We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

No-Code Malware - Windows 11 at Your Service

00:00

Formal Metadata

Title
No-Code Malware - Windows 11 at Your Service
Title of Series
Number of Parts
85
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, Users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines or Office cloud, executed successfully and reports back to the cloud. You can probably already see where this is going.. In this presentation, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services. We will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how it is enabled by-default and can be used without explicit user consent. We will also point out a few promising future research directions for the community to pursue. Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.
47
Gamma functionPoint cloudInformation securityPerspective (visual)CodeHacker (term)InternetworkingMalwareData managementPotenz <Mathematik>Enterprise architectureCloud computingOperator (mathematics)Endliche ModelltheorieWindowPotenz <Mathematik>Service (economics)SoftwareMereologyComputer wormDifferent (Kate Ryan album)Order (biology)Firewall (computing)Information securityFocus (optics)Connectivity (graph theory)MalwareEnterprise architecturePerspective (visual)Point cloudINTEGRALKeyboard shortcutData managementMultiplication signFunction (mathematics)CybersexFigurate numberLaptopMoment (mathematics)Communications protocolDDR SDRAMComputer animation
Potenz <Mathematik>Enterprise architectureMalwareRevision controlError messageComputer fontService (economics)Online helpGroup actionEmulatorDisintegrationServer (computing)Personal digital assistantDrag (physics)Traffic reportingKeyboard shortcutCoroutineChainMalwareComputing platformVirtual machineCASE <Informatik>Drag (physics)Enterprise architectureKeyboard shortcutComputer wormVirtualizationOrder (biology)Game theoryDrop (liquid)Basis <Mathematik>SoftwareMoment (mathematics)Self-organizationAsynchronous Transfer ModeMultiplication signSensitivity analysisBitDrill commandsINTEGRALOperator (mathematics)Focus (optics)Computer animation
WindowPerspective (visual)DDR SDRAMPotenz <Mathematik>Computer animation
MathematicsVideoconferencingOffice suiteService (economics)Connected spacePoint cloudSelf-organizationRobotMoment (mathematics)MiniDiscOperator (mathematics)Drag (physics)Cartesian coordinate systemDrop (liquid)WordComputer animation
Default (computer science)Integrated development environmentShared memoryCodeOffice suiteComputer wormWindowDifferent (Kate Ryan album)Computer architectureComputer animation
Point cloudService (economics)Potenz <Mathematik>Run time (program lifecycle phase)Virtual machineOffice suiteProgrammschleifeConvex hullBoundary value problemComputer networkRevision controlLocal GroupGroup actionComputer-generated imageryIntegrated development environmentPay televisionTask (computing)Asynchronous Transfer ModeSelf-organizationComputer architecturePoint cloudPotenz <Mathematik>Office suiteExtension (kinesiology)Focus (optics)Virtual machineUniform resource locatorWeb browserInformationComputer wormWindowTask (computing)Service (economics)SoftwareConnected spaceTerm (mathematics)Covering spaceBus (computing)Message passingTelecommunicationBoundary value problemDirection (geometry)Connectivity (graph theory)Operator (mathematics)LaptopElectronic mailing listMultiplication signQuicksortRight anglePublic-key cryptographyDiagramComputer animation
MalwareVirtual machineRevision controlLocal GroupGroup actionGraphics tabletPasswordDistribution (mathematics)Point cloudComputer wormLocal ringComputer wormOrder (biology)Image registrationMereologyOperator (mathematics)Electronic mailing listSystem administratorParallel portRevision controlMalwareLatent heatRight angleConsistencyVirtual machineData conversionPotenz <Mathematik>Self-organizationConnected spaceForm (programming)Scripting languageHacker (term)Office suiteElectronic program guidePlastikkarteCASE <Informatik>Point cloudWindowEndliche ModelltheorieHTTP cookieTheory
Variable (mathematics)Function (mathematics)Point cloudDistribution (mathematics)Computer wormOffice suiteService (economics)Virtual machinePotenz <Mathematik>Run time (program lifecycle phase)CodeCodeFunction (mathematics)Computer architectureDataflowContent (media)Keyboard shortcutWeb browserService (economics)MalwareWindowFunctional (mathematics)Dependent and independent variablesOperator (mathematics)Office suiteDrag (physics)EncryptionCodeMereologyScripting languageComputer wormLaptopTelecommunicationBuildingPrimitive (album)Drop (liquid)QuicksortPoint cloudSystem callMessage passingoutputComputer animation
CodeSoftware testingDataflowError messageAsynchronous Transfer ModeSynchronizationPoint cloudFlash memoryTask (computing)Directory serviceComputer animation
Point (geometry)Variable (mathematics)CodePhysical lawResultantPoint cloudLoginMultiplication signDataflowComputer animation
Variable (mathematics)Conditional probabilityAddress spaceComputer programWeb browserWebsiteGoogle ChromePoint cloudToken ringOpen setEmailVirtual machineWeb browserGastropod shellDemo (music)HTTP cookieToken ringComputer animation
Variable (mathematics)Menu (computing)Graphical user interfaceVacuumGroup actionComputer wormFermat's Last TheoremMereologyWeb browserRevision controlCategory of beingScripting languageUniform resource locatorXMLProgram flowchart
Web browserMalwarePotenz <Mathematik>Personal digital assistantError messageService (economics)Distribution (mathematics)CodeEnterprise architectureSelf-organizationGraphics tabletVirtual machineImage registrationLocal ringIntegrated development environmentPoint cloudAddress spaceOffice suitePotenz <Mathematik>Self-organizationScripting languageVirtual machineComputer wormFreewareRight angleError messagePrimitive (album)Operator (mathematics)Group actionMalwareAreaInformationNumberFunction (mathematics)MereologyParameter (computer programming)Moment (mathematics)Content (media)BlogComputer animation
Computer animation
Transcript: English(auto-generated)
Okay, so, hi everyone. So, you can probably judge from the title, but what we're gonna do today is we're gonna show how you can use Windows executables, service accounts, and cloud services to basically power your own model operation.
Shortly about me, I've been on cyber security for a long time now, we spent some time at, ah, sorry. Ha ha. Woo! Thanks. Thank you for that. So, I spent a bunch of time at Microsoft on APIs, IOT, cloud.
I've been doing local, no-code security for like three years now, which is weird because not many people are into it, but you will soon be, so that's cool. I started a company around 18 months ago called Zenily with folks that are sitting right here. We are focused on local, no-code security.
And again, first time at Defcon, very excited to be here, as you can probably hear. So, thank you for coming. By the way, this talk is gonna feature research from Ria Zilberberg, who's sitting right here, one of our researcher, so give him some love. Woo!
This one is important. Local, no-code is a cool thing. We are very much pro the movement. And this talk, I will try to give an attacker's perspective on that. The reason, of course, is to make sure that this is done in a responsible way. So, what you're gonna learn today,
use it to educate people around you, and let's see where it takes us. Okay, so I'm gonna start right now. When I say creating or running your own malware operation, there are a bunch of things I could mean, so let's figure out what exactly I'm meaning
that we're gonna do today. So, you have initial access to some victim machine. There's a lot of other things that you need to do around it in order to really call it a malware operation. You need to be able to, okay. So, you need to be able to go through a firewall. You need to be able to actually run malware on that machine
and be able to bypass the EDR. You need to be able to create command and control across that firewall and to exfiltrate data back to your, backwards outside of the org. You need to avoid detection by a bunch of enterprise tools that are out there in order to catch you.
And you need to remain persistent on the actual victim machine when they are obviously trying to kick you out. All of those things are a bunch of groundwork. So, what we're gonna do today is we're gonna show how, instead of having to do all of that yourself,
you can just focus on the initial access and on the last part, which is kind of having fun. And we're gonna try and figure out whether we can, how we can use existing services to take care of all of that ops for us. So, what, so, here's the service that we're going to use.
I'm not sure if you've heard about RPA. This is basically a technology that is out there in every major enterprise today. It's really everywhere. And the idea behind RPA is basically to take mundane processes that business users are doing, so copying and pasting through different softwares
that they have on their machine, and basically automating it. And the way that it gets automated is that the users are actually emulated. So, the user gets impersonated. They are copying the kind of the keyboard and the mouse clicks and then reiterating them. And that's the way that they're using the user's own identity.
And it's used to basically facilitate integration with old software that has no APIs, which makes it easier. So, RPA is built of three main components. The first one is an agent. It sits on somebody's laptop. And it emulates the user, as I've just mentioned. The second part is the controller,
which is able to reach out to the machine, send some payload, the payload gets executed, and then the output gets routed back. And there's a management portal which allows you to basically say, okay, here are all my agents, here's the payload I'm gonna send to each one of them. The key thing about this technology is that every part here is trusted.
And what do I mean by trusted? I mean trusted by the EDR, trusted by network security, trusted by the SOC team. So, on the agent side, there are executables that are signed by the vendors themselves. We'll see that in a moment. The communication, so all of the endpoints, all of the protocols, and the cloud services themselves.
And there are a bunch of vendors that are providing these RPA solutions that, as I mentioned, are everywhere in the enterprise. Today, as you've kind of realized from the talks title, we're gonna focus on Microsoft, and you'll find out why in a moment, but actually everything that I'm gonna show you today
is not specific to Microsoft, it's actually a problem, it's actually inherent in the way that RPA works. So, RPA can take care of all of the malware ops that I just talked about for us. So command and control, exfiltrating data outside of the org,
avoiding defense, persistency, cleanup, but it also will be able to give us much more. So handling errors, everything that's related to kind of engineering, updating those agents, being able to support any type of platform,
those are all things that the RPA vendors will do for us. So this is the living of the land attack, and we're gonna live off the land of RPA and specifically Microsoft RPA to do what we wanna do. Here's our agenda for today. So we covered the motivation, next up we're gonna drill down a bit more into what RPA is all about.
We'll focus on, we'll do a deep dive and understand how it works, then I will shift gears and show you specifically how do you take RPA and leverage it to your own malware operation, and we'll introduce a tool that will allow you to do that quickly, and don't worry, we'll also send you home with kind of a few things you can do to remain protected or protect your organization.
Okay, so in order to understand what RPA is, let's start off with a story. When I was a teenager, my friends and I used to play in a game called Tibia. Who knows what Tibia is? Raise your hand.
Okay. That's a weird game, weird MMORPG from a long time ago, where basically you level up your character, you play with other players, and you collaborate, but a lot of the actual time that you spend on that game
is actually doing things like fishing. So you need to improve your fishing skills. In order to do that, you basically go to a pond, and then you need to click. So you click, and you get some fish, and you click, and you get more fish, and more fish, and this is basically transforming clicks
and virtual worms into virtual fish. This is important for the game, but it is extremely boring. So of course, as a teenager, I wanted to take advantage of this, I wanted to basically be better than my friends and impress them, so I tried to find a creative solution
for this to work better. I started off with physical automation. I actually looked for a picture of this. I couldn't find any picture. I'm not sure why somebody in my family didn't take the picture. As you can imagine, this didn't work. So the book would fall over. I would wake up in the morning,
and things were not as I expected. So I had to find a better solution. And I actually went with automation, which was basically, there was software that allowed me to basically record my keyboard and my mouse, and then replay them.
So I had this setup where I walk around the pond, and I click on a bunch of fish, and when I wake up in the morning, I'm leveled up. So this is what it looks like. And I think you're seeing it. And basically, this made me the hero of my friends. So this was my first, the first moment I got some love across, became a bit popular.
And this is funny, because this is actually the basis of RPA, so the same technology that I used as a kid, like 20 years ago, is being used in the enterprise today to do very serious things.
So RPA, as a quick recap, it's about replacing copy and paste integration. It's a drag and drop builder, you'll see it in a moment. And it's used, the people that are building these RPA bots, they can be in IT, but they can also be business users. It emulates the user's own actions,
so it operates as the user with their own identity. There's no way to distinguish those clearly. And it runs on the user's machines. And on the use cases side, enterprises are really using it for serious things. So customer services, financial services, on-boarding and off-boarding HR. So this is touching business sensitive data.
Now we understand what, now that we understand what RPA is, let's drill down technically into how it works, and how, and that would also kind of lead us in the way that we're looking for with our malware op. So we want to use RPA for the malware operation.
And this is where we're gonna actually focus on Microsoft, and this is why. So Microsoft has released an RPA agent called Power Automate Desktop, and it is now baked into every Windows 11 machine. And by baked in I mean that if you take a fresh Windows machine, you'll search for Power Automate, it'll be there. It's also trusted by DDR, and trusted
by other ADRs as well. So that's why we're going to focus on that on Microsoft today. Let's start from the user's perspective. So this is a fresh Windows machine, Windows 11 machine. Searching for Power Automate, I immediately find this executable.
Let's see if this works. Okay. Okay, it works. So what I'm showing you here is a quick video
that is me setting up my connection with that RPA service. The first thing that I'm doing is actually plugging in my Office account, and the crucial thing here is that I could plug in any Office account. So in this example, I created a new organization, you'll see that in a moment, and I'm plugging in my credentials with that organization.
Once I plug in those credentials, I get to this drag and drop builder with a bunch of operations that are available for me. And then I'm going to create an Hello World application that basically writes Hello World to a file on disk. The crucial thing here is that this thing is synced to Office Cloud.
And it's synced to my cloud because I just logged in with my account. And so you'll see in a moment when I kind of finish off with the demonstration here that there's a bunch, so we're seeing it now, there are a bunch of, basically bots or processes that are available for me to pick and choose from. Those are all things that I set up previously
in my Office account. So this is what you just saw, when you plug in your credentials, your Office credentials, to this Windows executable, you get all of the different payloads or processes that you have
created in Office. This is how it looks like from an architecture perspective, so on one side you have Power Automate, the RPA agent, and the other side you have Office. One sits in on-prem and another in cloud, and the reason that I'm focusing on that is that Microsoft, of course, has to be deployed everywhere in large organizations, so they
need to figure out how, I mean, how is this working? They haven't asked for permission from anybody, right, it's already there. So what we're going to figure out right now, technically, is how is this communicating? So we'll focus first on the left side, which is actually the local side. Power Automate is not one executable, there are a bunch of those, there's one service
that's called Power Automate, it runs on the user's own account, and there's another service account that's being created, that you can see here, that runs with an executable that's called Machine Runtime, and that will be the one that's actually in charge of communicating with Office Cloud, we'll see that in a moment.
There's also, Power Automate also allows you to automate the browser, so you can basically, so through an extension on all popular browsers, you can change what users are viewing on the browsers, and you can also kind of fetch all of the information that they have there, so we'll add that to our architecture as well, as you can see, there are kind of, there are these extensions across all of these different, all of the
different browsers, this is the, so what you're seeing here is actually that I've only talked about three executables out of about 20 that are built in to Windows 11, again, and you'll see that this is in a trusted, this is kind of in a trusted location,
so there are, there's plenty of opportunity to do more research here, so if you're looking for a challenge, I recommend checking this out. So let's switch to another direction and talk about the communication, so of course, network boundaries have been, I mean, people have been trying to maintain them
for a long time, and there's a really serious question we should ask ourselves here, which is how is Microsoft able to communicate with Office services without having some IT admin open up a port somewhere? The way that this is done is with a neat service called Azure Service Bus, it's used to be Azure Relay,
basically both sides are creating outbound communication, and so this is how the channel gets created, so the agent will reach out to Azure Service Bus every couple of minutes and ask for new tasks that it should pick up and use. Okay, so we're connected, we understand
how these things operate, we understand that it has components that run as the user and components that run as a service account. The crucial thing to note right here, because it's the last time I'm gonna say it, is that all of these things are trusted. The executables are trusted, the service accounts
are trusted, the cloud accounts are trusted, they are all in the allow list that you get by default. Once you plug in your machine, this is what you're seeing from the Office side, so Office provides you with kind of a nice way to view all of the machines that are connected to your cloud, you can also run things
on the laptop from the cloud. So you create some sort of a payload and you can execute it from the cloud on some machine, and then you get status, you can look at history, you can debug things, so all of the convenience layers that you need around it.
The last thing that I wanna cover in terms of architecture is how is trust being established, so it's not only about connection to the Azure Service Bus, actually there needs to be kind of a trusted communication between the two, so when you register your machine with Power Automate that you saw me do a few minutes ago,
there's a private key that's being created on your local machine and a public key on the cloud side, and it's being used to basically encrypt a message that sends two things to the machine through Azure Service Bus. The first thing is local credentials, so you can run those payloads with whichever local credentials you'd like on the machine,
and the second thing is an RPA task, which is the kind of the process that you would like to run. So again, in a summary, in a nutshell, this runs on the, this executes on the user's own, with the user's own credentials, and it constantly goes out to office
and asking whether there's something it needs to be running. So what we're gonna do right now is we're gonna switch gears up until now, it was kind of theoretical. We're gonna go to specifics of how you can use this setup to run your model operation with Power Automate,
Microsoft's RPA. So let's remember our wish list. These were the things that we wanted to accomplish when we started this conversation. So all of the things here that are around ops will go through each one and show how they can be done.
First up, we need a bit of setup. So what you need in order to use this is basically create, what I'm doing here is creating a new tenant within Microsoft, it's kind of a trial version, you don't need to plug in your credit cards, it won't cost you anything. I'm creating a new organization, and you can see that once it is created,
there's a guide here which points me to how do I create, how do I onboard new machines here. So we need to onboard victim machines into my malicious Microsoft account. You've seen me do this already in the demo, but this was done through UI, which is kind of not what we're after as hackers.
So the question is whether we can do it programmatically with some script. Fortunately, Microsoft has provided a script for us, again, signed already in your Windows machines. So you run this silent registration script,
and you provide it with your organization ID, and again, the crucial piece here, if you're thinking of detections as well, is that you can plug in any tenant ID here. So of course, I'm just saying, okay, this is my account, and I'm pointing this agent to my malicious office tenant.
Once I run this script, I go back to the list of machines, and the machine is already there, and you can see that I have the status of that machine, the version of the agent that's sitting here. So that's kind of cool. That's basically our way to onboard victims
to our malware operation. One thing that was problematic about what I just showed you is that this requires an admin privilege on the local side to do this onboarding, which makes this kind of boring, right? Fortunately, that's not really the case. So we didn't do anything special here.
We just tried. It worked, so why not? So you can just run this, and it will connect the victim's machine to your cloud. Once the victim machine is registered, here's what you need to do in order to run a payload from the cloud to the machine.
So you create this automation from the cloud side. You create a connection. Basically, you choose which machine you're going to run on. You choose the local credentials. We saw that this is part of the payload earlier. And you choose a specific payload that you would like to run. Of course, you can create new payloads
on your own machine and upload them to Windows. One thing that we need to figure out, because we need to provide a user account here, we need to figure out what happens if that user is already logged in to the local account. What would it do to the user session? So again, people have already fixed this problem for us.
RPA has two versions, attended RPA, which basically runs in parallel to a logged in user. This also means I can take charge of everything that the user is doing. I can open the browser and take their cookies. I can do everything that the user is doing. And on the other side is unattended RPA,
which basically creates a new session, runs the payload, and discards of the session. So we've seen a bunch of things. From our list of malware operations that we wanted to create, we know that we can deploy malware. We saw this with basically a silent registration.
We know that this avoids defense. Well, this was the premise. Everything here is trusted. And we know that you can maintain persistency because I didn't install anything on the laptop, right? I only used Microsoft's own executables. What we're gonna show next is how we'll accomplish all of the things that are left over.
Now, we've already kind of seen command and control, but we only saw specific payloads, so let's drill down into it some more. Okay, this is how we're gonna, now we're just gonna show what you can build with this RPA.
What can you actually do on the user's machine? So here's a very quick data exfil for you. This is an RPA flow that does the following. It gets as an input a file, a pass on the hard disk, and basically it reads the file, and it sends the file content as an output of that flow.
Again, this runs with Microsoft's executable. And the key thing that we need to think about is where is the output actually going? So it's going to Microsoft Cloud. I'm triggering it from Office. I'm logging into Office with my malicious account. I'm sending out this payload, and I get in response the content of the file.
So recalling the architecture that we saw earlier, let's figure out where does the data move to make sure that we don't get caught along the way. So this is the architecture that we saw, and these are the three steps that are actually happening. I'm building those instructions on my side,
on a malicious machine somewhere, and I'm uploading the instructions to Office Cloud. Then I'm sending the payload to the machine through the Microsoft trusted communication channel, and the output goes through that same channel. So again, completely undetected. So here's another example.
We're gonna, so this example goes through code execution. So we saw that you can run specific payloads, but actually I would like to be able to run everything that I want on that laptop. So again, fortunately, the RPA agent provides you with operations that allow you to execute actual code.
So command lines, PowerShell, Python, JavaScript. So here's a quick automation. I'm basically sending out a script, telling them which kind of script, how will it be executed, and then I'm exfiltrating outside the stdout and stdout.
Actually, the problem is that when I run this, it gets flagged by Microsoft ADL. Now why does it get flagged? I mean, it gets flagged because I run a command line. It doesn't really matter who created that command line.
The ADL is very focused on looking on those command lines that are actually running. So you can see that I basically went out of the trusted part. So there's the trusted part, the RPA agent, which is able to run some sort of code, like here's a piece of code, run it with this executable or that executable,
and there's the untrusted part, which is the command line. So the question becomes, what can we do only with this drag-and-drop primitive? So what kind of malware we can build only with no code? Actually, we can do a whole bunch of things. So these are all things that are provided by the RPA agent. Let me name some of them.
You can use the built-in encryption function to encrypt files. You can trigger HTTP calls. You can communicate with Active Directory and Windows services and processes. You can look at files and folders. You can automate the browser. You can take screenshots. You can automate the mouse and the keyboard. You can copy the clipboard. You get it, right? You can do basically everything.
So let's do a couple of things. Here's no code run somewhere for you. This one is, again, very simple. I'm iterating through the drive, through the local drive. I'm reading the file, encrypting that file
with the provided encryption function, and then stumping that file with, replacing it from the original. Here's how this gets triggered from the cloud side. So again, very simple. I'm saying, here's the directory I'd like to encrypt.
Here's the private key, and it will just go to the machine, send the payload, encrypt the file, and that's it. And I'm getting flashes here that I don't have a lot of time, so I'm gonna skip kind of through it. But as you can see, this is being triggered from the cloud side,
and when the task gets finished, and you saw that this already happened, I basically see it. I get the results on the cloud. And from the machine side, of course, the files are encrypted. The EDR didn't catch it. This is all being done by the Microsoft executable. Okay. Here's another one for you.
So we know that this agent is actually creating a whole bunch of logs, the agent that we're actually using. Because every time that it gets called, it writes what did it call, what exactly did it do. But again, looking at Microsoft documentation, we can figure out where these logs are being maintained,
and we can just go ahead and delete them. So here's a flow to do that. Okay. I'll finish off with one more. We talked about the browser, so here's a quick thing that we can do. We can open the browser. We can go to some endpoint
that we'd like to steal the user's token from, and we just plug in a JavaScript shell inside of that browser to basically take home the cookie. So there's a quick demo for that here. Not sure I have the time, but basically, it's really simple.
What this does is it opens up the browser, it goes to that location, and it just runs the JavaScript script that I've mentioned. And fortunately, there's a nice property here where you can open the browser in a minimized version, so the user won't notice.
Okay. So a quick recap on everything we did up until now. We saw how you can deploy malware, you can avoid detection, you can remain persistent. We saw how you can create command and control
through the Office Cloud. We saw exfiltration and cleanup. We actually wanted to show a bunch of other things, like keylogger and other things, but you can just play around with it, and I'm sure you'll find it nice. The one thing that I have left for you is how do you do all of that as part of your existing hours and hours, so you don't wanna be playing with UI
for Office and those things. So we've introduced this new tool for you. You can go ahead and use it right now. You'll have an address in a moment. Basically, we've covered a bunch of things for you, so we are handling errors, we are creating an HTTP endpoint on the malicious Office side,
which you can just call, and then you do something like you post, okay, here's the machine I'd like to run this payload on, here's the payload I'd like to run, here are some parameters, and you get back all of the outputs of that process, and all of the things that you saw here in the talk,
and other payloads as well, are available through that tool. So this is available right now. There's a convenience layer around it in Python. Let me quickly describe how it works. You create your Microsoft tenant. There are instructions on how to do that.
Again, no credit card, free of charge. You run a quick script for setting up the tenant. You register with your machines with Microsoft's executables, not mine, and then you use this nice Python script to do things like run ransomware, run specific commands, and please feel free to send out pull requests
with new payloads. So, we're about done. Let's do a quick recap. We saw what RPA is. We saw it's available on every major enterprise. Check it out back home, you'll see. It's already there. We saw how it works, and we saw how it can be used
to power a malware operation. We saw that you can use it with local primitives that basically allow you to do whatever you want. We saw Power Pawn, which is a new tool that you can use right now to play around with it, and to see how it works. The last thing I'm gonna do, and I'll do it very quickly, is leave you off with a few things you can do
to protect yourself, to protect your organization. So, here's one very, very obvious thing. Monitor these executables. So, as you can see, you need to make sure that, basically, the number one thing you need to make sure is that people are not registering those agents
to a tenant that is not your own. You can also review micro, this entire talk was focused on using the existing tools without talking about whether the organization itself is going to use it. So, your users might actually be using this. If they're using this, there are a bunch of issues
that can occur. If that's interesting for you, I have another talk here at four p.m., same room. So, if you're not tired of me yet, see you again. There are a bunch of information that you can use here to learn more, Microsoft documentation, there's an OWASP group that is focused on this area, and a bunch of blogs and content.
Thank you very much. Thank you.