AV & AMSI Bypass with Magic Unicorn

If you have been wondering why many PowerShell based shells haven’t been working, you can thank Windows’ AMSI. If you still need to use PowerShell based shells, check out the latest version of Trusted Sec’s Magic Unicorn tool.

According to Microsoft, the Antimalware Scan Interface (AMSI) is an interface that “provides enhanced malware protection for users and their data, applications, and workloads”. A newer piece to the Anti-Virus bypass cat and mouse game. Just as there is with regular anti-virus, there has been an almost constant battle between AMSI and utilities to bypass its ability to catch and block PowerShell based remote shells.

The TrustedSec team has been very active in updating their “Magic Unicorn” PowerShell tool to evade AV and AMSI, and this is evident in their latest Unicorn update.

Installation and using Magic Unicorn is very simple in Kali Linux:

Installing Magic Unicorn

Then change to the unicorn directory and run it.

  • cd /unicorn
  • ./unicorn.py

When you run Magic Unicorn, you are given a complete set of usage examples. More information is available on the GitHub site, so I am not going to discuss tool usage. Though generated payloads can be found in the /unicorn directory.

Magic Unicorn usage features

The big question, does it work?

That would be a yes:

Remote PowerShell shell with Magic Unicorn

Best defenses against attacks like this is to be very leery of e-mail attachments & suspicious links. Protect physical access to your computers. Disable or remove old PowerShell versions.  Enable PowerShell monitoring. Install all Windows & AV updates. Run a good network security program. Also, a good Network Security Monitoring system is always helpful in case the worse happens.

Check out the Magic Unicorn Github site for more information.

https://www.trustedsec.com/unicorn/

Advertisements

2 thoughts on “AV & AMSI Bypass with Magic Unicorn”

    1. About a week ago, yesterday and today. It bypasses AMSI just fine. It does seem that the latest Windows Defender AV update is picking up something in the payload, but I don’t use Windows Defender for AV.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.