Query Details

Detect Power Pwn (aka LOLCopilot) Red Team Tool

Query

// Detect Power Pwn (aka LOLCopilot) Red Team Tool

// Defender XDR custom detection; configure the rule's response action to isolate the device if it is caught running LOLCopilot 😉

// Run as a near-real-time (NRT) custom detection rule

DeviceNetworkEvents 
| where InitiatingProcessVersionInfoProductName == "Node.js"
| where RemoteUrl startswith "https://www.office.com" or 
RemoteUrl startswith "https://teams.microsoft.com"

// Sentinel detection on Entra ID sign-in logs for possible LOLCopilot usage from endpoints not onboarded to MDE

SigninLogs
| where TimeGenerated > ago(1h)
| where UserAgent contains "headless"

// Note: the sign-in detection stops working if the threat actor changes the setUserAgent value in the Power Pwn Puppeteer script

// Reference: https://www.wired.com/story/microsoft-copilot-phishing-data-extraction/

Explanation

This query is designed to detect use of the Red Team tool Power Pwn (also known as LOLCopilot) and to trigger a response when it is found. Power Pwn drives the Copilot web interface with a Puppeteer script, and Puppeteer runs under Node.js, which is what both detections key on. Here's a summary:

  1. Detection in Near Real-Time (NRT):

    • The query looks for network events on devices where the initiating process reports the product name "Node.js" (the `==` comparison in KQL is case-sensitive, so the value must match exactly).
    • It specifically checks whether the remote URL starts with "https://www.office.com" or "https://teams.microsoft.com", the portals the tool connects to.
    • Caveat: any Node.js process that reaches those hosts will match, so expect to tune this against developer tooling in your environment. Also, RemoteUrl in DeviceNetworkEvents is often recorded as the bare FQDN rather than a full URL; a prefix match on "https://" will miss those rows, so matching on the hostname instead is more robust.
  2. Isolation of Machine:

    • Isolation is not part of the query itself. It is the response action configured on the Defender XDR custom detection rule, so a device that matches is isolated automatically.
  3. Sentinel Detection on Entra Sign-in Logs:

    • The query checks sign-in logs from the past hour, matching the NRT cadence.
    • It looks for user agents containing "headless". Puppeteer's default user agent advertises "HeadlessChrome", and KQL `contains` is case-insensitive, so "headless" matches it. This is meant to catch LOLCopilot use from endpoints not protected by Microsoft Defender for Endpoint (MDE), where no DeviceNetworkEvents are available.
  4. Note:

    • The sign-in detection fails if the threat actor changes the user agent string via setUserAgent in the Power Pwn Puppeteer script; treat it as a low-effort catch for unmodified copies of the tool, not as a durable signal.
  5. Reference:

    • The query is based on information from a Wired article about Microsoft Copilot phishing and data extraction.

In essence, this query helps identify and respond to potential malicious activity involving LOLCopilot by monitoring specific network events and sign-in logs.
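To make the matching semantics concrete, here is an added example (not from the original page and not part of the Power Pwn project) that re-implements the two KQL filters in Python and runs them over constructed sample rows. The rows, device names, user principal names and the fixed "now" timestamp are all assumptions made up for illustration; the field names follow the DeviceNetworkEvents and SigninLogs schemas. It also shows the hostname-based variant of the network check, which catches rows where RemoteUrl is a bare FQDN.

```python
"""Added example (not from the original page or the Power Pwn project): a small
Python re-implementation of the two KQL filters, run over constructed sample rows.

KQL string semantics mirrored here: `==` is case-sensitive; `startswith` and
`contains` are case-insensitive (the `_cs` forms are case-sensitive).
"""
from datetime import datetime, timedelta, timezone

# Assumed "now" so that ago(1h) is deterministic in this example.
NOW = datetime(2024, 8, 12, 12, 0, tzinfo=timezone.utc)

# Constructed DeviceNetworkEvents rows (not real telemetry).
DEVICE_NETWORK_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessVersionInfoProductName": "Node.js",
     "RemoteUrl": "https://www.office.com/"},
    {"DeviceName": "ws02", "InitiatingProcessVersionInfoProductName": "Node.js",
     "RemoteUrl": "teams.microsoft.com"},            # bare FQDN, no scheme
    {"DeviceName": "ws03", "InitiatingProcessVersionInfoProductName": "Google Chrome",
     "RemoteUrl": "https://www.office.com/"},        # browser, not Node.js
    {"DeviceName": "ws04", "InitiatingProcessVersionInfoProductName": "Node.js",
     "RemoteUrl": "https://registry.npmjs.org/"},    # Node.js but unrelated host
]

# Constructed SigninLogs rows (not real telemetry).
SIGNIN_LOGS = [
    {"TimeGenerated": NOW - timedelta(minutes=5), "UserPrincipalName": "alice@example.com",
     "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "HeadlessChrome/127.0.0.0 Safari/537.36"},
    {"TimeGenerated": NOW - timedelta(hours=3), "UserPrincipalName": "bob@example.com",
     "UserAgent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/127.0.0.0 Safari/537.36"},  # outside ago(1h)
    {"TimeGenerated": NOW - timedelta(minutes=1), "UserPrincipalName": "carol@example.com",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0.0.0 Safari/537.36"},
]

PORTAL_HOSTS = ("www.office.com", "teams.microsoft.com")


def kql_startswith(value: str, prefix: str) -> bool:
    """KQL `startswith` (case-insensitive)."""
    return value.lower().startswith(prefix.lower())


def kql_contains(value: str, needle: str) -> bool:
    """KQL `contains` (case-insensitive)."""
    return needle.lower() in value.lower()


def host_of(remote_url: str) -> str:
    """Hostname of a RemoteUrl value, whether it is a full URL or a bare FQDN."""
    rest = remote_url.split("://", 1)[1] if "://" in remote_url else remote_url
    return rest.split("/", 1)[0].lower()


def detect_node_to_copilot_portals(events, strict_scheme: bool = True):
    """Mirror of the DeviceNetworkEvents query; returns matching DeviceNames.

    strict_scheme=True reproduces the page's `RemoteUrl startswith "https://..."`
    clauses. strict_scheme=False matches on the hostname instead, which also
    catches rows where RemoteUrl was recorded as a bare FQDN.
    """
    hits = []
    for e in events:
        if e["InitiatingProcessVersionInfoProductName"] != "Node.js":  # `==` is case-sensitive
            continue
        if strict_scheme:
            matched = any(kql_startswith(e["RemoteUrl"], "https://" + h) for h in PORTAL_HOSTS)
        else:
            matched = host_of(e["RemoteUrl"]) in PORTAL_HOSTS
        if matched:
            hits.append(e["DeviceName"])
    return hits


def detect_headless_signins(logs, now=NOW, window=timedelta(hours=1)):
    """Mirror of the SigninLogs query: TimeGenerated > ago(1h), UserAgent contains "headless"."""
    return [r["UserPrincipalName"] for r in logs
            if r["TimeGenerated"] > now - window and kql_contains(r["UserAgent"], "headless")]


if __name__ == "__main__":
    print(detect_node_to_copilot_portals(DEVICE_NETWORK_EVENTS))                       # ['ws01']
    print(detect_node_to_copilot_portals(DEVICE_NETWORK_EVENTS, strict_scheme=False))  # ['ws01', 'ws02']
    print(detect_headless_signins(SIGNIN_LOGS))                                       # ['alice@example.com']
```

The strict run reproduces the page's query and misses ws02, whose RemoteUrl carries no scheme; the hostname-based run catches it. The sign-in check matches alice because "headless" is compared case-insensitively against "HeadlessChrome", and drops bob only because his sign-in falls outside the one-hour window.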

Details


Steven Lim

Released: August 12, 2024

Tables

DeviceNetworkEvents, SigninLogs

Keywords

DeviceNetworkEvents, SigninLogs

Operators

==, startswith, or, >, ago, contains
