```
├── .gitignore
├── No_Code_Malware
│   ├── Michael_Bargury_No_Code_Malware.pdf
│   └── readme.md
├── Low_Code_High_Risk
│   ├── Michael_Bargury_Low_Code_High_Risk.pdf
│   └── readme.md
├── license
└── readme.md
```

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------

.idea/

--------------------------------------------------------------------------------
/No_Code_Malware/Michael_Bargury_No_Code_Malware.pdf:
--------------------------------------------------------------------------------

https://raw.githubusercontent.com/mbrg/defcon30/HEAD/No_Code_Malware/Michael_Bargury_No_Code_Malware.pdf

--------------------------------------------------------------------------------
/Low_Code_High_Risk/Michael_Bargury_Low_Code_High_Risk.pdf:
--------------------------------------------------------------------------------

https://raw.githubusercontent.com/mbrg/defcon30/HEAD/Low_Code_High_Risk/Michael_Bargury_Low_Code_High_Risk.pdf

--------------------------------------------------------------------------------
/license:
--------------------------------------------------------------------------------

MIT License

Copyright (c) 2022 Michael Bargury

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------

# DEFCON30 Talk Materials

[![stars](https://img.shields.io/github/stars/mbrg?icon=github&style=social)](https://github.com/mbrg)
[![twitter](https://img.shields.io/twitter/follow/mbrg0?icon=twitter&style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=mbrg0)
[![email me](https://img.shields.io/badge/michael.bargury-owasp.org-red?logo=Gmail)](mailto:michael.bargury@owasp.org)

Welcome!

In this repo you'll find talk materials for:

- [No-Code Malware: Windows 11 At Your Service](No_Code_Malware/)
- [Low Code High Risk: Enterprise Domination via Low Code Abuse](Low_Code_High_Risk/)

Quick tool access:

[![stars](https://img.shields.io/github/stars/mbrg/power-pwn?icon=github&style=social)](https://github.com/mbrg/power-pwn) [Power-pwn](https://github.com/mbrg/power-pwn) - repurpose Microsoft-trusted executables, service accounts and cloud services to power a malware operation

[![stars](https://img.shields.io/github/stars/mbrg/powerful?icon=github&style=social)](https://github.com/mbrg/powerful) [Powerful](https://github.com/mbrg/powerful) - install a backdoor on O365 Power Platform that enables creating, triggering and deleting any arbitrary automation

[![stars](https://img.shields.io/github/stars/mbrg/zapcreds?icon=github&style=social)](https://github.com/mbrg/zapcreds) [ZapCreds](https://github.com/mbrg/zapcreds) - scan Zapier for shared credentials ready for exploitation

What you'll find here:

- [x] Recommended pre-reading for both talks

- [x] Talk abstracts

- [x] Contact details

- [x] Links to demos on YouTube, articles and references

- [x] Source code for everything

- [x] The slides

- [x] Video recordings

Stay tuned. Enjoy!

--------------------------------------------------------------------------------
/No_Code_Malware/readme.md:
--------------------------------------------------------------------------------

# No-Code Malware: Windows 11 At Your Service

[View on DEFCON30 agenda](https://info.defcon.org/events/48560/)

## Abstract

Windows 11 ships with a nifty feature called Power Automate, which lets users automate mundane processes. In a nutshell, users build custom processes and hand them to Microsoft, which in turn distributes them to user machines or the Office cloud, makes sure they execute, and reports the results back to the cloud. You can probably already see where this is going.

In this presentation, we will show how Power Automate can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data, all while using nothing but Windows built-in, signed executables and Office cloud services.

We will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how it is enabled by default and can be used without explicit user consent. We will also point out a few promising future research directions for the community to pursue.

Finally, we will share an open-source command line tool that accomplishes all of the above, so you can add it to your Red Team arsenal and try out your own ideas.

## Recommended pre-reading materials

- [Living-off-the-land of Office365](https://www.vectra.ai/blogpost/o365-security-powerautomate-is-the-new-powershell)

- [What is RPA](https://powerautomate.microsoft.com/en-us/what-is-rpa/)

### Tools and Demos

- [Power-pwn](https://github.com/mbrg/power-pwn) - install a backdoor on Power Platform that enables creating, triggering and deleting any arbitrary flow

- [Set up Power Automate Desktop demo, YouTube](https://youtu.be/Kik9oXu_-bI)

- [No Code Ransomware demo, YouTube](https://youtu.be/YDull-krSJI)

- [Machine to browser local demo, YouTube](https://youtu.be/lY_RzV-4BdI)

- [Machine to browser cloud demo, YouTube](https://youtu.be/zlF7np18oGI)

### Articles

- [Low-Code / No-Code Security, Dark Reading](https://www.darkreading.com/author/michael-bargury)

- [Power Automate Management, Microsoft Docs](https://docs.microsoft.com/en-us/connectors/flowmanagement/)

- [Silently register a new machine, Microsoft Docs](https://docs.microsoft.com/en-us/power-automate/desktop-flows/machines-silent-registration#silently-register-a-new-machine)

- [Power Automate and Windows 11, Microsoft Docs](https://powerautomate.microsoft.com/en-us/power-automate-and-windows-11/)

- [Use browsers and manage extensions, Microsoft Docs](https://docs.microsoft.com/en-in/power-automate/desktop-flows/using-browsers)

- [RPA Architecture, T-Plan](https://www.t-plan.com/rpa-architecture/)

## Talk materials

- [Slides](Michael_Bargury_No_Code_Malware.pdf)

- [Video](https://www.youtube.com/watch?v=e8PEIOa6W9M)

--------------------------------------------------------------------------------
/Low_Code_High_Risk/readme.md:
--------------------------------------------------------------------------------

# Low Code High Risk: Enterprise Domination via Low Code Abuse

[View on DEFCON30 agenda](https://info.defcon.org/events/48565/)

## Abstract

Why focus on heavily guarded crown jewels when you can dominate an organization through its shadow IT?

Low-code applications have become a reality in the enterprise, with surveys showing that most enterprise apps are now built outside of IT, with weak security practices. Unsurprisingly, attackers have figured out ways to leverage these platforms for their gain.

In this talk, we demonstrate a host of attack techniques found in the wild, where enterprise no-code platforms are leveraged and abused for every step of the cyber kill chain. You will learn how attackers perform an account takeover by making the user simply click a link, move laterally and escalate privileges with zero network traffic, leave behind an untraceable backdoor, and automate data exfiltration, to name a few capabilities. All capabilities will be demonstrated with PoCs, and their source code will be shared.

Finally, we will introduce an open-source recon tool that identifies opportunities for lateral movement and privilege escalation through low-code platforms.

## Recommended pre-reading materials

- [Store by Zapier vulnerability](https://www.volkis.com.au/blog/security-design-flaw-in-storage-by-zapier/)

- [Power Platform data leakage](https://www.upguard.com/breaches/power-apps)

- [Living-off-the-land of Office365](https://www.vectra.ai/blogpost/o365-security-powerautomate-is-the-new-powershell)

- [Gaining persistency on AWS Lambda](https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/)

## Mentioned in the talk

### Tools and Demos

- [ZapCreds](https://github.com/mbrg/zapcreds) - scan Zapier for shared credentials ready for exploitation

- [Powerful](https://github.com/mbrg/powerful) - install a backdoor on Power Platform that enables creating, triggering and deleting any arbitrary flow

- [Power Platform account takeover demo, YouTube](https://youtu.be/vJZpNJRC_10)

### Articles

- [Low-Code / No-Code Security, Dark Reading](https://www.darkreading.com/author/michael-bargury)

- [Hackers Abuse Low-Code Platforms And Turn Them Against Their Owners, Zenity blog](https://www.zenity.io/blog/hackers-abuse-low-code-platforms-and-turn-them-against-their-owners/)

- [The Microsoft Power Apps Portal Data Leak Revisited: Are You Safe Now?, Zenity blog](https://www.zenity.io/blog/the-microsoft-power-apps-portal-data-leak-revisited-are-you-safe-now/)

- [Zapier Storage Exposes Sensitive Customer Data Due to Poor User Choices, Zenity blog](https://www.zenity.io/blog/zapier-storage-exposes-sensitive-customer-data-due-to-poor-user-choices/)

- [Connectors overview, Microsoft Docs](https://docs.microsoft.com/en-us/connectors/connectors)

- [Set-AdminPowerAppApisToBypassConsent, Microsoft Docs](https://docs.microsoft.com/en-us/powershell/module/microsoft.powerapps.administration.powershell/set-adminpowerappapistobypassconsent)

- [Power Automate Management, Microsoft Docs](https://docs.microsoft.com/en-us/connectors/flowmanagement/)

## Talk materials

- [Slides](Michael_Bargury_Low_Code_High_Risk.pdf)

- [Video](https://www.youtube.com/watch?v=D3A62Rzozq4&t=1007s)

--------------------------------------------------------------------------------
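### Added defensive check

The two Microsoft Docs references above point at the tenant-side primitives a backdoor built on Power Platform leans on: the Power Automate Management connector lets a flow create, trigger and delete other flows, and `Set-AdminPowerAppApisToBypassConsent` removes the consent prompt that would otherwise warn a user about an app's connections. The script below is an added audit example for this page, not code from the talks or from the Powerful/Power-pwn/ZapCreds tools. It uses the Microsoft.PowerApps.Administration.PowerShell module to list connections to that connector and apps with consent bypass enabled. The connector's internal name `shared_flowmanagement`, the `Internal.properties.bypassConsent` property path on the app object, and the `.email` fields on the owner objects are assumptions about the admin API's JSON shape, not facts taken from this page.

```powershell
# Added audit example, not part of the DEFCON30 talk materials.
# Requires: Install-Module Microsoft.PowerApps.Administration.PowerShell
# and an account with Power Platform admin rights.
Add-PowerAppsAccount

# Assumption: the Power Automate Management connector's internal name is
# 'shared_flowmanagement' (matches the connector docs URL path above).
$FlowMgmtConnector = 'shared_flowmanagement'

$findings = foreach ($env in Get-AdminPowerAppEnvironment) {

    # 1. Connections to the flow-management connector. Any flow holding one of
    #    these can create, trigger or delete other flows in the environment,
    #    so each connection should map to a known, admin-owned automation.
    Get-AdminPowerAppConnection -EnvironmentName $env.EnvironmentName -ConnectorName $FlowMgmtConnector |
        ForEach-Object {
            [pscustomobject]@{
                Environment = $env.DisplayName
                Type        = 'FlowManagementConnection'
                Name        = $_.ConnectionName
                Owner       = $_.CreatedBy.email      # assumption: CreatedBy carries an email field
                Created     = $_.CreatedTime
            }
        }

    # 2. Apps whose API consent prompt has been bypassed. Assumption: the flag
    #    is exposed as Internal.properties.bypassConsent on the app object.
    Get-AdminPowerApp -EnvironmentName $env.EnvironmentName |
        Where-Object { $_.Internal.properties.bypassConsent -eq $true } |
        ForEach-Object {
            [pscustomobject]@{
                Environment = $env.DisplayName
                Type        = 'AppBypassesConsent'
                Name        = $_.DisplayName
                Owner       = $_.Owner.email          # assumption: Owner carries an email field
                Created     = $_.CreatedTime
            }
        }
}

$findings | Sort-Object Environment, Type | Format-Table -AutoSize

# Once a finding has been reviewed, the consent bypass on a specific app can be
# reverted with the documented counterpart cmdlet:
#   Clear-AdminPowerAppApisToBypassConsent -AppName <app id> -EnvironmentName <environment id>
```

The script is read-only apart from the commented-out `Clear-...` call, so it can run on a schedule; the useful signal is any finding whose owner is not an administrator, or whose creation time does not match a change you know about.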