
Good Afternoon,
Our EDR security solution seems to be flagging what seems to me to be a local Power Automate install onto a workstation using the microsoft.flow.uiflow.msi installer package. In one of the processes, PowerShell is invoked in order to execute fileless content, which is being flagged as suspicious and thus denied. Below is the script that it attempted to execute:
"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" -c " try { $assy = [System.Reflection.Assembly]::LoadFrom('C:\Program Files (x86)\Power Automate Desktop\Microsoft.Flow.RPA.Service.Core.dll'); $rdCoreClientType = $assy.GetType('Microsoft.Flow.RPA.Service.Core.Platform.RDClient'); $constructorInfo = $rdCoreClientType.GetConstructor(@()); $rdClientInstance = $constructorInfo.Invoke(@()); } catch [System.DllNotFoundException] { <# Note[guco]: This is the exception we get when there is a broken VC redist install. #> exit -42; } catch [Exception] { Write-Host $_; } "
Is anyone aware of what this is and whether it's a legitimate process in Power Automate? I'd seen this posted before in the community forum, and the OP's security team flagged down this process as potential credential dumping. As a security professional I want to understand what this script is trying to do and whether to trust it or not.
Any help is greatly appreciated.
Thanks in advance.
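As an added triage example (not from the post, Microsoft, or any EDR vendor), the following Python helper pulls the reflective-load indicators out of a captured PowerShell command line (the Assembly::LoadFrom path, the GetType name, and whether a constructor is invoked) and checks the loaded assembly path against an allow-list of expected install directories. The allow-list, the second contrast command line, and the verdict strings are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the first is the command line quoted in the post, the second is a
# constructed contrast case that loads an assembly from a user-writable directory.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" -c " try { $assy = [System.Reflection.Assembly]::LoadFrom('C:\Program Files (x86)\Power Automate Desktop\Microsoft.Flow.RPA.Service.Core.dll'); $rdCoreClientType = $assy.GetType('Microsoft.Flow.RPA.Service.Core.Platform.RDClient'); $constructorInfo = $rdCoreClientType.GetConstructor(@()); $rdClientInstance = $constructorInfo.Invoke(@()); } catch [System.DllNotFoundException] { <# Note[guco]: This is the exception we get when there is a broken VC redist install. #> exit -42; } catch [Exception] { Write-Host $_; } "''',
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$a=[System.Reflection.Assembly]::LoadFrom('C:\Users\Public\update.dll'); $a.GetType('Loader.Main').GetConstructor(@()).Invoke(@())"''',
]

# Assumed allow-list: the install directory visible in the quoted command line.
# A real deployment would maintain this per environment.
EXPECTED_ASSEMBLY_DIRS = (r"C:\Program Files (x86)\Power Automate Desktop",)

LOADFROM_RE = re.compile(r"\[System\.Reflection\.Assembly\]::LoadFrom\(\s*'([^']+)'", re.I)
GETTYPE_RE = re.compile(r"\.GetType\(\s*'([^']+)'", re.I)
INVOKE_RE = re.compile(r"\.Invoke\(", re.I)


@dataclass
class ReflectiveLoad:
    assembly_path: str
    type_name: Optional[str]
    instantiates_type: bool
    in_expected_dir: bool

    def verdict(self) -> str:
        # Path alone does not prove legitimacy: the next step is to verify the file's
        # Authenticode signature (e.g. Get-AuthenticodeSignature) before allowing it.
        if self.in_expected_dir:
            return "reflective load from expected install dir: verify the DLL signature before allowing"
        return "reflective load from unexpected path: escalate for investigation"


def triage(cmdline: str) -> Optional[ReflectiveLoad]:
    """Extract reflective-load indicators from a PowerShell command line, or None if absent."""
    m = LOADFROM_RE.search(cmdline)
    if not m:
        return None
    path = m.group(1)
    type_m = GETTYPE_RE.search(cmdline)
    in_dir = any(path.lower().startswith(d.lower().rstrip("\\") + "\\") for d in EXPECTED_ASSEMBLY_DIRS)
    return ReflectiveLoad(path, type_m.group(1) if type_m else None, bool(INVOKE_RE.search(cmdline)), in_dir)


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print(result.assembly_path, "->", result.verdict())
```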