "color": "#66b1ff"}]
}