Wolves in Windows Clothing: Weaponizing Trusted Services for Stealthy Malware

hi everyone my name is Michael buery and I'm be I'll be uh this talk is going to be interesting because let me kind of share briefly what we're going to do we're going to show you how you can take trusted executables that are baked into Windows uh service accounts that are baked into windows and services that are part of the window of the office Cloud to operate your own malware all right so that's the promise uh let's see how it goes so briefly about me uh I've been kind focused on this area of you'll see in a moment but no code low code and the kind of things that business users are building for a long time now uh and I

founded a company that's focused on this area if you're interested if you're looking for something interesting to do reach out to me afterwards there's plenty of research we put out there uh so please check us out all right so the what I'm going to do in this talk is to try and get from initial access to a full uh operational uh malware now one thing that's so so two things are important to note here from the get go one is that I assume initial access okay that's the that's the start point I have access I have the ability to run code on somebody's a Windows machine and then I want to operate I want to create a malware

operation on top of it and let's just try to make sure we all understand we we're in the same page of what what do I mean by that so you have initial access to a victim machine which is great right you're like you won right um so actually no there are a few things in the real world that would that would stop you from actually doing anything with it right this uh this might be behind a firewall with an EDR uh in in in a corporate environment things are are difficult so you have initial access you need to be able to actually run malware on that machine right you need to be able to Comm to do command and

controls through Network parameters you need to be able to exfiltrate data back uh you need to to avoid defense as well while you're doing all of that and you need to persist in in case somebody tries to boot you off the machine and so there are plenty of things that you still need to do after initial access and when you think about this this this list of things these are mostly Grant work right this is not hacking this is mostly engineering there's a lot of operation involved which is great but as hackers we want to focus on what we care about we care about hacking so all of this thing right now we want somebody

else to take care of this for us now in today's world there's pretty much a SAS for everything right so what if we had a SAS that would solve this thing for us that wouldn't be nice that that would be probably pretty good uh so um let me introduce you to RPA Robo robotic process automation I'm not sure how many of you have heard of this but this is a technology that's meant to uh help business users automate their processes or help people automate processes and the way it works it has three separate components there's an agent running on on people's machines laptops um workstations as well there's a controller so something that can reach

out through the network to your machine and run something there and there's a cloud endpoint that allows you to manage all of that now the crucial thing about RPA is that it's trusted all of these things are trusted and what do I mean by trusted I mean that your EDR will will already have incl uh inclusion rules for all of these Services right so it would ignore everything here uh which is pretty great so RPA is what we're going to use here because it's it seems like this is the service we want right it's like a remote remote code execution as a service which is awesome this is what we're going to use and so one thing

that's important to not is that RPA is really anywhere I I put here like the the main RPA vendors uh that are out there but in in any major Enterprise you'll find at least one of them and I'm going to pick on Microsoft in this talk uh because I mean why not it's it's kind of uh the thing that we're doing but um but but this is actually a problem with RPA as a whole like with with this type of of of thing you'll see in a moment why I I focus specifically on Microsoft um and so RPA is going to take care of everything for us so everything we we wanted earlier command and control

exfiltration uh avoiding defenses persistency clean up but it's also going to do a whole bunch of more things because when you build a malware you need to think about the different 's that you want to support you you need to be able to handle errors you need to be able to do retries updates all these things are taken care of for us which is nice right it's it's really like a built for our purposes so this is what we're going to uh um how LPA is going to help us um and so just a kind of a a quick understanding of what RPA is the idea is to replace the copy paste uh uh copy

paste integration that business users are building are doing so like if you want to move a file from one place to another people have been doing that for ages we've been trying to tackle it with DLP and all sort of solutions that didn't really kind of uh solve the problem this is an attempt to automate that process and the key feature about RPA is that it works as the user on the same session as the user so it imp personaliz the user by design it means that it can operate in Tangent with the user so the user is interacting with things on their computer and in the same time the bot is interacting with those

same things with those same same same credentials same permissions everything is is is the same right so it's very difficult to distinguish what an RPA agent does on a user's behalf and what a a user does all right and it can run on users machines it can also run on dedicated servers to do some more heavy lifting because people are also using RPA for like heavy Enterprise processes uh and and use cases I mean there are there are many of them like C onboarding and offboarding uh Financial uh financial management reporting there are plenty of use cases for automation uh this specific automation again is the the number one thing about it is because it emulates the user it's able to uh

integrate with things that don't have a proper API so if you have a legacy system that doesn't speak to anything else like I don't know a healthcare system that people are plugging in data from that system to some other system so RPA could help you there but again it also means that you're operating as the user inside of the user context and so here's what we're going to do today we're going to start we just covered uh the motiv like what are we actually going to achieve him here uh we also talked about what I'm going to kind of briefly show you an example of what RPA is so we all make sure we're on the same

page uh and then we're going to do a technical Deep dive to understand how we can exploit this we're going to see how we can take RPA and and turn it into rce as a service I'm going to introduce you to a tool that will do all of that for you and of course we'll finish with difference understanding how how do we protect ourselves from this thing all because of course this is the this is the goal here um so just as a quick example to make sure we all on the same page on what RPA is um when I was a teenager I used to play in a game called tibia I'm not sure

if any of you if there are any tibia fans here I didn't get I I'm I'm not finding a lot of those but uh I spent like the majority of my teenhood uh do play playing this game and what you're doing there is actually um it's it's like an early MMO RPG right but the vast majority of the time you're not doing what you want to do which is kind of go in quest and play with your friends you need to do some uh you need to do grw in order to level up uh and in this particular case you do fishing so fishing means you go to a pond and you click on a worm and then you click on on

on the sea and then you click and you get some fish and you click and you get some fish and you click and you get some fish and it's terrible right you spend hours doing this thing and so I really wanted to automate this thing because it was too much uh and so this is this is kind of the equation that you that you're going through so I wanted to do something better and then I came up with a with a very good idea um physical automation so and this is an illustration but I couldn't find the real uh the real uh picture this is really what what I used to do I used to

go to sleep with like heavy things uh on on my keyboard and mouse and when you wake up in the morning in the morning one of two things happened either you leveled up or somebody uh killed your character and and you're you're not in a good stape um of course this doesn't hold uh because this this is very basic right you can only click things so the next level up after you do this thing is to use uh some sort of a program that records your screen You Records what you're actually doing and then replays it and the cool thing about this thing is that you can also share it with other people so this kind of made me popular

for a second there because I could share it with my friends that could also fish automat ially at night and then you can see what this thing is actually doing so I'm recording an entire session of me like uh uh fishing around and then this thing will replay it overnight okay so this is this is a funny example but this is actually what RPA is and now like I don't know 20 20 years later we are we are using this kind of technology to solve Enterprise problems all right so now that we understand what RPA is and we have an example in mind which is very relevant to the Enterprise uh setting we are going to look into RPA and what and how

RPA works because if you don't understand that then you won't understand uh how am I achieving what what what you're going to say in a moment so I'm going to focus on Microsoft and this is the reason every Windows 11 machine has an RPA agent built in to Windows right now so open up your your laptop you'll find this agent look for Power automate it's already there so this is the reason why Microsoft is definitely the thing to focus on um and so let's try and look at how this looks like so when you open a brand new windows 11 machine you'll find this screen um and then let me show you

hopefully all right yeah so we don't need the videos but basically um when you when you log into this let's let's do it here so when you find this power automate agent on your machine the next thing that this will uh that this will uh pop up is like a signin screen and that signin screen allows you it asks you for for an office uh user account whatever account you have this could be your personal account this could be your corporate account whatever you have right and once you do that this agent will start sying with the relevant ual tenant so it could be again your personal like a personal account and then it's the shared tenant

or it could be a corporate tenant it's going to fetch all of the different automation that you've already set up on the cloud side and then you can just pick them up and use them and so sorry all right and so once you do that this is the screen that you're that you're seeing after you log in and you can see a whole bunch of uh so in this case those are payloads because I've pre-prepared this but this could be just like regular automations and you can see on the upper side that this goes to an environment at something called pontos pontos is actually just the malicious tenants that I've created all right and so this thing is synced with the cloud

again this is my Windows machine talking to to office and so we need to understand how this thing actually works because recall that Microsoft has put this inside of Windows 11 they didn't ask any network admin team in the world to open up different ports right so something is going on here that allows the Windows machine to communicate with office in whatever setting you might be in and so on the on the left side on the machine side power automate is actually comprised of multiple different executables the first executable that you saw that uh that you'll see for the signup is is the is power automate it communicates with something called machine runtime which is actually uh a

service that's going to go up to the cloud and pull uh pull uh payloads that it needs to toh to run uh and this is running on a on a on a on a service account you can see the service account there okay that is automatically being created on on your machine um Power automate also allows you to run a bunch of uh automations on the browser so again by default you can um you can install a a plugin on your browser that takes full control of over your browser in Edge this would be automatically deployed in some cases uh in other in other browsers you need to install it and then it would would allow you to do

like it would allow power automate to operate on your behalf on the browser so in order to do this there are uh specific executables that that communicate with each one of those now if you're looking for a place to do some research I really recommend this this is a I've just described like three executables out of this entire thing all of this thing is is already in your Windows machine and the attack surface is huge and not a lot of people are looking at it so if you're looking for a uh easy pickings uh I really recommend but all right uh this is the machine side now let's try to figure out how does the how does power automate how

does the RPA agent work with office how does it trans uh Works through this uh uh corporate boundary so the way it works is actually with a with a niche piece of software that's called Azure service bus or Azure relay basically both sides are oper are creating outbound connections and then there's no inbound connection to your network there's outbound connections from the window Windows machine through your firewall or whatever uh to pull on on this queue now most people are not blocking uh outbound connections especially not to uh to Microsoft Services right and so this is the way that it operates so this is basically uh a a message box where people can leave messages where office can leave messages

for your machine to execute all right and so once you once you sign in then on the office side this is what you see this is basically um a way to So you you're seeing all of the machines that I've infected you can see their versions you can see the ones that are connected or disconnected you can see how many automations are running on on those machines and you can actually go further and you can execute things from the cloud to the machine through this mechanism of of queuing um you can also look at each individual task that you've scheduled through the cloud and see what exactly happened like full logs and if something uh was failed you can rerun it

so everything is is is handled for you um and so this is pretty much what we needed right and so now I'm going to show now now that you understand how this works I'm just going to show you how uh what we can do with it as as hacker so for from now on uh we are wearing the hacker hat and we're not describing the service anymore but we're describing how we're going to use it all right so this is my wish list and uh let me go through the wish list one by one um so first of all deploying the malware to to start this thing what we need is a malicious Microsoft tenant uh this is

pretty easy to get right so I've created a something here called pontos which is kind of a I don't know a nice reference for Microsoft um and you can create this tenant uh free no credit card needed then once you do that you go to Power automate it will tell you hey you need to introduce new machines and so in order to introduce new machines um you well you didn't see that that uh because the video didn't work but what you're seeing right here is the sign in screen that uh that people need to log in through when they when they enter when they first go to Power automate and so what we really need is to use our

account not like note this account here this needs to be our hacker account because this is the moment where we register a users machine to our tenant rather to their own home tenant once we do that the machine is uh is onboarded to our malicious tenant we're a global admin we can do whatever we want right so we can also run things on their machine and so this is the crucial piece now you can do this with UI but well as a h that that wouldn't be that would that would wouldn't really help us and so we need a way to circumvent this thing this registration form and and so this the question is can we avoid that

and the answer is that uh of course so Microsoft actually has a pre like an existing um executable there called uh machine registration. silent which is awesome uh and then you can use this uh this nice little script to register the machine to your own tenant and you can see that uh this is the this is the command that I'm using here right here all right so it's it's like a oneliner very quick and this machine is now registered to my interet and by silent it means that this machine does nothing will pop up on the machine side right if you go to Power automate and you try to log in you you wouldn't see that it's

already registered right you can you can check registry keys we'll we'll go into that uh later in this talk all right now this is great but uh if your if your eyesight is especially good then you have picked up uh you know uh yeah um you have picked up on on this little on this little thing right here which is that I'm running this as an admin which is like a yeah I don't know it's not good right we want we I mean if this is only something that that requires admin machine admin access to the machine then this would be terrible and so we wanted we really wanted to find a way to circumvent this protection

and to run this as a user so we did a very sophisticated thing we just tried uh and it actually worked so why not um I mean yeah so so it works um and and by the way once you do that of course the machine is now registered here uh to your malicious tenant so you can go to your malicious tent you can view the machine specifically this is Windows 11 which I just infected and it's connected and you can see the version of the agent and so on uh which is kind of nice so uh I just showed you how to infect a machine that's it that's what you need to do again when you run this command

line right here no Ed will will will stop you because this is something that enterprises are already doing I mean it's it's something that they need to do and so all right in order to trigger this thing from the cloud then I need to do a couple of things first of all I choose like uh that I'm going to run this automation on some on self sof machine I need to um to specify like the the specific machine and credentials for that machine I can run this with any user any user on your local machine right not just a single user by the way this opens up another threat uh Vector because think about a machine that just

gets uh a stream of payloads with with usernames and and passwords on top of but that's a topic for another talk um and then I need to choose a payload and these are the payloads that I already submitted to my cloud all right and now one thing that I need to figure out is what happens if a user is working on the machine so if somebody's already working on the machine and I'm going to run some sort of payload is it going to conflict with them or not so how do I how do I man manage that and if somebody is not logged into the machine will it still work so um the good thing about this is

that RPA has already solved this problem for us that's why we're using SAS right so you have two versions of RPA attended and unattended which basically means uh whether you are sharing a session with the user or not if the user already has a session that they're working on on their machine then you just join their session this is called attended RPA but if the user doesn't have a machine they're not logged in h doesn't have a session they're not logged in so you can just create a session do whatever you want and then discard that session all right so both of these things work out of the box and so we you seen like I didn't do

anything until now really like this was just uh creative reading of docs but what you have already seen is that I can deploy malware def defense evasion is is kind of obvious right because well it's all signed by Microsoft and persistency is also obvious because Microsoft is treating this for us right Microsoft is creating this mechanism it needs to uh to be able to still be there once you boot and everything and so this is all taken care of us taken care for us by RPA and so now we'll going to um have some fun because uh we've reached that point when we where we can start like uh uh looking at what we can do with this

so let's start by data exfiltration what you're seeing here on the left side is actually uh the way that the RPA uh like the way that you create tasks on RPA you can see this is kind of a drag and drop interface there's a whole bunch of actions here and this is the thing that I'm actually doing and you can see that this data exfiltration payload is pretty simple I'm getting as an input uh a specific file that I'd like to uh that i' like that I'd like to that I'd like to get and then as an output I'll get the content of that file right and this is just like there's an arrrow block

here some some engineering but other than that it's it's it's pretty simple and on the cloud side so again the input is give me this specific file with the secrets and this file is now and and the uh the content is being shared through the cloud so again just to make sure that we understand what's going on here because I've just did I just did the data exfiltration from a Windows machine to uh to my own malicious cloud and we need to figure out whether you would you would have found this on the network or or on any perimeter that you have or any logs that you have um so let me convince you that you would not um remember that

remember this this uh screen that we show earlier this architecture the way that this works is that the instructions are being written to office again to my malicious office tenant and then the payload goes through the this trusted Communication channel and the exfiltration the output goes through that channel as well all right so you wouldn't find this uh you wouldn't find this machine going out to a random IP somewhere to dump data no this is all in trusted communication with Microsoft with an office account H that would be pretty pretty difficult to uh uh to pin down all right so the next thing I want to I want to get to is code execution like full on code execution all right um

and in order to to do that um again RPA treats this already for us so I'm not sure if you can actually see but there are but the RPA agent has built in a way for you to spin up scripts on the machine then you can use whatever you'd like you can use Python uh JavaScript command line po shell these are all available for you and so this is an RPA uh payload that takes as an input the type of command that You' like to run so which interpreter am I am I using and then the actual script and it will run it for you and give you back the output and the and the errors uh and so this

thing is actually pretty cool so let's try to run it but when I try to HDE it I have a I I get this little popup that we really didn't want to uh uh to have happening and so this is and this is identify I've used this to to run mimic ads through a command line and so of course this is finding us right this is that we are being flagged why we're being flagged because well that the RPI agent is trusted but when you run a command line that that is trying to run mimic ads I mean you will get caught right and so we are in a kind of a pickle because we

want to have full code execution but when we will if we start a script from the power automate agent then this script would definitely get caught would definitely be like the place where edrs are looking for so how do we circumvent that well notice that this thing is already H already implements some sort of some uh some some level of like programming right this have an this has an if statement it hand it handles errors there are some things that we can do with no code just with no code just inside of the RPA agent and so the next thing you you need to ask yourself is how sophisticated can we get only using no code like only using this drag and

drop interface without using any scripts at all and so and so this is the next the next so this is what would trying to find out right now and the answer is that we can do a whole bunch more a whole lot so this is the list of actions that are available for you you can do things like uh you can uh you can change registry keys you can in uh you can work with the windows uh processes you can read and write files you can uh set up an HTTP code you can encrypt files with a handy encryption function right here uh which is kind of nice if you want to uh if you want to like play around with

it uh so you can do basically everything and actually since I've created this slide Microsoft also introduced actions that do things on the cloud side you so you can do things on aactive directory Microsoft graph SharePoint all of those kind of the Microsoft statisfied with uh which is kind of awesome so actually we can do a whole bunch more a whole lot more with this thing and so we can stay with no code Primitives and we can achieve things that uh usually would take like a heavy scripting and and so let me show you a couple of examples the first one no code ransomware um I mean it's it's it's it's very easy right I

just I just I get I get as an input like a file like a root file and then I'm iterating through all of the directories recursively and then for each file I'm going to use the encryption function provided by Microsoft and then just encrypt it and uh dump dump the encrypted file uh on top of the of the original file right and this just this this just works and this is all within the Microsoft executable right all right and and and just as as outputs here I'm I'm taking a few things like uh how many files that was I able to encrypt and like statistics because well we need we need to know that um another

example all right I think this will not work yeah this will not work but what I wanted to but this this is a like very brief demo where I basically showed that this thing you can you can run it from the cloud right but if you if you want to check it out like there's a link here it's already up on YouTube but basically the the the thing here is that while you build this uh while this thing will run on on somebody's machine you can very easily as I show as as you've seen earlier in the slides you can uh run this through the cloud and you get all of the Telemetry back to your Cloud all

right okay you what you can also do is clean up because like one thing that this agent does is generate a whole bunch of logs because this is again this is something that is supposed to be used by an Enterprise so if you go to to the relevant temp folders you'll find a whole bunch of logs on what this agent actually do does so how do we uh make sure that nobody catches us we just use the agent to delete all of those files why not I mean it's a documentation we know exactly where those are all right so no code cleanup again I'm just iterating through those fold those folders with with the log that I know I

know where they are because it's in the docs and then I'll just delete the logs all right so one other thing that we can do because we we talked about the browser side and and the the thing is that if you have this RPA agent that uh installed on your browser as well then I can basically steal any token that you have on your cast on your on your browser right because again I'm impersonated the user and so again I think I have this in a in a YouTube video so I don't think you'll be able to see it but what I actually have what I've actually done here is just like created a very simple script that opens

up the browser and then goes specifically to power automate like the office Cloud version and just steals the users token because I mean why not it's very easy and the thing the The crucial thing here is that you can open the browser in a minimized version because again the RPA is is is is built by Microsoft and by others as a way for you to uh to run things on users machines on in the Enterprise you don't want to disturb those users right you don't want them to have a browser pop up and something automatically happening so we can use the same mechanisms for our purposes as well right um and so this is this is what you you will see here if

you'll go to this link all right and so as a quick recap what we've done so far we were able to go through the entire checklist of the things that we wanted to do uh so we deployed malware with the trusted service we like defense evasion and persistency were kind of obvious we did command and control exfiltration cleanup you also saw a specific ransomware payload but you can actually play around with this and do a a whole bunch more so I really encourage you to do that uh I I'll show you how in a moment and we also s credential access through the browser or rather I talked about it um and so if you want to play around with

this yourself um so here's a tool this tool is allowing will allow you to do everything that we just saw saw in the stock uh like like the the all of the payloads are already included there uh the infection script is already there you'll also find um links and more details that that I'm going to share uh in a few moments on how to protect yourself so this is all there this is actually uh a second version of this tool I gave an earlier version of this stock at Defcon last year and so this is the second version of this of this two where we go through a whole bunch more than just uh run someware there's a

there's a back door there's fishing where there's internal fishing uh there's a way to dump data with guest access I just gave a talk about this yesterday so check this out this is a a whole tool set around the no code low code capabilities that Microsoft has built into office um what powerp point is going to do for you is automate everything that we've seen up until now but for us as security folks so we can work with this without UI and like draging and droing right we we we want command line and so uh the way that I'm generating a command line here is that I'm actually creating an automation on the cloud side that um is triggered by

an HTTP request and then I have a error handling uh all all figured out for you uh and then it's going to execute the payload of somebody's machine and there's one endpoint that controls a whole bunch of payloads so any payload that you saw here in this talk is available through the tool and then what you actually need to do is just post just just do a post request to the to the endpoint that's generated here by Microsoft on your own tenant right this is also available through a a nice little CLI with with PowerPoint so check it out it's kind it's kind of cool all right so we figured out how to use RPA we figured out uh we we saw what

we uh what RPA is and we saw what you can actually do with that what do with this the next thing I want to I think it's important to to to discuss is like the communication with Microsoft about this thing and so let me yeah let me show you uh what has happened so far so this was actually first found in uh last year uh so when I talk I gave a talk about this at defon and Microsoft pretty much said this isn't a nonissue like everything here is uh like it's uh I think the the exact quote was that this requires uh social engineering in order to to work uh which is does not but all

right um and so that's that's where we were last year uh s then Microsoft actually issued a fix and we're going to discuss this fix in a moment um but the fix was issued for specific version so this is a this is something that that is on your machines so you need to update in order to get that fixed we don't have a cve for that uh they did acknowledge at the end like uh just a couple of weeks ago that that this uh this is related to our research um but there's still no cve for it right so what's what's the actual fix here what actually happens is that the The crucial piece is

that I was able to register this RPA agent to my own tenant rather than the home tenant of the uh of the user right so in an Enterprise setting the user is already logged in the machine is probably ad joined or at least aad joined and so the machine needs to know that there's already a tenant for that machine right and so by default if you use a a secure version of power automate desktop they have made it so that you cannot uh register the agent to another tenant if if you have if you already logged in with a tenant but there are a few crucial things that are missing here one is that there's no CV and earlier

versions of power automate desktop are still vulnerable so you still probably have business users that have this older agent that could still be owned the other thing is that well the default is secured but you can definitely move to an insecure default and there are actually reasons to do it most Enterprises don't have one tenant ID they have lots of them and once you have lots of lots of talent IDs then you need to switch off one of these uh secure Flags which would allow an attacker to use that as well um and so any machine that's not aad joined is is still is still in a problem is still is still vulnerable and this is probably not an

Enterprise setting but well who cares about consumers uh we have uh insecure configuration that would that would cut you and we have the uh older version of power automate desktop again no CV so you need to do you need to manually make sure that people are updating their uh their agents all right so this is the this is the work that we've done with Microsoft actually like I'm joking about them but in the last few weeks they were they were kind of nicer so uh we're getting along good now um and so let's let's like like a very quick recap of what we've seen so far we saw what RPA is we mentioned that it's

available on every major Enterprise right now we did a technical de Deep dive into RPA we saw how you can abuse RPA and basically turn it into what it is uh remote code execution as a service we saw that you can distribute payloads we sell Power Pon which would allow you to play around with this thing I really encourage you to do that because there's plenty more play payloads that you can actually create and the last thing I need to give you uh is is something to do with it right so a way to protect yourself uh and so let's go let's do that all right these are the best things that we've discovered so far to and

catch this attack or prevent it on on your talent I mean the number one thing you need to do is Monitor any usage of these two executables one is uh for command line and the other is for for power shell if you see any weird things going on with these executables this is a giant red flag right especially if you see a tenant ID that doesn't belong to you I know that's a difficult task to always have like a an updated list of tenant ID that uh that belong to you but it is what it is right this is the best thing that we can do uh to protect from this because once somebody has already

registered one of those machines one of those agents then you're in a you're in a tough place right it's it's it's difficult to to do something with it unless you actually get a hold of that machine um the second thing is that kind of so again the first two thing are kind of similar the other thing is that you can actually apply there's a link there I'll show the slides afterwards uh you can actually apply a bunch of best practice on the like there are configurations that you can that you can uh create to harden your environment even more but this requires changing registry keys on your users's laptop so if you have a way to do that in a way

like that's comprehensive go ahead um and the last thing that I'll mention is that this is like this has been uh focused on how an attacker could live off the land of this power automate thing but actually business users are are using this and when you think about putting uh Power in the hands of business users for them to automate things connect anywhere uh with their own credentials then you can think about the kind of things that would happen right we can't expect them to make consciously good security decisions so there's plenty of things that that can go wrong and if you're interested there's an OAS uh project that's dedicated to to these things the things

that business users are building it's called the OAS PL code no code top 10 um I think with that thank you very much [Applause]

yeah if we have any questions uh feel free mention you mention there's two flags Microsoft fix there's two flags introduce to you a know and what prives are on those flags to unset them or change them back to what they were sure so the question because the mic didn't work at first the question was about the two flags that I've mentioned that Microsoft has introduced these are indeed set by default on the on the newer power automat desktop uh agents and so by default you're fine if your machine is a joined and you have an updated uh an updated agent however uh like you can just change those register keys in know to do that you need to be

an administrator on the machine it's admin to change and back yeah on new machines that have just been introduced you're fine in an anop selling all right any more

questions okay I'll be here afterwards thank you very [Applause] much