HackTool - Koadic Execution
Detects command line parameters used by Koadic hack tool
Sigma rule (View on GitHub)
1title: HackTool - Koadic Execution
2id: 5cddf373-ef00-4112-ad72-960ac29bac34
3status: test
4description: Detects command line parameters used by Koadic hack tool
5references:
6 - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
7 - https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js
8 - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
9author: wagga, Jonhnathan Ribeiro, oscd.community
10date: 2020-01-12
11modified: 2023-02-11
12tags:
13 - attack.execution
14 - attack.t1059.003
15 - attack.t1059.005
16 - attack.t1059.007
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_img:
22 - Image|endswith: '\cmd.exe'
23 - OriginalFileName: 'Cmd.Exe'
24 selection_cli:
25 CommandLine|contains|all:
26 - '/q'
27 - '/c'
28 - 'chcp'
29 condition: all of selection_*
30fields:
31 - CommandLine
32 - ParentCommandLine
33falsepositives:
34 - Unknown
35level: high
References
-
Unit 42’s continued look at the Sofacy Group’s activity reveals the persistent targeting of government, diplomatic and other strategic organizations across North America and Europe.
Read More -
zerosum0x0's Koadic. Contribute to offsecginger/koadic development by creating an account on GitHub.
Read More -
In this post, we will be examining the core functionality of Koadic – an open source tool created by zerosum0x0. Koadic is a post-exploitation toolkit that provides remote access, as well as many different modules covering enumeration, pivoting, and escalation. The server-side component is written in Python and the agent-side components are written in Javascript/VBscript.Koadic […]
Read More
Related rules
- File Was Not Allowed To Run
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact