title: Koadic Execution id: 5cddf373-ef00-4112-ad72-960ac29bac34 status: experimental description: Detects command line parameters used by Koadic hack tool references: - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/ - https://github.com/zerosum0x0/koadic/blob/master/data/stager/js/stdlib.js#L955 - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/ tags: - attack.execution - attack.t1059.003 - attack.t1059 # an old one - attack.t1059.005 - attack.t1059.007 - attack.t1064 # an old one date: 2020/01/12 modified: 2020/09/01 author: wagga logsource: category: process_creation product: windows detection: selection1: CommandLine|contains: - 'cmd.exe* /q /c chcp ' condition: selection1 fields: - CommandLine - ParentCommandLine falsepositives: - Pentest level: high