BSidesLV 2017 has ended
Tuesday, July 25 • 14:00 - 14:55
Koadic C3 - Windows COM Command & Control Framework

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (i.e. JScript/VBScript), with compatibility in the core to support everything from a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

An in-depth view of default COM objects will be provided. COM is a fairly underexplored, large attack surface in Windows. Post exploitation with PowerShell has grown in popularity in recent years, and seeing what can be done with just the basic Windows Script Host is an interesting exploration. We will also share lots of weird Windows scripting quirks with interesting workarounds we discovered during the course of development.

It is possible to serve payloads completely in memory from stage 0 onward, and to encrypt communications with SSL or TLS (whichever the victim OS has available). We also found numerous ways to "fork to shellcode" in an environment that traditionally does not provide such capabilities.

Koadic also attempts to be compatible with both Python 2 and Python 3. Koadic is used via a slick shell, with CLI improvements that we also committed into Metasploit. Koadic's code will be released under the Apache 2.0 license. It consolidates techniques from original research as well as amazing previous research by @subTee, @enigma0x3, and @tiraniddo.

Presenters

Aleph _Naught

Senior Security Researcher, RiskSense
Zach Harding is a senior security analyst at RiskSense, Inc. Zach formerly served in the US Army as a combat medic. He, along with Sean Dillon and others, improved leaked NSA code to release the "ExtraBacon 2.0" Cisco ASA exploit package. He is an avid tester of every penetration... Read More →

zerosum0x0

Senior Security Researcher, RiskSense, Inc.
Sean Dillon is a senior security analyst at RiskSense, Inc. He has an established research focus on attacking the Windows kernel, and was the first to reverse engineer the DOUBLEPULSAR SMB backdoor. He is a co-author of the ETERNALBLUE Metasploit module and other contributions to... Read More →
Tuesday July 25, 2017 14:00 - 14:55 PDT
Breaking Ground (Florentine A) 255 E Flamingo Rd, Las Vegas, NV 89169