If you have been wondering why many PowerShell based shells haven’t been working, you can thank Windows’ AMSI. If you still need to use PowerShell based shells, check out the latest version of Trusted Sec’s Magic Unicorn tool.
According to Microsoft, the Antimalware Scan Interface (AMSI) is an interface that “provides enhanced malware protection for users and their data, applications, and workloads”. A newer piece to the Anti-Virus bypass cat and mouse game. Just as there is with regular anti-virus, there has been an almost constant battle between AMSI and utilities to bypass its ability to catch and block PowerShell based remote shells.
The TrustedSec team has been very active in updating their “Magic Unicorn” PowerShell tool to evade AV and AMSI, and this is evident in their latest Unicorn update.
Installation and using Magic Unicorn is very simple in Kali Linux:
- git clone https://github.com/trustedsec/unicorn /unicorn
Then change to the unicorn directory and run it.
- cd /unicorn
When you run Magic Unicorn, you are given a complete set of usage examples. More information is available on the GitHub site, so I am not going to discuss tool usage. Though generated payloads can be found in the /unicorn directory.
The big question, does it work?
That would be a yes:
Best defenses against attacks like this is to be very leery of e-mail attachments & suspicious links. Protect physical access to your computers. Disable or remove old PowerShell versions. Enable PowerShell monitoring. Install all Windows & AV updates. Run a good network security program. Also, a good Network Security Monitoring system is always helpful in case the worse happens.
Check out the Magic Unicorn Github site for more information.