RiskSense Analysts to Unpack Koadic Hacking Toolkit at Black Hat USA ’19

See how RiskSense can help you to PREDICT, PRIORITIZE, and TAKE CONTROL Against your most dangerous vulnerability and risk findings
See how RiskSense can help you to PREDICT, PRIORITIZE, and TAKE CONTROL Against your most dangerous vulnerability and risk findings

RiskSense, a pioneering risk-based vulnerability management and prioritization, and a Platinum Award Winner in the 2018 ‘ASTORS’ Homeland Security Awards Program returning to compete in the 2019 ‘ASTORS’ Awards Program, has announced that senior security analysts and penetration testing experts Sean Dillon and Nate Caroe will present a deep dive session titled on new features added to the Koadic white hat hacking tool at Black Hat USA 2019 in Las Vegas.

(Its time for the Black Hat USA 2019 – August 2-8, 2019. Mandalay Bay, Las Vegas. Courtesy of Informa Tech and YouTube.)

Koadic: Two Years of Mischief


  • Sean Dillon (aka @zerosum0x0), senior security analyst at RiskSense, has years of experience in penetration testing, exploit reverse engineering and malware research especially around the Microsoft Windows kernel.

  • Sean is a co-author of the ETERNALBLUE and other MS17-010 Metasploit exploit modules. He was the first to publish a reverse engineering analysis of the DOUBLEPULSAR SMB backdoor.

  • Sean has taught workshops on Windows internals at DEF CON and to government agencies.

  • Nate Caroe (@The_Naterz) is a Senior Security Analyst at RiskSense.

  • He is one of the initial contributors and lead maintainer of Koadic.

  • He has performed extensive exploration into exploitation and tool automation.

Courtesy of Black Hat USA
Courtesy of Black Hat USA


  • Koadic, a post-exploitation toolkit that leverages the Windows Script Host to provide all the features of a remote access trojan (RAT), was first released by Sean at DEF CON in 2017, and has since seen two years of development.

  • Koadic is robust enough to have been chosen in nation-state cyberespionage campaigns by APT favorites such as Fancy Bear, Stone Panda, and MuddyWater.

  • It has been the tool of choice on the road to domain admin for many pentests, especially in environments where PowerShell and filesystems are heavily audited by antivirus.

  • In this Black Hat USA presentation, Sean and Nate will reveal new capabilities added to Koadic since its introduction two years ago, including the ability to extract information and intelligence about a targeted Windows environment, scrape user credentials more efficiently, and better navigate a network.

    • New payloads have been added since release, such as Squiblytwo WMIC.exe XSL files (discovered by SubTee and Mattifestation) and Bitsadmin.exe transfer jobs.

Courtesy of Black Hat USA
Courtesy of Black Hat USA
    • Existing payloads have been upgraded to include obfuscation and antivirus evasion.

    • Several new implants have been added, including UAC bypasses via slui, fodhelper, compmgmtlauncher, and compdefaults.

    • A loot finder module automates the process of finding files which may contain sensitive data.

    • Persistence is now available via registry autoruns, WMI, and scheduled tasks.

    • “One shot” stagers now allow an implant to be run immediately on a zombies first call home.

    • A new credential storage feature has been added, transforming Mimikatz outputs acquired into a readily searchable format.

    • A full fledged API is also available, allowing all available functionality of the toolkit to be automated through HTTP interactions.

    • There are innumerable bug fixes, improvements to reliability, and additional stealth since the initial release, with new features being added regularly.

  • Sean and Nate will also discuss best practices on how to use the tool for discovering and remediating security vulnerabilities in Windows systems to protect them from future attacks.


  • Thursday, August 8

  • 1:00pm-2:20pm

  • Track: Malware Offense

  • Session Type: Arsenal


  • Black Hat USA 2019

  • Business Hall (Oceanside), Arsenal Station 10

  • Mandalay Bay | Las Vegas

C-Suite Leaders Share their Expertise with Pioneer in Risk-based Vulnerability Management and Prioritization

Additionally, five leading chief IT security executives recently joined RiskSense’s new Technology Advisory Board, to bring a unique perspective on security, privacy and risk management to the Board.

Srinivas Mukkamala, , CEO of RiskSense
Srinivas Mukkamala, , CEO of RiskSense

“Each of our advisory board members are highly respected practitioners, thought leaders and advocates that have made significant contributions to advance IT security over the course of their careers,” commented Dr. Srinivas Mukkamala, co-founder and CEO of RiskSense on the company’s new Technology Advisory Board.

“Their hands-on experience, expertise, and insights will be invaluable in helping RiskSense continue to push the boundaries of product innovation for security vulnerability risk management, while ensuring we are addressing the top priorities of Chief Information Security Officers.”

RiskSense Technology Advisory Board Members

Macy Dennis, Chief Security Officer (CSO) for EVOTEK,

  • Dennis is also founder and Chairman of the Board of the San Diego CISO Round Table, an ecosystem for CISOs.

  • He serves on the California Governor’s Cyber Taskforce, Cyber Center of Excellence and Security Advisory Alliance, and was nominated for the National Counterintelligence Award. Previously, he was an Executive Director in the Office of the CISO at Optiv, CISO at Kratos Defense and CISO at Amylin Pharmaceuticals.

  • He has also held security leadership roles at American Express, Trimble Navigation, Echostar, and Winstar Wireless.

Joel Fulton

Joel Fulton, Ph.D., Chief Information Security Officer (CISO) for Splunk 

  • Fulton is responsible for developing, implementing and overseeing Splunk’s enterprise security and risk management program to ensure the integrity, confidentiality and availability of information owned, controlled or processed by Splunk products.

  • Prior to Splunk, Joel held security leadership positions at Google, Symantec, Starbucks, and Boeing.

  • He is a recognized expert and frequent keynote speaker on insider threats, AI/machine learning and cybersecurity, pragmatic risk management, and global security management.

Shaun Khalfan
Shaun Khalfan

Shaun Khalfan, Vice President, Information Security at Federal Home Loan Mortgage Corporation (Freddie Mac) 

  • Khalfan heads the information security program and strategy, including security architecture, operations, and engineering to manage information security risk across the company.

  • Previously, Shaun served as CISO for U.S. Customs and Border Protection, and was Director of Cybersecurity for the Department of the Navy Chief Information Officer.

  • He has held cybersecurity leadership roles at the U.S. Department of Defense, the U.S Navy, and the U.S. Army.

  • Shaun is a fellow with the American Council for Technology and an adjunct professor at Carnegie Mellon University.

Jason Lish

Jason Lish, Chief Security, Privacy and Data Officer for Advisor Group,

  • Advisor Group is one of the largest networks of independent wealth management firms in the United States.

  • Jason has over 20 years of experience managing global IT departments for Fortune 100 and 500 companies including Charles Schwab, where he was Senior Vice President, Security Technology & Operations, and Honeywell International where he led global cyber security strategy and operations.

  • He also served as Executive Vice President, CSO and CIO for Alight Solutions, a provider of health, wealth and HR solutions.

Andrew Stone
Andrew Stone

Andrew Stone, Chief Technology Officer (CTO) Americas for Pure Storage (PSTG: NYSE),

  • Andrew supports the development of next generation data storage and protection technologies.

  • Previously he served as U.S. and Global CTO and Chief Security Technology Officer for PricewaterhouseCoopers (PwC), Global Head of Innovation, Technology & Security Architecture and Chief Security Technology Officer for Zurich Insurance Company, and CISO for Farmers Insurance Group.


As a 2019 ‘ASTORS’ Homeland Security Awards Program Competitor, RiskSense will be competing against the industry’s leading providers of Vulnerability Management Solutions.

The 2019 ‘ASTORS’ Homeland Security Awards Program is Proudly Sponsored by ATI SystemsAttivo NetworksAutomatic Systems, and Desktop Alert.

RiskSense provides vulnerability management and prioritization to measure and control cybersecurity risk.

RiskSense logoThe cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness.

Learn More…

RiskSense Platform Now Addresses Security & IT Operations Gaps (Video)