title: Koadic Execution
id: 5cddf373-ef00-4112-ad72-960ac29bac34
status: experimental
description: Detects command line parameters used by Koadic hack tool
references:
    - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
    - https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955
    - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
tags:
    - attack.execution
    - attack.t1170
    - attack.t1218.005
date: 2020/01/12
author: wagga
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine:
            - '*cmd.exe* /q /c chcp *'
    condition: selection1
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Pentest
level: high