# *Mass Wipe / Retire Device Action*

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1072 | Software Deployment Tools | <https://attack.mitre.org/techniques/T1072/> |
| T1485 | Data Destruction | <https://attack.mitre.org/techniques/T1485/> |

### Description

Detects unusual spikes of Intune wipe or retire actions across multiple managed devices in a short window. A compromised admin, insider abuse, or malicious automation can trigger mass device wipes, leading to data destruction or denial of service. Aligns to **T1072 (Software Deployment Tools)** for abuse of management tooling and **T1485 (Data Destruction)** when wiping/retiring is used to remove assets or evidence.

Use this to spot:

- Admin or service accounts issuing bulk wipe/retire commands beyond expected operational volumes.
- Abuse of delegated or break-glass accounts to disrupt device fleet availability.
- Automated scripts or compromised API credentials initiating high-volume retire/wipe actions.

Before enabling, confirm your baseline for legitimate bulk operations (e.g., device refresh projects) and tune the threshold `WipeThreashold` accordingly.

Blog: <https://medium.com/@kurtli_thomas/detecting-threats-when-attackers-exploit-management-tools-microsoft-intune-71823956630d>

### Author

- **Name:** Thomas Kurth
- **GitHub:** <https://github.com/ThomasKur/Sentinel-And-DefenderXDR>
- **LinkedIn:** <https://www.linkedin.com/in/thomas-kurth-a86b7851/>
- **Medium:** <https://medium.com/@kurtli_thomas>

## Defender XDR

Mapping Proposal:

- Impacted Assets
  - AadUserId > Column: AccountObjectId


Potential Remediation Action: Mark User as Compromised or Disable Account

```KQL
let WipeThreashold = 5; // A normal engineer is not wiping more than 5 devices per hour. Can be adjusted for the environment.
IntuneAuditLogs
| where OperationName in ('wipe ManagedDevice', 'retire ManagedDevice')
| where ResultType == 'Success'                                              // only actions that actually completed
| where isnotempty(Properties)
| extend Targets = extract_json("$.Targets", Properties, typeof(dynamic))   // one array entry per targeted device
| extend TargetCount = array_length(Targets)
| extend Actor = extract_json("$.Actor", Properties, typeof(string))
| extend AccountObjectId = extract_json("$.ObjectId", Actor, typeof(guid))  // object id of the acting user (AadUserId in Defender XDR)
| summarize TotalWipeOrRetireTargetCount = sum(TargetCount), TimeGenerated = min(TimeGenerated), Identity = min(Identity) by AccountObjectId
| where TotalWipeOrRetireTargetCount > WipeThreashold                       // devices touched by this actor within the rule lookback
```

Explanation

This query is designed to detect unusual activity related to the mass wiping or retiring of devices managed through Microsoft Intune. It focuses on identifying potential security threats, such as compromised admin accounts or malicious automation, that could lead to data destruction or denial of service by issuing a large number of device wipe or retire commands in a short period.

Key Points:

1. Purpose: The query aims to spot unusual spikes in device wipe or retire actions, which could indicate malicious activity or misuse of administrative privileges.
2. Techniques Involved:
   - T1072 (Software Deployment Tools): Abuse of management tools to perform unauthorized actions.
   - T1485 (Data Destruction): Using wipe/retire actions to destroy data or disrupt services.
3. Detection Criteria:
   - The query looks for successful wipe or retire operations only.
   - It checks whether the total number of devices targeted by one actor exceeds a predefined threshold (`WipeThreashold`), which is set to 5 by default but can be adjusted to match normal operational activity.
4. Potential Indicators:
   - Admin or service accounts performing bulk operations beyond normal levels.
   - Use of special accounts (e.g., break-glass accounts) to disrupt device availability.
   - Automated scripts or compromised credentials triggering mass actions.
5. Actionable Insights:
   - If the threshold is exceeded, it may indicate a compromised user account or malicious activity.
   - Suggested remediation includes marking the user as compromised or disabling the account to prevent further unauthorized actions.
6. Customization:
   - Organizations should establish a baseline for legitimate bulk operations to fine-tune `WipeThreashold` and avoid false positives.

This query helps security teams monitor and respond to potential threats involving the misuse of device management capabilities in Intune.
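The detection logic above, replayed in Python over constructed IntuneAuditLogs-style rows; this is an added example, not code from the query page or the author's repository. It assumes the Properties JSON carries an Actor object with an ObjectId and a Targets array with one entry per device (the fields the KQL extracts), and it goes one step beyond the KQL by applying the threshold per actor inside a sliding one-hour window instead of across the whole rule lookback, which is where the baseline tuning the description asks for actually bites.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_THRESHOLD = 5           # same default as the query's WipeThreashold
WINDOW = timedelta(hours=1)  # assumed "short window"; the KQL itself relies on the rule lookback
WIPE_OPS = {"wipe ManagedDevice", "retire ManagedDevice"}

def parse_row(row):
    """Mirror the KQL filters and extracts: (actor_id, target_count, ts, identity) or None."""
    if row.get("OperationName") not in WIPE_OPS or row.get("ResultType") != "Success":
        return None
    try:
        p = json.loads(row.get("Properties") or "")   # empty Properties -> JSONDecodeError -> skipped
    except json.JSONDecodeError:
        return None
    targets, actor = p.get("Targets"), p.get("Actor") or {}
    if not isinstance(targets, list) or not actor.get("ObjectId"):
        return None
    return actor["ObjectId"], len(targets), datetime.fromisoformat(row["TimeGenerated"]), row.get("Identity", "")

def detect_mass_wipe(rows, threshold=WIPE_THRESHOLD, window=WINDOW):
    """Return {actor_id: (peak target count inside one window, identity)} for actors over the threshold."""
    events, hits = defaultdict(list), {}
    for actor_id, count, ts, ident in filter(None, map(parse_row, rows)):
        events[actor_id].append((ts, count, ident))
    for actor_id, evs in events.items():
        evs.sort()
        start, running = 0, 0
        for ts, count, _ in evs:                    # sliding window over this actor's events
            running += count
            while ts - evs[start][0] > window:      # drop events that fell out of the window
                running -= evs[start][1]
                start += 1
            if running > threshold:
                hits[actor_id] = (max(running, hits.get(actor_id, (0,))[0]), evs[0][2])
    return hits

# Constructed sample rows, not real telemetry: actor A wipes 6 devices in one action, actor B
# retires 6 devices in two actions six hours apart, and one 10-device wipe failed.
ACTOR_A, ACTOR_B = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
def _row(ts, op, result, actor, n, identity):
    props = {"Actor": {"ObjectId": actor}, "Targets": [{"Type": "ManagedDevice"}] * n}
    return {"TimeGenerated": ts, "OperationName": op, "ResultType": result, "Identity": identity, "Properties": json.dumps(props)}
SAMPLE_ROWS = [
    _row("2026-01-04T09:00:00", "wipe ManagedDevice", "Success", ACTOR_A, 6, "admin-a@example.com"),
    _row("2026-01-04T08:00:00", "retire ManagedDevice", "Success", ACTOR_B, 3, "admin-b@example.com"),
    _row("2026-01-04T14:00:00", "retire ManagedDevice", "Success", ACTOR_B, 3, "admin-b@example.com"),
    _row("2026-01-04T10:00:00", "wipe ManagedDevice", "Failure", ACTOR_B, 10, "admin-b@example.com"),
]
```

With the constructed rows only actor A is flagged; widening the window to a day also flags actor B, whose six retires never fall inside a single hour, which is the same effect a long rule lookback has on the KQL.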

Details

Thomas Kurth

Released: January 4, 2026

Tables

IntuneAuditLogs

Keywords

Devices, Intune, User Accounts, Admin, Automation, Scripts, API Credentials, Data Destruction, Denial of Service, Management Tools

Operators

let, in, where, ==, isnotempty, extend, extract_json, typeof, dynamic, string, guid, array_length, summarize, sum, min, by, >