Hi, this is Hada. On November 3rd, I gave a presentation titled "Power Automate C2" at AVTokyo 2022 Day2. Power Automate is a powerful platform to automate repetitive tasks using a lot of services on Microsoft 365. Microsoft prepares several connectors to simplify daily work. There are a lot of Power Automate users because they can make flows with no-code. On the other hand, attackers abuse it as VECTRA reported. Reviewing some Power Automate connectors, I found some attack cases abusing them. I introduced the concept and did easy demo in the presentation.
(By the way, I couldn't be there that day, so I just showed the movie for this presentation. It’s a really pity that I was not there, but in the next year I'll be there and give a presentation. So, I'm trying to get a new topic.)
Restriction of Power Automate
I assume that an attacker has already been able to login to Power Automate with a victim user's account. At this point, the attacker can make a flow to send newly arrival mails and shared files to external. The execution logs of this flow leave after 28 days. However, the logs will be deleted immediately if the flow itself is deleted. For example, the attacker needs to delete a flow before the legitimate user realizes it, if they don't want to be in the situation that the user finds the detail of sending information to the external.
Here is an example of the detailed logs and the execution result of the flow within 28 days:
We assume that the user hasn’t known yet that the intrusion is under way at that moment, and they changed the password by chance because of the password changing policy for example. The attacker can't delete the flow and create a new flow because they will not be able to login to Power Automate again.
About Power Automate C2
I found that Power Automate Management, which is a connector provided by Power Automate, can avoid this restriction. Power Automate Management is a connector to manage Power Automate flows, and it can control them (creating, deleting, etc.). Those flows are defined as JSON format.
By leveraging Power Automate Management, one can send JSON from remote and create a new flow included in its payload, then delete the flow after execution. Attackers can abuse this specification to execute malicious flow and erase its trace as soon as the execution is completed. I named this attack as "Power Automate C2" because this behavior seems to run like C2 malware on Power Automate.
The attack flow is as follows:
1. Attacker has already got an access to Power Automate and create a malicious flow.
2. A victim user, who doesn't know that they've been already intruded, changes the password by chance.
3. The attacker continues accessing to Power Automate via C2 and creates and executes arbitrary flows.
4. When the attacker accomplishes their object, they delete flow and traces such as logs.
Demo Scenario and Result
I used Dropbox as a C2 server in the demo. Any connectors, which sends and receives data to external, can be a C2 server. However, I used a general connector, because "HTTP Action" connector needs a premium license, because it depends on the intruded user's environment whether it can be used or not.
As shown follows, the attacker's Dropbox account contained "c2payload.txt" and "result.txt". "c2payload.txt" is a JSON file written the flow information. A file "result.txt" receives the execution results, and it is an empty file initially.
The attacker accessed to Power Automate and created an initial flow. The flow can be created manually or by importing a zip file packaged in advance.
The initial flow consists of simple operations, downloading JSON (c2payload.txt) from the C2 server, creating a flow Power Automate Management, and deleting itself.
The flow generated by c2payload.txt was as the following image. The flow on the left is a payload prepared by the attacker. (Extracting messages from Teams and uploading them to Dropbox). The flow on the right is to call the next payload and this is same as the initial flow. This flow waits to get the next command every minute using "wait" command.
You can see two newly generated flows in addition to the initial flow on the flow list. Every minutes, the most recent flow generates a new flow and deletes oneself. (The initial flow is left for debugging purpose, which should have been deleted).
When I checked the execution log of the generated flow, the following flow information was logged with JSON format as an execution result of Power Automate Management. You can realize that this is the payload prepared by the attacker if you find it. However, this execution log will be deleted a minute later with deleting the flow.
Finally, the attacker will send the payload only to delete the flow itself after accomplishing their goal. This can hide all the flow execution logs from the victim user.
Checking flow frequently and preventing Power Automate against intrusion were the only solution when I presented it. However, @defenceability told me a mitigation not to use Power Automate Management by creating DLP policy (Thank you so much!). This is an effective mitigation if you don't use Power Automate Management.
The Power Automate keeps enabling the connectors that has already been authenticated after changing the password. Changing this specification seems to be difficult considering the function of SSO, negative impact on convenience of users utilizing a volume of flows or connectors and their operations.
In this demo, I aimed at completing the attacker's control only in cloud environment, therefore I didn't use Desktop Flow to execute client-side. That's why I didn't use some functions prepared for Desktop Flow (suppression, encryption, etc.).
This presentation was the introduction of the concept. Therefore, I just built the C2 server manually (replacing c2payload.txt, collecting result.txt, etc.). However, it's possible to be automated.
In this presentation, I introduced Power Automate C2 that is a technique to receive a flow from a C2 server and execute it.