Wolves in Windows Clothing: Weaponizing Trusted Services for Stealthy Malware

Presented at BSidesLV 2023, Aug. 9, 2023, 10:30 a.m. (Unknown duration).

Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, Users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines, executed successfully and reports back to the cloud. You can probably already see where this is going.. In this talk, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services. We will go behind the scenes exploring how this service works, what attack surface it exposes on machine and cloud, and how Microsoft managed to enable it without explicit user consent. We will demonstrate how Office cloud services can be harnessed to act as a C2 server making detection and attribution extremely difficult. Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.

Presenters:

  • Michael Bargury
    Michael Bargury is a security researcher passionate about all things related to cloud, SaaS and low-code security, and spends his time finding ways they could go wrong. He is the Co-Founder and CTO of Zenity, where he helps companies secure their low-code/no-code apps. In the past, he headed security product efforts at Azure focused on IoT, APIs and IaC. He also leads the OWASP low-code security project and writes about it on DarkReading. Michael is a regular speaker at RSAC, OWASP, BSides and DEFCON.

Links:

Similar Presentations: