Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte
I thought it could be interesting to add a detection for the presence of this automation. I investigated a bit and right now this seems a novel and probably not very common technique...but that's why I think it makes sense to add it :) I didn't find any MITRE classification for it.
I investigated and it looks like the most consistent way to understand if any automation is running is checking the presence of local logs. Since there are a lot of ways to schedule Flows (with standalone system, with Azure Apps...), the presence of logs is, at least right now, the best way to check for it:
it allows you to understand if Power Automate is active (it should not be if you are not using it)
it allows you to review the activities
So far the output is this:
Hostname : NB-MYPC
Technique : Power Automate
Classification : Uncatalogued Technique N.8
Path : C:\ProgramData\Microsoft\Power Automate\Logs
Value : 2022-08-18-10-57-42-452-UpdateService.log
Access Gained : System/User
Note : 'Power Automate' is an RPA (Robotic Process Automation) made available by Microsoft. It can runs on
standalone system or through Azure Tenants. Given the high number of functions available and the
'legit source' of these executables and processes, it could be used for malicious intent as well.
The presence of the logs means that the system is in some way running these flows. Review if they
are legit or not (last log is shown in Value).
Reference : https://github.com/mbrg/defcon30/tree/main/No_Code_Malware
Signature : Unknown error occurred
IsBuiltinBinary : False
IsLolbin : False
PS: Just as info: I noticed that the Value set to something not executable drops some lines of output in STDERR. This does not happen only for this new check, but also for existing ones. Just to let you know. :-)
Hey.
I saw this interesting presentation about the possible misuse of Power Automate in order to gain persistence and deliver malicious content: https://github.com/mbrg/defcon30/tree/main/No_Code_Malware
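The check described in this PR, written out as an added example (not PersistenceSniper's own code): it tests for the Power Automate log folder at the path shown in the output above, reports the newest log as the Value field does, and deliberately does not try to compute a signature, since the Value is a log file rather than an executable (the likely reason for the "Unknown error occurred" Signature and the extra STDERR lines noted above). The log path is assumed to be the default location.

```powershell
# Added example, not part of the PersistenceSniper module.
# Assumption: desktop Power Automate writes its logs to the path below (taken from the PR output).
function Get-PowerAutomateLogEvidence {
    [CmdletBinding()]
    param(
        [string]$LogPath = 'C:\ProgramData\Microsoft\Power Automate\Logs'
    )

    # No log directory means the RPA runtime has most likely never run on this host.
    if (-not (Test-Path -LiteralPath $LogPath -PathType Container)) {
        return $null
    }

    # Newest log first; its name is what the PR reports in the Value field.
    $logs = Get-ChildItem -LiteralPath $LogPath -File -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending
    if (-not $logs) {
        return $null
    }

    # Mirror the fields of the PR output, plus a count and timestamp to help triage.
    # Signature is reported as not applicable instead of being looked up on a .log file.
    [PSCustomObject]@{
        Hostname     = $env:COMPUTERNAME
        Technique    = 'Power Automate'
        Path         = $LogPath
        Value        = $logs[0].Name
        LastWrite    = $logs[0].LastWriteTime
        LogCount     = $logs.Count
        AccessGained = 'System/User'
        Note         = 'Power Automate logs are present, so flows have run on this system. Review whether they are legitimate.'
        Reference    = 'https://github.com/mbrg/defcon30/tree/main/No_Code_Malware'
        Signature    = 'N/A (log file, not an executable)'
    }
}

# Usage: run on the host being reviewed; no output means no local Power Automate logs were found.
Get-PowerAutomateLogEvidence | Format-List
```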