{
	"id": "7003f1b0-a2f1-4c89-b41f-3e33932a19b0",
	"created_at": "2026-04-06T00:18:36.929375Z",
	"updated_at": "2026-04-10T03:20:30.835055Z",
	"deleted_at": null,
	"sha1_hash": "5c5fba1b4ba7c7a6abbae3bc6507b94be06e8593",
	"title": "GitHub - offsecginger/koadic: zerosum0x0's Koadic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80216,
	"plain_text": "GitHub - offsecginger/koadic: zerosum0x0's Koadic\r\nBy offsecginger\r\nArchived: 2026-04-05 16:34:51 UTC\r\nORIGINALLY DEVELOPED BY ZEROSUM0X0\r\n(https://twitter.com/zerosum0x0)\r\nKoadic, or COM Command \u0026 Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.\r\nIt is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).\r\nRecent versions of Koadic are developed on Python 3; it is not a priority to have Python 2 support (End of Life).\r\nInstall\r\ngit clone https://github.com/zerosum0x0/koadic.git\r\ncd koadic\r\npip3 install -r requirements.txt\r\n./koadic\r\nDemo\r\nhttps://github.com/offsecginger/koadic\r\nPage 1 of 5\r\n1. Hooks a zombie\r\n2. Elevates integrity (UAC Bypass)\r\n3. Dumps SAM/SECURITY hive for passwords\r\n4. Scans local network for open SMB\r\n5. Pivots to another machine\r\nStagers\r\nStagers hook target zombies and allow you to use implants.\r\nModule Description\r\nstager/js/mshta serves payloads in memory using MSHTA.exe HTML Applications\r\nstager/js/regsvr serves payloads in memory using regsvr32.exe COM+ scriptlets\r\nstager/js/rundll32_js serves payloads in memory using rundll32.exe\r\nstager/js/disk serves payloads using files on disk\r\nstager/js/wmic serves payloads in memory using WMIC\r\nstager/js/bitsadmin transfers a .wsf payload containing JScript over a Bitsadmin job and executes it\r\nImplants\r\nImplants start jobs on zombies.\r\nModule Description\r\nimplant/elevate/bypassuac_compdefaults Bypass UAC via registry hijack for ComputerDefaults.exe.\r\nimplant/elevate/bypassuac_compmgmtlauncher Bypass UAC via registry hijack for CompMgmtLauncher.exe.\r\nimplant/elevate/bypassuac_eventvwr Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.\r\nimplant/elevate/bypassuac_fodhelper Bypass UAC via registry hijack for fodhelper.exe.\r\nimplant/elevate/bypassuac_sdclt Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.\r\nimplant/elevate/bypassuac_slui Bypass UAC via registry hijack for slui.exe.\r\nimplant/elevate/system_createservice Elevate from administrative session to SYSTEM via SC.exe.\r\nimplant/fun/zombie Maxes volume and opens The Cranberries YouTube in a hidden window.\r\nimplant/fun/voice Plays a message over text-to-speech.\r\nimplant/gather/clipboard Retrieves the current content of the user clipboard.\r\nimplant/gather/comsvcs_lsass Utilizes comsvcs.dll to create a MiniDump of LSASS, parses with pypykatz.\r\nimplant/gather/enum_domain_info Retrieve information about the Windows domain.\r\nimplant/gather/hashdump_dc Domain controller hashes from the NTDS.dit file.\r\nimplant/gather/hashdump_sam Retrieves hashed passwords from the SAM hive.\r\nimplant/gather/loot_finder Finds loot on the target box.\r\nimplant/gather/user_hunter Locate users logged on to domain computers (using Dynamic Wrapper X).\r\nimplant/inject/mimikatz_dotnet2js Injects a reflective-loaded DLL to run powerkatz.dll (@tiraniddo DotNetToJS).\r\nimplant/inject/mimikatz_dynwrapx Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).\r\nimplant/inject/mimikatz_tashlib Executes arbitrary shellcode using the TashLib COM object. (Work in Progress!)\r\nimplant/inject/shellcode_dotnet2js Executes arbitrary shellcode using the DotNet2JS technique. Inject shellcode into a host process via createremotethread as a new thread (thanks psmitty7373!).\r\nimplant/inject/shellcode_dynwrapx Executes arbitrary shellcode using the Dynamic Wrapper X COM object.\r\nimplant/inject/shellcode_excel Runs arbitrary shellcode payload (if Excel is installed).\r\nimplant/manage/enable_rdesktop Enables remote desktop on the target.\r\nimplant/manage/exec_cmd Run an arbitrary command on the target, and optionally receive the output.\r\nimplant/persist/add_user Adds either a local or domain user.\r\nimplant/persist/registry Adds a Koadic stager payload in the registry.\r\nimplant/persist/schtasks Establishes persistence via a scheduled task.\r\nimplant/persist/wmi Creates persistence using a WMI subscription.\r\nimplant/phishing/password_box Prompt a user to enter their password.\r\nimplant/pivot/exec_psexec Run a command on another machine using psexec from sysinternals.\r\nimplant/pivot/exec_wmi Executes a command on another system.\r\nimplant/pivot/stage_wmi Hook a zombie on another machine using WMI.\r\nimplant/scan/tcp Uses HTTP to scan open TCP ports on the target zombie LAN.\r\nimplant/utils/download_file Downloads a file from the target zombie.\r\nimplant/utils/multi_module Run a number of implants in succession.\r\nimplant/utils/upload_file Uploads a file from the listening server to the target zombies.\r\nFuture Improvements (a.k.a. Koadic 2.0)\r\nRewrite and redesign the server stack to be cleaner.\r\nActual VBScript support.\r\nDisclaimer\r\nCode samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.\r\nCreators\r\n@Aleph___Naught\r\n@The_Naterz\r\n@JennaMagius\r\n@zerosum0x0\r\nContributors\r\n@vvalien1\r\nfbctf\r\ncclaus\r\nArno0x\r\ndelirious-lettuce\r\npsmitty7373\r\n@ForensicITGuy\r\nAcknowledgements\r\nSpecial thanks to research done by the following individuals:\r\n@subTee\r\n@enigma0x3\r\n@tiraniddo\r\n@harmj0y\r\n@gentilkiwi\r\n@mattifestation\r\nclymb3r\r\nSource: https://github.com/offsecginger/koadic",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/offsecginger/koadic"
	],
	"report_names": [
		"koadic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c5fba1b4ba7c7a6abbae3bc6507b94be06e8593.pdf",
		"text": "https://archive.orkl.eu/5c5fba1b4ba7c7a6abbae3bc6507b94be06e8593.txt",
		"img": "https://archive.orkl.eu/5c5fba1b4ba7c7a6abbae3bc6507b94be06e8593.jpg"
	}
}