Power Pwn: An offensive and defensive security toolset for Microsoft 365 Power Platform

Power Pwn

Power Pwn is an offensive and defensive security toolset for Microsoft Power Platform.

Disclaimer: These materials are presented from an attacker’s perspective to raise awareness of the risks of underestimating the security impact of No Code/Low Code. No Code/Low Code is excellent.

Module

• Copilot Connector and Automator: Allow interaction with Copilot for Microsoft 365 through the WebSocket messages and undocumented APIs. This module implements multiple capabilities than can be easily extended to implement any process that requires interaction with the Copilot.
• Copilot Interactive Chat: Interactive chat with Copilot M365 through the terminal.
• Copilot M365 ‐ Dump: Data dump is a tool for exploring information in Microsoft 365 from a Red Team perspective.
  1. Extract emails contents
  2. Sharepoint site content enumeration and extraction
  3. Password and credentials harvesting
• Copilot M365 ‐ Whoami: Extracts useful information about the current user such as:
  1. Name, title, email, manager etc.
  2. Accessible documents
  3. Weekly schedule
  4. Accessible Sharepoint sites
  5. Access to financial data
  6. Emails
  7. Collaborators and Contacts
• Copilot Studio Hunter ‐ Deep Scan: Conducts deep scanning to find open Copilot Studio bots based on domains or tenant IDs using an automation which utilizes different Copilot Studio & Power Platform mechanics and the Power Platform API, FFUF and Puppeteer.
• Copilot Studio Hunter ‐ Enum: Utilizes open-source intelligence to compile lists of environment and tenant IDs from the Power Platform API subdomains to be used by the other Copilot Studio scanning sub-modules. Uses amass.
• Install a backdoor: Maintain persistency on Power Platform by installing an automation factory that creates, executes and deletes arbitrary commands.
• Internal phishing: Set up an internal phishing application on a Microsoft-owned domains which will automatically authenticate as users browse to your link.
• No‐Code Malware: Repurpose Microsoft-trusted executables, service accounts and cloud services to power a malware operation.
• Power Pages: Conducts a scan to test and alert of any anonymous access to dataverse tables via power pages, either via the apis or odata feeds.
• PowerDump:powerdump is a tool for exploring information in Microsoft PowerPlatform from a Red Team perspective. In short, this is what it does:
  • Generates access tokens for fetching available resources in Microsoft PowerApps.
  • Uses HTTP calls in Python to dump all available information in the Microsoft PowerPlatform into a local directory.
  • Generates access tokens for performing advanced actions on the discovered resources.
  • Provides a basic GUI for presenting the collected resources and data.

How to set up your power-pwn cloud account

Set up a malicious Microsoft tenant

1. Set up your free Microsoft tenant by following Microsoft guidelines

   

2. Create a malicious user account and assign it a Power platform administrator role. The admin role isn’t necessary, it’s just convenient.

   

3. On a private browser tab

   1. Go to https://flow.microsoft.com and log in with the malicious user. Follow through the sign-in process to initiate a Power Automate trial license.

   2. Follow the same process with https://make.powerapps.com to initiate a Power Apps trial license.

4. Create a Service Principal by following Microsoft guidelines and note the tenantId, applicationId, and secret.

Infect a test victim machines

1. Infect a test machine by following the How to infect a victim machine guide.

2. Verify that the machine has been onboarded

   1. Log into https://flow.microsoft.com as the malicious user

   2. Click Go to Monitor and then Machines and verify that the test victim machine is there

   

Upload pwntoso to your Power Automate cloud environment

1. Log into https://flow.microsoft.com with the malicious user.

2. Go to Solutions and click Import solution

   

3. Zip the content of pwntoso_1_0_0_1 and select it when asked to provide a solution file. Follow the guided process to completion.

   1. When asked to provide a connection, follow the guided process to create a new machine connection. Use the test victim machine credentials.

4. Go to My flows and search for Endpoint

   

   Click on Edit and then on When an HTTP request is received and copy the URL under HTTP POST URL

   

5. Note the HTTP Post URL for use with the Python module.

Use