- 31
- 36 007
Zenity
เข้าร่วมเมื่อ 24 ส.ค. 2023
Powerpwn: Internal Phishing
Set up an internal phishing application on a Microsoft-owned domains which will automatically authenticate as users browse to your link.
This capability was first presented at a DEFCON30 talk titled Low Code High Risk - Enterprise Domination via Low Code Abuse. For more information, check out the Git: github.com/mbrg/power-pwn/wiki/Modules:-Internal-phishing
This capability was first presented at a DEFCON30 talk titled Low Code High Risk - Enterprise Domination via Low Code Abuse. For more information, check out the Git: github.com/mbrg/power-pwn/wiki/Modules:-Internal-phishing
มุมมอง: 22
วีดีโอ
Powerpwn: Install a Backdoor
มุมมอง 1914 วันที่ผ่านมา
Maintain persistency on Power Platform by installing an automation factory that creates, executes and deletes arbitrary commands. This capability was first presented at a DEFCON30 talk titled Low Code High Risk - Enterprise Domination via Low Code Abuse. For more information check out the Git: github.com/mbrg/power-pwn/wiki/Modules:-Install-a-backdoor
Powerpwn: Copilot Dump
มุมมอง 6814 วันที่ผ่านมา
Explore Microsoft Copilot 365 to extract emails and their contents, enumerate and extract Sharepoint site content, and harvest credentials and passwords For more information, check out the Git: github.com/mbrg/power-pwn/wiki/Modules:-Copilot-M365-‐-Dump
Powerpwn: powerdump
มุมมอง 6114 วันที่ผ่านมา
powerdump is a tool for exploring information in Microsoft PowerPlatform from a Red Team perspective. In short, this is what it does: - Generates access tokens for fetching available resources in Microsoft PowerApps. - Uses HTTP calls in Python to dump all available information in the Microsoft PowerPlatform into a local directory. - Generates access tokens for performing advanced actions on th...
Secure Enterprise Copilots and Low-Code Development with Zenity
มุมมอง 16514 วันที่ผ่านมา
Enterprises today are leveraging cutting edge technology like AI Agents and low-code development platforms to enable their business users like never before. These tools empower business users of all technical backgrounds to do things like query and access huge amounts of data, share files, and even build their own AI agents and apps. However, in placing the business user at the center of busine...
AI is here for business users. What does that mean for AppSec? Zenity @ ISS 2024
มุมมอง 173หลายเดือนก่อน
At the 22nd Annual Information Security Summit in October '24, Zenity's Lead Solutions Engineer, Stephen Shanko, delivered a keynote that discussed how in a very short period of time, Generative AI has changed nearly every aspect of how business gets done. Gone are the days where you needed to have a coding background in order to create apps, automate processes, or reduce the need for manual ta...
Overpermissions in Salesforce Einstein
มุมมอง 65หลายเดือนก่อน
Zenity Researchers discovered a setting in Salesforce Einstein that makes it so that bad actors can edit Copilot Topics that can result in data leakage, social engineering attacks, and more.
The Microsoft 365 Copilot Security Blueprint
มุมมอง 309หลายเดือนก่อน
The rapid adoption of enterprise copilots, like the newly renamed and revamped Microsoft 365 Copilot is revolutionizing how business gets done. As large enterprises rush to integrate and expand their M365 capabilities, they inadvertently create an entirely new attack vector, most notably - promptware, which can lead to Remote Copilot Execution (RCE). Promptware operates within business applicat...
Webinar: The State of Enterprise Copilots and Low-Code Development
มุมมอง 1422 หลายเดือนก่อน
In traditional application development, apps follow a structured software development lifecycle (SDLC) with continuous planning, design, implementation, measurement, and analysis. However, the rise of platforms like Microsoft Copilot, Power Platform, Salesforce, OpenAI, ServiceNow, Zapier, and UiPath is changing the landscape; putting business users at the forefront of software development for ...
AI and Low-Code / No-Code: Friends or Foes?
มุมมอง 903 หลายเดือนก่อน
As ChatGPT and Generative AI take the world by storm, the underlying reason is that people are always looking to leverage technology to maximize outputs, increase speed, and remove obstacles for end users. The same goes for low-code/no-code development, where businesses are enabling both professional and citizen developers to use visual interfaces and drag and drop templates to enable people fr...
Microsoft Copilot Studio: What to Know from a Security Perspective
มุมมอง 3093 หลายเดือนก่อน
Microsoft introduced Copilot Studio at Ignite Conference 2023, which allows users to seamlessly integrate Generative AI Copilots into their applications through a no-code approach. This naturally opens up lots of new security risks. Zenity has become the first company to offer comprehensive support for securing and governing this groundbreaking tool, ensuring CISOs and security teams can naviga...
The Error Up There: Security Needed for Copilots
มุมมอง 2003 หลายเดือนก่อน
Copilots aren’t just for aviation anymore; they are embedded into nearly every business and personal productivity tool out there today, be it Microsoft 365 or Power Platform. Microsoft Copilots help bring efficiency to the next level. The problem is, the things being built, designed, and sent are often insecure and need strong air traffic control to govern proper usage of these Copilots and pre...
From Ancient Greece to Now A History of the Democratization of Application Development and Security
มุมมอง 233 หลายเดือนก่อน
While application and software development hasn’t been going on since quite the rise of the Ancient Greeks, there is a long history that leads us to the present day of Gen AI, low-code/no-code tools, and more. With all this change, security teams are now at a crossroads between restricting the use of powerful Generative AI, low-code, and no-code platforms to allow anyone to possess developer-li...
Opening Up AI: CTOs on the Risks and Rewards of Enterprise Copilots (Part 2 of 2)
มุมมอง 673 หลายเดือนก่อน
In part 2 of their 2 part conversation, Michael Bargury, Zenity’s Co-Founder and CTO, and Ory Segal from Palo Alto Networks, CTO of the Prisma Cloud business unit, expand the dialogue to explain attack paths, methodologies, referencing the BlackHat 2024 research drops from Zenity's Labs Team, and charting a path forward for security teams to take an AppSec approach for enterprise copilots.
Opening Up AI: CTOs on the Risks and Rewards of Enterprise Copilots (Part 1 of 2)
มุมมอง 1923 หลายเดือนก่อน
In part 1 of a 2 part conversation, Michael Bargury, Zenity’s Co-Founder and CTO, is joined by Ory Segal from Palo Alto Networks, CTO of the Prisma Cloud business unit, to discuss Gen AI, the security implications, what history can tell us about how we should be approaching security in this space, and lots more
Living off Microsoft Copilot at BHUSA24: Sensitive data collection and exfiltration via Copilot
มุมมอง 3K3 หลายเดือนก่อน
Living off Microsoft Copilot at BHUSA24: Sensitive data collection and exfiltration via Copilot
Living off Microsoft Copilot at BHUSA24: Financial transaction hijacking with Copilot as an insider
มุมมอง 4.9K3 หลายเดือนก่อน
Living off Microsoft Copilot at BHUSA24: Financial transaction hijacking with Copilot as an insider
Living off Microsoft Copilot at BHUSA24: Copilot lures victims to a phishing site
มุมมอง 2.4K3 หลายเดือนก่อน
Living off Microsoft Copilot at BHUSA24: Copilot lures victims to a phishing site
Living off Microsoft Copilot at BHUSA24: Automated spear phishing with powerpwn abusing Copilot
มุมมอง 2.1K3 หลายเดือนก่อน
Living off Microsoft Copilot at BHUSA24: Automated spear phishing with powerpwn abusing Copilot
Living off Microsoft Copilot at BHUSA24: Spear phishing with Copilot
มุมมอง 4.2K3 หลายเดือนก่อน
Living off Microsoft Copilot at BHUSA24: Spear phishing with Copilot
Living off Microsoft Copilot at BHUSA24: Abusing Copilot to bypass DLP
มุมมอง 1.7K3 หลายเดือนก่อน
Living off Microsoft Copilot at BHUSA24: Abusing Copilot to bypass DLP
Zenity Discovers Data Leakage in Power BI (Microsoft Fabric) Reports and Semantic Models
มุมมอง 1245 หลายเดือนก่อน
Zenity Discovers Data Leakage in Power BI (Microsoft Fabric) Reports and Semantic Models
Data Leakage in Salesforce Development Platform
มุมมอง 1287 หลายเดือนก่อน
Data Leakage in Salesforce Development Platform
Supply Chain Risks in Low-Code Development
มุมมอง 417 หลายเดือนก่อน
Supply Chain Risks in Low-Code Development
6 Microsoft Copilot Studio Vulnerabilities in 4 Minutes
มุมมอง 48711 หลายเดือนก่อน
6 Microsoft Copilot Studio Vulnerabilities in 4 Minutes
AI and Low-Code/No-Code: Friends or Foes?
มุมมอง 122ปีที่แล้ว
AI and Low-Code/No-Code: Friends or Foes?
The Risks of Low-Code Development and How To Prevent Them
มุมมอง 159ปีที่แล้ว
The Risks of Low-Code Development and How To Prevent Them
I wonder if this is happening at my company. Constantly getting told by financial audit team that there are issues with my direct deposit and that I should check my bank account routing and account numbers. I show them it's the same and then I still get paid. It keeps happening every couple weeks. Nobody seems to care either. It's bizarre.
Copilot is my favorite!❤😁
Please have some text-to-speech audio!❤
Excellent video! Microsoft needs to be more explicit about these credential sharing scenarios or else organizations will have a rough time protecting their data.
From our perspective, it's more about knowing which side of the shared responsibility model you sit on. Microsoft (and other AI vendors) are responsible for the platform / tool, but not the underlying data that it's grounded in, or how AI is used or processed by business users. This is where we come in!
4:42 - that's the perfect analogy, we're not trying to secure the cloud (that's what AWS/Azure/Google do), we're trying to secure what we build on top of it. Same for LLMs, we're trying to secure the applications! Well said!
Thanks for the feedback, and glad to hear the analogy landed! We see too many enterprises not fully grasping what piece of the puzzle they own, and there are always going to be vulnerabilities that hackers can exploit. It's all about managing risk, and taking an inside-out (i.e. AppSec) approach to this new world of AI!
Thanks for sharing this, amazing research and impactful results. We've been talking about the risks of LLM applications for a while and how indirect prompt injection is an unsolved challenge. It's really good to see this demonstrated in practice, in production, at scale. I like how you got around data exfiltration protections. Most applications now have learnt not to render markdown images and similar stuff in LLM outputs, but the idea of adding a reference is great. I saw another demo, maybe on Twitter, where you used the enterprise_search() tool to make the LLM search / access a URL, which is also a very creative way to exfiltrate data.