Koadic is an open source post exploitation tool for red teamers, written in VBScript/JScript with a Python3 HTTPS-based C2 backend.
The implant side is fairly straightforward - Its persitance and elevation functionality uses hardcoded well-known and signatured methods, and almost all of its stagers get blocked by Windows Defender on Win 10. Nonetheless it has a decent following on Github, and has even been used by an APT crew in the past.
I was interested in doing a review of it, and noticed when hitting scanning a running C2 server, it would always return the following empty HTTP response:
HTTP/1.0 404 Not Found Server: Apache Date: Fri, 02 Aug 2019 03:43:28 GMT
Date header would change be the correct time, but besides that, a few things stand out when comparing this response
to one from a Typical real-world Apache Webserver:
- Apache servers typically return version information in the
Serverheader (although this can be configured)
- Apache servers return the
Dateheader above the
- Apache servers typically will also send more headers, such as
Searching Shodan for Koadic
Unfortunetly the Shodan API doesn’t allow us to specify header ordering, however we can still search for responses that contain:
HTTP/1.0 404 Not Found
Date(As that actual date will change, but this will cover the presence of the header)
- not any other header
The Final Shodan query looks like this:
"HTTP/1.0 404 Not Found" "Server: Apache" -"Content-Type" -"Content-Length" -"Connection" -"Expires" -"Access-Control" -"Set-Cookie" -"Content-Encoding" -"Charset" -"Transfer-Encoding"
Searching Shodan (as of January 2020) has surprising results:
Out of all of Shodan, only 28 results! And looking at a sampling of the results, a lot certainly look suspicious enough to be possible C2 servers:
- One had a sibling subdomain that was previouslly hostinng a a malicious hta document
- Investigating, I found out this was a koaded 1st stage
- One had mutliple ports open, pretending to be both
- One literally had
koadic.frin its TLS cert name
These results, combined with the low number of hits, gives me confidence this signature is correct.
As Koadic was created for legitimate red-teamers, it is unlikely any of these are actualy “the bad guys”.
But understanding what fingerprint a tool creates is usefull to help the blue team detect actualy bad uses of Koadic, as well as help the red teamers understand what footprint they may create.