last-byte / PersistenceSniper

Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte

Power Automate detection added #5

Closed cecio closed 1 year ago

cecio commented 1 year ago

Hey.

I saw this interesting presentation about the possible misuse of Power Automate in order to gain persistence and deliver malicious content: https://github.com/mbrg/defcon30/tree/main/No_Code_Malware

I thought it could be interesting to add a detection for the presence of this automation. I investigated a bit and right now this seems a novel and probably not very common technique...but that's why I think it makes sense to add it :) I didn't find any MITRE classification for it.

I investigated and it looks like the most consistent way to understand if any automation is running seems to be checking the presence of local logs. Since there are a lot of ways to schedule Flows (with standalone systems, with Azure Apps...), the presence of logs is, at least right now, the best way to check for it:

So far the output is this:

Hostname        : NB-MYPC
Technique       : Power Automate
Classification  : Uncatalogued Technique N.8
Path            : C:\ProgramData\Microsoft\Power Automate\Logs
Value           : 2022-08-18-10-57-42-452-UpdateService.log
Access Gained   : System/User
Note            : 'Power Automate' is an RPA (Robotic Process Automation) made available by Microsoft. It can runs on
                  standalone system or through Azure Tenants. Given the high number of functions available and the
                  'legit source' of these executables and processes, it could be used for malicious intent as well.
                  The presence of the logs means that the system is in some way running these flows. Review if they
                  are legit or not (last log is shown in Value).
Reference       : https://github.com/mbrg/defcon30/tree/main/No_Code_Malware
Signature       : Unknown error occurred
IsBuiltinBinary : False
IsLolbin        : False

PS Just as info: I noticed that the Value set to something not executable drops some lines of output in STDERR. This does not happen only for this new check, but also for existing ones. Just to let you know. :-)
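A stand-alone sketch of the check described in this comment, written as an added example rather than the PR's own code: it tests for the Power Automate log directory, picks the newest log, and emits an object shaped like the output above. The path, field names and reference come from the thread; the function name and the extra `LastWrite` field are my own choices.

```powershell
# Added example, not PersistenceSniper's code. Reports the presence of local
# Power Automate logs as a persistence indicator, using the fields shown above.
function Find-PowerAutomateLogs {
    [CmdletBinding()]
    param(
        # Log directory taken from the PR output; override when testing a copied tree.
        [string]$LogPath = 'C:\ProgramData\Microsoft\Power Automate\Logs'
    )

    # No directory means no flows have run locally, so there is nothing to report.
    if (-not (Test-Path -LiteralPath $LogPath -PathType Container)) {
        return
    }

    # Newest log by LastWriteTime, so the analyst sees the most recent activity.
    $latest = Get-ChildItem -LiteralPath $LogPath -File -Filter '*.log' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1

    # Directory exists but holds no logs: treat as no evidence of flows running.
    if (-not $latest) {
        return
    }

    [PSCustomObject]@{
        Hostname        = $env:COMPUTERNAME
        Technique       = 'Power Automate'
        Classification  = 'Uncatalogued Technique N.8'
        Path            = $LogPath
        Value           = $latest.Name
        LastWrite       = $latest.LastWriteTime   # extra field, not in the PR output
        'Access Gained' = 'System/User'
        Note            = 'Power Automate logs are present, so flows have run on this host. Review whether they are legitimate (last log shown in Value).'
        Reference       = 'https://github.com/mbrg/defcon30/tree/main/No_Code_Malware'
    }
}

# Usage: Find-PowerAutomateLogs | Format-List
```

Because a log file is not an executable, this sketch deliberately omits the `Signature` field whose error the comment mentions; a signature check only makes sense on the binaries that produced the logs.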

last-byte commented 1 year ago

Hey there! I’ll take a look at the PR in the following days and merge it in the dev branch if everything’s fine! Thank you!