Low Risk · Windows · kodi.exe · EXECUTABLE

Kodi Media Center - Entertainment Hub Analysis [2026]

Kodi is an open-source media center application. While primarily for entertainment, malicious add-ons can be used as attack vectors for malware distribution.

Last verified: Jan 18, 2025

Risk Summary

| Factor | Assessment |
|--------|------------|
| Detection Difficulty | Low |
| Abuse Potential | Medium |
| Prevalence | Common |
| Risk Score | 30/100 |

Kodi is a legitimate media center that can be compromised through malicious third-party add-ons.

Overview

What is kodi.exe?

Kodi (formerly XBMC) is a free and open-source media player application developed by the XBMC/Kodi Foundation.

Key Characteristics

| Attribute | Value |
|-----------|-------|
| File Name | Kodi.exe |
| Developer | Kodi Foundation |
| Digital Signature | XBMC Foundation |
| Typical Size | 100-200 MB |
| Type | Media Center |

Technical Details

| Property | Description |
|----------|-------------|
| Process Type | User Application |
| Network Activity | Media streaming, add-on downloads |
| Platform | Cross-platform |
| Extensions | Add-ons (Python-based) |

Kodi is highly extensible through add-ons, which is both a feature and a security concern.

Normal Behavior


Legitimate Usage Patterns

```
Kodi.exe               (Main application)
kodi.exe -p            (Portable mode)
kodi.exe --standalone  (Fullscreen mode)
```

Expected Characteristics

| Aspect | Expected Behavior |
|--------|-------------------|
| Parent Process | explorer.exe |
| User Context | Current user |
| Network | Media sources, add-on repos |
| GPU Usage | Moderate (video playback) |

Common Network Activity

| Destination | Purpose |
|-------------|---------|
| kodi.tv | Official updates |
| Add-on repositories | Extension downloads |
| Media sources | Streaming content |
| Local network | DLNA/UPnP |

Common Locations

```
C:\Program Files\Kodi\Kodi.exe
C:\Program Files (x86)\Kodi\Kodi.exe
```

Suspicious Indicators


Red Flags

| Indicator | Concern Level | Description |
|-----------|---------------|-------------|
| Unknown add-on repos | High | Third-party malicious sources |
| Python subprocess | Medium | Add-on executing code |
| Unusual network traffic | Medium | Non-media connections |
| Crypto mining | High | Cryptominer add-ons |

Malicious Add-on Indicators

Warning Signs:
- Add-ons from unknown repositories
- Add-ons requesting excessive permissions
- Unusual CPU usage during Kodi operation
- Network connections to mining pools
- Add-ons bundled with streaming boxes

Network Red Flags

| Pattern | Concern |
|---------|---------|
| Mining pool connections | Cryptominer |
| Tor/proxy traffic | Hidden activity |
| Unusual ports | C2 communication |
| Large data uploads | Exfiltration |

Abuse Techniques


Malicious Add-ons

Add-on Attack Vector:
1. User installs third-party add-on repository
2. Malicious add-on downloaded from repo
3. Add-on executes Python code with user privileges
4. Malware installed via add-on
5. Persistence established

Cryptomining

Cryptominer Scenario:
1. Malicious Kodi repository added
2. "Media" add-on installed
3. Add-on downloads cryptominer
4. Miner runs during Kodi usage
5. CPU/GPU resources consumed

Botnet Participation

| Vector | Method |
|--------|--------|
| Add-on dropper | Add-on installs RAT |
| Repo compromise | Legitimate repo hijacked |
| Pre-loaded devices | Streaming boxes with malware |
| Update mechanism | Malicious update pushed |

DDoS Participation

Botnet Scenario:
1. Malicious add-on includes bot code
2. Bot connects to C2 server
3. Receives DDoS commands
4. Participates in attacks
5. User unaware of activity

Remediation Steps


Add-on Audit

```powershell
# List installed add-ons
$addonPath = "$env:APPDATA\Kodi\addons"
if (Test-Path $addonPath) {
    Get-ChildItem $addonPath -Directory | Select-Object Name
}

# Check for suspicious Python scripts
Get-ChildItem "$env:APPDATA\Kodi" -Recurse -Filter "*.py" |
    Select-Object FullName, LastWriteTime
```

Repository Review

Check Kodi Settings:
- Settings → Add-ons → Manage dependencies
- Settings → Add-ons → Check for updates
- Review all installed repositories
- Remove unknown/untrusted sources
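
An added example (not part of the original page and not Kodi project code) supporting the add-on audit and repository review above: it reads each add-on's `addon.xml`, lists the hosts a repository add-on downloads from, and marks add-ons that register a background service. The `kodi.tv` trust list, the function names and the sample manifests are assumptions constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

TRUSTED_SUFFIXES = ("kodi.tv",)  # assumption: only kodi.tv hosts count as official

def is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def audit_addons(addons_dir, suffixes=TRUSTED_SUFFIXES):
    """Parse each add-on's addon.xml; repo sources live in <info>/<checksum>/<datadir>."""
    findings = []
    for manifest in sorted(Path(addons_dir).glob("*/addon.xml")):
        try:
            root = ET.parse(manifest).getroot()
        except ET.ParseError:
            findings.append({"id": manifest.parent.name, "error": "unparseable addon.xml"})
            continue
        exts = root.findall("extension")
        points = [e.get("point", "") for e in exts]
        urls = [el.text.strip() for e in exts if e.get("point") == "xbmc.addon.repository"
                for tag in ("info", "checksum", "datadir") for el in e.iter(tag) if el.text]
        hosts = sorted({urlparse(u).hostname or u for u in urls})
        findings.append({
            "id": root.get("id"), "version": root.get("version"),
            "is_repo": "xbmc.addon.repository" in points,
            "is_service": "xbmc.service" in points,  # started in the background by Kodi
            "untrusted_hosts": [h for h in hosts if not is_trusted(h, suffixes)],
        })
    return findings

SAMPLES = {  # constructed manifests for the demo, not real add-ons
    "repository.example": '<extension point="xbmc.addon.repository"><dir>'
        '<info>https://repo.example.invalid/addons.xml</info>'
        '<datadir zip="true">https://repo.example.invalid/zips/</datadir></dir></extension>',
    "service.sample": '<extension point="xbmc.service" library="service.py"/>',
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, ext in SAMPLES.items():
            (Path(tmp) / name).mkdir()
            (Path(tmp) / name / "addon.xml").write_text(
                f'<addon id="{name}" version="1.0.0">{ext}</addon>', encoding="utf-8")
        return audit_addons(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To audit a real profile, pass the add-ons folder (for example `%APPDATA%\Kodi\addons`) to `audit_addons` and review any entry with a non-empty `untrusted_hosts` list or `is_service` set.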

Remediation

| Issue | Action |
|-------|--------|
| Malicious add-on | Remove add-on and repo |
| Cryptominer | Remove, reset Kodi profile |
| Botnet | Full system scan, rebuild |
| Unknown repos | Remove and audit |

Investigation Checklist


Installation Analysis

  • Is Kodi officially installed?
  • Was it pre-installed on a device?
  • What version is running?

Add-on Audit

  • What add-ons are installed?
  • What repositories are configured?
  • Are there add-ons from unknown sources?
  • When were add-ons last updated?

Network Analysis

  • What hosts is Kodi connecting to?
  • Are there mining pool connections?
  • Is there unusual outbound traffic?
  • Are there connections to known bad IPs?

Process Analysis

  • Is Kodi spawning child processes?
  • Is Python being executed by Kodi?
  • What is CPU usage during Kodi operation?

MITRE ATT&CK Techniques