Persistence
In the previous section we covered some interesting ways to dynamically send data out of an organization. What if, instead of dynamically sending data, there was a desire to have more control over someone's Office 365 account, even if they change their password?
The request trigger perfectly helps to facilitate this capability. Once completed, the request trigger provides a URL that can be used to start the flow. The URL will look similar to this one:
https://prod-57.westus.logic.azure.com:443/workflows/.../triggers/manual/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=...
The listener supports multiple request types including: Get, Put, Post, Patch, Delete. Custom request types can also be used.
The listener is waiting for JSON data. The easiest thing that I've found is to paste in a sample JSON payload and let Flow automatically format it in a way that it understands.

Doing it this way allows Flow to understand and read the keys, and makes these fields selectable in the action triggers later within the flow. Flow will convert the JSON into something like this:

Now that the trigger is defined, a connector needs to be built. For this example we're going to use the OneDrive connector:

The variables are all defined based on the content that is passed from the JSON request. Once saved, this Flow allows us to send a POST request to a custom Azure URL and, based upon the data we pass in, it will create a file in OneDrive wherever we want it to go, with any name we want, and filled with our content.
With the right connectors this allows an attacker to establish persistent access to pretty much someone's entire Office 365 account. This access lives on after a password has been changed.
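For defenders, a flow built this way can be found by reviewing flow definitions. The sketch below is an added example, not from the original post: it flags connector actions whose parameters are filled from the body of a request trigger. The sample definition is constructed, and its field names (`type`, `kind`, `host.apiId`, `operationId`, `triggerBody()`) assume the Logic Apps workflow definition layout.

```python
import json

# Constructed sample flow definition (not from the original page). Field names
# assume the Logic Apps workflow definition layout; adjust to your own exports.
SAMPLE_FLOW = json.loads("""
{"triggers": {"manual": {"type": "Request", "kind": "Http",
   "inputs": {"schema": {"type": "object", "properties": {
     "path": {"type": "string"}, "name": {"type": "string"},
     "content": {"type": "string"}}}}}},
 "actions": {"Create_file": {"type": "OpenApiConnection", "inputs": {
   "host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_onedriveforbusiness",
            "operationId": "CreateFile"},
   "parameters": {"folderPath": "@triggerBody()?['path']",
                  "name": "@triggerBody()?['name']",
                  "body": "@triggerBody()?['content']"}}}}}
""")

CONNECTOR_TYPES = {"OpenApiConnection", "ApiConnection"}

def walk_actions(actions):
    """Yield (name, action) pairs, descending into scopes and condition branches."""
    for name, action in actions.items():
        yield name, action
        yield from walk_actions(action.get("actions", {}))
        yield from walk_actions(action.get("else", {}).get("actions", {}))

def caller_controlled(action):
    """Names of connector parameters whose value references the trigger body."""
    params = action.get("inputs", {}).get("parameters", {})
    return sorted(k for k, v in params.items() if "triggerBody()" in json.dumps(v))

def audit_flow(definition):
    """Flag connector actions that an HTTP request trigger caller can steer."""
    triggers = sorted(n for n, t in definition.get("triggers", {}).items()
                      if t.get("type") == "Request")
    findings = []
    for name, action in (walk_actions(definition.get("actions", {})) if triggers else ()):
        fields = caller_controlled(action) if action.get("type") in CONNECTOR_TYPES else []
        if fields:
            host = action["inputs"].get("host", {})
            findings.append({"action": name, "triggers": triggers,
                             "connector": host.get("apiId", "").rsplit("/", 1)[-1],
                             "operation": host.get("operationId"),
                             "caller_controlled": fields})
    return findings

if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_FLOW):
        print(finding)
```

A finding means anyone holding the trigger URL can drive that connector with the flow owner's connection, so the review should end with the flow being removed or its trigger URL regenerated, not only a password reset.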