title: Koadic Execution
author: wagga, Jonhnathan Ribeiro, oscd.community
date: 2020/01/12
description: Detects command line parameters used by Koadic hack tool
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\cmd.exe'
  SELECTION_3:
    CommandLine: '*/q*'
  SELECTION_4:
    CommandLine: '*/c*'
  SELECTION_5:
    CommandLine: '*chcp*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Pentest
fields:
- CommandLine
- ParentCommandLine
id: 5cddf373-ef00-4112-ad72-960ac29bac34
level: high
logsource:
  category: process_creation
  product: windows
modified: 2020/11/28
references:
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955
- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
status: experimental
tags:
- attack.execution
- attack.t1059.003
- attack.t1059
- attack.t1059.005
- attack.t1059.007
- attack.t1064
ruletype: SIGMA