Zenity
  • Videos: 31
  • Views: 35,287
Powerpwn: Internal Phishing
Set up an internal phishing application on a Microsoft-owned domain that automatically authenticates users as they browse to your link.
This capability was first presented at a DEFCON30 talk titled Low Code High Risk - Enterprise Domination via Low Code Abuse. For more information, check out the Git: github.com/mbrg/power-pwn/wiki/Modules:-Internal-phishing
Views: 6

Videos

Powerpwn: Install a Backdoor
10 views · 4 hours ago
Maintain persistence on Power Platform by installing an automation factory that creates, executes and deletes arbitrary commands. This capability was first presented at a DEFCON30 talk titled Low Code High Risk - Enterprise Domination via Low Code Abuse. For more information, check out the Git: github.com/mbrg/power-pwn/wiki/Modules:-Install-a-backdoor
Powerpwn: Copilot Dump
56 views · 4 hours ago
Explore Microsoft Copilot 365 to extract emails and their contents, enumerate and extract Sharepoint site content, and harvest credentials and passwords. For more information, check out the Git: github.com/mbrg/power-pwn/wiki/Modules:-Copilot-M365-‐-Dump
Powerpwn: powerdump
2 views · 4 hours ago
powerdump is a tool for exploring information in Microsoft PowerPlatform from a Red Team perspective. In short, this is what it does:
  • Generates access tokens for fetching available resources in Microsoft PowerApps.
  • Uses HTTP calls in Python to dump all available information in the Microsoft PowerPlatform into a local directory.
  • Generates access tokens for performing advanced actions on th...
Secure Enterprise Copilots and Low-Code Development with Zenity
109 views · 19 hours ago
Enterprises today are leveraging cutting edge technology like AI Agents and low-code development platforms to enable their business users like never before. These tools empower business users of all technical backgrounds to do things like query and access huge amounts of data, share files, and even build their own AI agents and apps. However, in placing the business user at the center of busine...
AI is here for business users. What does that mean for AppSec? Zenity @ ISS 2024
142 views · 21 days ago
At the 22nd Annual Information Security Summit in October '24, Zenity's Lead Solutions Engineer, Stephen Shanko, delivered a keynote that discussed how in a very short period of time, Generative AI has changed nearly every aspect of how business gets done. Gone are the days where you needed to have a coding background in order to create apps, automate processes, or reduce the need for manual ta...
Overpermissions in Salesforce Einstein
64 views · 1 month ago
Zenity Researchers discovered a setting in Salesforce Einstein that makes it so that bad actors can edit Copilot Topics that can result in data leakage, social engineering attacks, and more.
The Microsoft 365 Copilot Security Blueprint
274 views · 1 month ago
The rapid adoption of enterprise copilots, like the newly renamed and revamped Microsoft 365 Copilot, is revolutionizing how business gets done. As large enterprises rush to integrate and expand their M365 capabilities, they inadvertently create an entirely new attack vector, most notably promptware, which can lead to Remote Copilot Execution (RCE). Promptware operates within business applicat...
Webinar: The State of Enterprise Copilots and Low-Code Development
138 views · 2 months ago
In traditional application development, apps follow a structured software development lifecycle (SDLC) with continuous planning, design, implementation, measurement, and analysis. However, the rise of platforms like Microsoft Copilot, Power Platform, Salesforce, OpenAI, ServiceNow, Zapier, and UiPath is changing the landscape, putting business users at the forefront of software development for ...
AI and Low-Code / No-Code: Friends or Foes?
87 views · 2 months ago
As ChatGPT and Generative AI take the world by storm, the underlying reason is that people are always looking to leverage technology to maximize outputs, increase speed, and remove obstacles for end users. The same goes for low-code/no-code development, where businesses are enabling both professional and citizen developers to use visual interfaces and drag and drop templates to enable people fr...
Microsoft Copilot Studio: What to Know from a Security Perspective
259 views · 2 months ago
Microsoft introduced Copilot Studio at Ignite Conference 2023, which allows users to seamlessly integrate Generative AI Copilots into their applications through a no-code approach. This naturally opens up lots of new security risks. Zenity has become the first company to offer comprehensive support for securing and governing this groundbreaking tool, ensuring CISOs and security teams can naviga...
The Error Up There: Security Needed for Copilots
181 views · 2 months ago
Copilots aren’t just for aviation anymore; they are embedded into nearly every business and personal productivity tool out there today, be it Microsoft 365 or Power Platform. Microsoft Copilots help bring efficiency to the next level. The problem is, the things being built, designed, and sent are often insecure and need strong air traffic control to govern proper usage of these Copilots and pre...
From Ancient Greece to Now A History of the Democratization of Application Development and Security
18 views · 2 months ago
While application and software development hasn’t quite been going on since the rise of the Ancient Greeks, there is a long history that leads us to the present day of Gen AI, low-code/no-code tools, and more. With all this change, security teams are now at a crossroads between restricting the use of powerful Generative AI, low-code, and no-code platforms to allow anyone to possess developer-li...
Opening Up AI: CTOs on the Risks and Rewards of Enterprise Copilots (Part 2 of 2)
65 views · 2 months ago
In part 2 of their 2 part conversation, Michael Bargury, Zenity’s Co-Founder and CTO, and Ory Segal from Palo Alto Networks, CTO of the Prisma Cloud business unit, expand the dialogue to explain attack paths, methodologies, referencing the BlackHat 2024 research drops from Zenity's Labs Team, and charting a path forward for security teams to take an AppSec approach for enterprise copilots.
Opening Up AI: CTOs on the Risks and Rewards of Enterprise Copilots (Part 1 of 2)
185 views · 2 months ago
In part 1 of a 2 part conversation, Michael Bargury, Zenity’s Co-Founder and CTO, is joined by Ory Segal from Palo Alto Networks, CTO of the Prisma Cloud business unit, to discuss Gen AI, the security implications, what history can tell us about how we should be approaching security in this space, and lots more.
Living off Microsoft Copilot at BHUSA24: Sensitive data collection and exfiltration via Copilot
3K views · 3 months ago
Living off Microsoft Copilot at BHUSA24: Financial transaction hijacking with Copilot as an insider
4.8K views · 3 months ago
Living off Microsoft Copilot at BHUSA24: Copilot lures victims to a phishing site
2.3K views · 3 months ago
Living off Microsoft Copilot at BHUSA24: Automated spear phishing with powerpwn abusing Copilot
2K views · 3 months ago
Living off Microsoft Copilot at BHUSA24: Spear phishing with Copilot
4.1K views · 3 months ago
Living off Microsoft Copilot at BHUSA24: Abusing Copilot to bypass DLP
1.7K views · 3 months ago
Zenity Discovers Data Leakage in Power BI (Microsoft Fabric) Reports and Semantic Models
120 views · 4 months ago
Zenity Overview
13K views · 6 months ago
Data Leakage in Salesforce Development Platform
125 views · 7 months ago
Data Leakage to a Personal Account
54 views · 7 months ago
Supply Chain Risks in Low-Code Development
40 views · 7 months ago
6 Microsoft Copilot Studio Vulnerabilities in 4 Minutes
479 views · 11 months ago
Zenity 101
581 views · 1 year ago
AI and Low-Code/No-Code: Friends or Foes?
122 views · 1 year ago
The Risks of Low-Code Development and How To Prevent Them
151 views · 1 year ago

Comments

  • @LeftTheMatrix93 · 2 months ago

    I wonder if this is happening at my company. Constantly getting told by financial audit team that there are issues with my direct deposit and that I should check my bank account routing and account numbers. I show them it's the same and then I still get paid. It keeps happening every couple weeks. Nobody seems to care either. It's bizarre.

  • @aigriffin42604 · 2 months ago

    Copilot is my favorite!❤😁

  • @aigriffin42604 · 2 months ago

    Please have some text-to-speech audio!❤

  • @gizzycorgi · 2 months ago

    Excellent video! Microsoft needs to be more explicit about these credential sharing scenarios or else organizations will have a rough time protecting their data.

    • @ZenitySecurity · 2 months ago

      From our perspective, it's more about knowing which side of the shared responsibility model you sit on. Microsoft (and other AI vendors) are responsible for the platform / tool, but not the underlying data that it's grounded in, or how AI is used or processed by business users. This is where we come in!

  • @donatocapitella · 2 months ago

    4:42 - that's the perfect analogy, we're not trying to secure the cloud (that's what AWS/Azure/Google do), we're trying to secure what we build on top of it. Same for LLMs, we're trying to secure the applications! Well said!

    • @ZenitySecurity · 2 months ago

      Thanks for the feedback, and glad to hear the analogy landed! We see too many enterprises not fully grasping what piece of the puzzle they own, and there are always going to be vulnerabilities that hackers can exploit. It's all about managing risk, and taking an inside-out (i.e. AppSec) approach to this new world of AI!

  • @donatocapitella · 2 months ago

    Thanks for sharing this, amazing research and impactful results. We've been talking about the risks of LLM applications for a while and how indirect prompt injection is an unsolved challenge. It's really good to see this demonstrated in practice, in production, at scale. I like how you got around data exfiltration protections. Most applications now have learnt not to render markdown images and similar stuff in LLM outputs, but the idea of adding a reference is great. I saw another demo, maybe on Twitter, where you used the enterprise_search() tool to make the LLM search / access a URL, which is also a very creative way to exfiltrate data.