Query Details

Detect Power Pwn Aka LOL Copilot Red Team Tool

Query

// Detect Power Pwn (aka LOLCopilot) Red Team Tool 

// DefenderXDR custom detection and isolation of machine if caught running LOLCopilot 😉

// Running at NRT (near-realtime)

DeviceNetworkEvents 
| where InitiatingProcessVersionInfoProductName == "Node.js"
| where RemoteUrl startswith "https://www.office.com" or 
RemoteUrl startswith "https://teams.microsoft.com"

// Sentinel detection on Entra Signin for possible LOLCopilot usage on non MDE endpoints

SigninLogs
| where TimeGenerated > ago(1h)
| where UserAgent contains "headless"

// Note: The above will no longer work if threat actor changes the Power Pwn Puppeteer script's setUserAgent value 

// Reference: https://www.wired.com/story/microsoft-copilot-phishing-data-extraction/

// MITRE ATT&CK Mapping

// T1071.001 - Application Layer Protocol: Web Protocols: This technique involves using web protocols for command and control communication1.
// T1105 - Ingress Tool Transfer: This technique involves transferring tools or files from an external system into a compromised environment2.

// T1078 - Valid Accounts: This technique involves the use of valid accounts to gain access to systems3.
// T1202 - Indirect Command Execution: This technique involves executing commands through a legitimate interface, such as a headless browser4.

Explanation

This query is designed to detect the use of a tool called Power Pwn (also known as LOLCopilot), which is used by Red Teams for testing security. The query is part of a custom detection system in DefenderXDR that can isolate a machine if it detects LOLCopilot running. It operates in near-real-time.

  1. DeviceNetworkEvents: This part of the query checks for network events where the initiating process is Node.js and the remote URL starts with "https://www.office.com" or "https://teams.microsoft.com". This is to identify suspicious activity that might be associated with LOLCopilot.

  2. SigninLogs: This section looks at sign-in logs from the past hour to find entries where the user agent string contains "headless". This could indicate the use of a headless browser, which is often used for automated tasks like those performed by LOLCopilot.

The query notes that if the threat actor changes the user agent string in the Power Pwn Puppeteer script, this detection method may no longer be effective.

The query also references a Wired article for more context and maps the detection techniques to the MITRE ATT&CK framework, highlighting specific techniques used by attackers:

  • T1071.001: Using web protocols for command and control communication.
  • T1105: Transferring tools or files into a compromised environment.
  • T1078: Using valid accounts to gain access to systems.
  • T1202: Executing commands through a legitimate interface, such as a headless browser.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

DeviceNetworkEventsSigninLogs

Keywords

DeviceNetworkEventsSigninLogsUserAgentRemoteUrlTimeGeneratedNodeJsOfficeTeamsMicrosoftEntraMDEEndpointThreatActorPowerPwnPuppeteerScriptMITREATT&CKApplicationLayerProtocolWebProtocolsIngressToolTransferValidAccountsIndirectCommandExecution

Operators

DeviceNetworkEvents|where==startswithorSigninLogs>agocontains

MITRE Techniques

Actions

GitHub