Magic Unicorn – PowerShell Downgrade Attack and Exploitation tool

Magic Unicorn is a simple tool for using a PowerShell downgrade attack and injects shellcode straight into memory. Based on Matthew Graeber’s powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Table of Content

  • Powershell Attack Instruction
  • HTA Attack Instruction
  • Macro Attack Instruction

 Download the unicorn from git repository:

Once downloaded, go in the directory and run unicorn with the following command to see all the possible methods.


Powershell Attack Instructions

First we will try the reverse_tcp payload. As we can see in the main menu all the commands are already written. We just need to replace the IP with our IP.


Now this will give us two files. One is a text file named “powershell_attack.txt” which has the powershell code that will be run in the victim’s machine using social engineering and the other is “unicorn.rc” which is a custom metasploit file that will automatically set all the parameters and start a listener.

These files will be saved in the directory where unicorn was cloned. Powershell_attack.txt holds the malicious code and when the victim will execute that code in his command prompt, the attacker will get reverse connection of his machine.

Now let’s set up a listener first. We need to run the metasploit “unicorn.rc” file using the following command:

We see a session was obtained in the meterpreter. It was because the powershell code was executed in the victim’s command shell. It would have looked something like this:

HTA Attack Instructions

For our next attack, we will be using an hta payload.

Now convert your IP in bitly URL form and send to victim and then wait for the user to click on the “launcher.hta” file which could be done using social engineering easily.

So, we set up a metasploit listener next using the RC file and wait for user to click on the hta payload.

As soon as he hit the file, we received a meterpreter session. We checked the system info using sysinfo command.


Macro Attack Instructions

Now for the third and final payload for this tutorial, we set hands on our beloved macros.


This again creates a text file and an rc file with the same name and on the same destination.

To enable developed mode there are various methods depending upon your version of MS office.

As for a generic approach, let’s say you enabled it like:

File->properties->ribbons->developer mode

You will see an extra tab labeled developer once it gets enabled.

As for the attack, go to developer->macros and create a new macro named “Auto_Open”

Simply paste the contents from “powershell_attack.txt” to this xlsx module and save it.

As soon as you click run (little green icon on the top), it will give you an error! Don’t worry! You want that error. It is supposed to happen.

Soon after the error on the user screen, we would have obtained a session successfully in meterpreter!

Use sysinfo double check our successful exploitation using unicorn!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Related Posts Plugin for WordPress, Blogger...

Magic Unicorn – PowerShell Downgrade Attack and Exploitation tool Magic Unicorn – PowerShell Downgrade Attack and Exploitation tool Reviewed by Dump3R H3id3gg3R on 11:28 AM Rating: 5