Power Pwn: An offensive security toolset for Microsoft 365
An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform.
Modules:
Copilot Connector and Automator
Allows interaction with Copilot for Microsoft 365 through its WebSocket messages and undocumented APIs.
This module implements multiple capabilities that can be easily extended to implement any process that requires interaction with Copilot.
Implementation of the Copilot M365 undocumented APIs and WebSocket.
This module is responsible for the actual communication with Copilot.
It handles authentication using the Puppeteer library (a scripted browser session performs the sign-in), then sends and receives messages over the WebSocket.
Copilot Interactive Chat
Interactive chat with Copilot M365 through the terminal.
Copilot M365 ‐ Dump
Data dump is a tool for exploring information in Microsoft 365 from a Red Team perspective, by querying Copilot M365 on the compromised user's behalf.
- Extract email contents
- SharePoint site content enumeration and extraction
- Password and credential harvesting (secrets that Copilot can surface from content the user already has access to)
Copilot M365 ‐ Whoami
Extracts useful information about the current user such as:
- Name, title, email, manager etc.
- Accessible documents
- Weekly schedule
- Accessible SharePoint sites
- Access to financial data
- Emails
- Collaborators and Contacts
and more
Copilot Studio Hunter ‐ Deep Scan
Conducts deep scanning for open Copilot Studio bots (bots reachable without authentication) based on domains or tenant IDs, using an automation that combines Copilot Studio and Power Platform mechanics with the Power Platform API, FFUF and Puppeteer.
Copilot Studio Hunter ‐ Enum
Uses open-source intelligence (subdomain enumeration with amass against the Power Platform API domains) to compile lists of environment and tenant IDs for the other Copilot Studio scanning sub-modules.
Install a backdoor
Maintain persistence on Power Platform by installing an automation factory that creates, executes and deletes arbitrary commands.
This capability was first presented at a DEFCON30 talk titled Low Code High Risk – Enterprise Domination via Low Code Abuse
Internal phishing
Set up an internal phishing application on a Microsoft-owned domain, which automatically authenticates users as they browse to your link.
This capability was first presented at a DEFCON30 talk titled Low Code High Risk – Enterprise Domination via Low Code Abuse
No‐Code Malware
Repurpose Microsoft-trusted executables, service accounts and cloud services to power a malware operation.
This capability was first presented at a DEFCON30 talk titled No-Code Malware – Windows 11 at Your Service
PowerDump
powerdump is a tool for exploring information in Microsoft Power Platform from a Red Team perspective. In short, this is what it does:
- Generates access tokens for fetching the resources available in Microsoft Power Apps.
- Uses HTTP calls in Python to dump all available information in Microsoft Power Platform into a local directory.
- Generates access tokens for performing advanced actions on the discovered resources.
- Provides a basic GUI for presenting the collected resources and data.
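The dump step above (list every resource the token can see, page through the results, write each one to a local directory) is the part worth seeing in code. The block below is an added example and is not powerdump's own code. The listing endpoint URL, the Bearer-token header and the `value` / `nextLink` paging fields are assumptions modelled on the public PowerApps REST API and may not match what the real tool calls; the token is passed in by the caller, and the two-page fixture at the bottom is constructed so the example runs offline.

```python
"""Added example, not Power Pwn's own code: a minimal "dump everything to a
local directory" loop of the kind the PowerDump module describes.
ASSUMPTIONS (not taken from the page): the endpoint URL below, the
Bearer-token header, and 'value' / 'nextLink' as the paging fields."""
import json
import tempfile
import urllib.request
from pathlib import Path
from typing import Callable, Iterator

# Assumed PowerApps resource-listing endpoint (assumption, not from the page).
APPS_URL = ("https://api.powerapps.com/providers/Microsoft.PowerApps/apps"
            "?api-version=2016-11-01")

# A transport is any callable (url, headers) -> parsed JSON dict, so the same
# dump code runs against the live service or against a canned fixture.
Fetch = Callable[[str, dict], dict]


def http_fetch(url: str, headers: dict) -> dict:
    """Live transport: plain stdlib HTTPS GET returning the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_pages(fetch: Fetch, url: str, token: str) -> Iterator[dict]:
    """Yield every resource across all pages, following 'nextLink'.
    Stops at the first page without a nextLink, and also stops if the
    service ever links back to a page already visited, so a stale or
    repeating skip token cannot turn the dump into an infinite loop."""
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/json"}
    seen = set()
    while url and url not in seen:
        seen.add(url)
        body = fetch(url, headers)
        yield from body.get("value", [])
        url = body.get("nextLink")


def safe_name(resource_name: str) -> str:
    """Resource names come from the target tenant; never let one choose
    the output path (strip separators, and leading/trailing dots)."""
    cleaned = "".join(c if c.isalnum() or c in "-_." else "_"
                      for c in resource_name)
    return cleaned.strip(".") or "unnamed"


def dump_resources(fetch: Fetch, token: str, out_dir: Path,
                   url: str = APPS_URL) -> list:
    """Write one pretty-printed JSON file per resource; return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for item in iter_pages(fetch, url, token):
        fname = safe_name(str(item.get("name", "unnamed"))) + ".json"
        path = out_dir / fname
        path.write_text(json.dumps(item, indent=2, sort_keys=True))
        written.append(path)
    return written


# --- constructed fixture standing in for the live service (two pages) ---
_PAGE2 = APPS_URL + "&%24skiptoken=constructed"
SAMPLE_PAGES = {
    APPS_URL: {
        "value": [{"name": "11111111-1111-1111-1111-111111111111",
                   "properties": {"displayName": "Expense Approvals",
                                  "owner": {"email": "alice@contoso.example"}}}],
        "nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [{"name": "22222222-2222-2222-2222-222222222222",
                   "properties": {"displayName": "Vendor Onboarding",
                                  "owner": {"email": "bob@contoso.example"}}}],
    },
}


def fake_fetch(url: str, headers: dict) -> dict:
    """Offline transport: serves the constructed pages and checks that the
    Bearer header was sent, as the real service would require."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return SAMPLE_PAGES[url]


def demo(out_dir=None) -> list:
    """Dump the fixture into out_dir (a fresh temp dir by default)."""
    target = Path(out_dir) if out_dir else Path(tempfile.mkdtemp())
    return dump_resources(fake_fetch, "constructed-token", target)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Swap `fake_fetch` for `http_fetch` and pass a real token to run it against a tenant; the transport split is what lets the paging and path-sanitising logic be exercised without network access. Note that the dump contains owner e-mail addresses and anything else the API returns, so the output directory is itself sensitive material during an engagement.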
Spearphishing with Copilot M365
Automated spearphishing with Copilot M365.
Discovers targets; for each one, it explores their latest interactions with the compromised account and crafts highly personalized emails to send to the targeted individuals or groups.