Skip to Main Content
March 23, 2018

Magic Unicorn v3.0 Released

Written by David Kennedy
TrustedSec is proud to announce the release of Magic Unicorn v3. This release incorporates one of the largest additions to Unicorn in three years. This version adds several enhancements including support for Cobalt Strike beacon into the PowerShell evasion framework built into Unicorn. In addition, Unicorn now supports your own shellcode to be inserted into all the various attacks including the PowerShell attack, HTA, and Macro attack vectors.
To use the new Cobalt Strike functionality, you will need to export a Cobalt Strike payload in the CS (C#) format for Unicorn to properly format it. Once it is there, point unicorn to the appropriate file:
python unicorn.py cobalt_strike_file.cs cs
This will generate an obfuscated PowerShell one liner.
There are some caveats to this. Since Cobalt Strike payloads are much larger, it is above the 8190 character size limit from cmd.exe. Good news is PowerShell uses USHORT, so the size limit is 32767:
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} 
UNICODE_STRING;
What that means is that you can use the PowerShell one liner on anything that can directly run powershell.exe. So, you can do this from run, or through WSCRIPT.SHELL or anywhere else (directly from ISE, PowerShell interpreter, etc.). You cannot run it directly from cmd.exe (You should not be doing this anyway as it will often be caught by anti-virus). Once you run this command, it will export the files to the same folder as powershell_attack.txt with your code. You can also run the same command for both the HTA command and the Macro command. Both attack vectors have been drastically improved in this version and have removed all cmd.exe calls. They now leverage use purely WSCRIPT.SHELL (also USHORT w00t).
python unicorn cobalt_strike_file.cs cs hta
This will generate an obfuscated unicorn HTA.
python unicorn cobalt_strike_file.cs cs macro
This will generate all the files you need for a Unicorn based Macro payload. In addition to Cobalt Strike payloads, you can now insert any shellcode you want into the Unicorn framework. It needs to be in a 0x00 format, for example, 0x00,0x00,0x00,0x00 type format for the file. To use your own shellcode:
python unicorn.py proper_formatted_shellcode.txt shellcode
Same thing goes as CS, just append shellcode hta and shellcode macro to do an HTA or Macro attack vector. In addition to the aforementioned features, there's been a number of other enhancements on obfuscation, randomization, and non-predictability. Enjoy! To download Unicorn, visit our GitHub site here.