Query Details

Monitor Abusing Intune Permissions For Lateral Movement

Query

// Monitor Abusing Intune Permissions for Lateral Movement 🔛
// https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-permissions-entra-id-environments
// The Mandiant blog discusses how attackers can exploit Intune permissions to move laterally and escalate privileges within Microsoft Entra ID environments. The Mandiant Red Team demonstrated this by abusing the DeviceManagementConfiguration.ReadWrite.All permission granted to Entra ID service principals. This permission allows the creation and modification of Intune management scripts, which can run with administrative privileges on devices. The blog also provides recommendations for preventing and detecting such attacks.

AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has "Add app role assignment to service principal"
// InitiatedBy.user is a JSON object; take the UPN of the account that granted the role
| extend InitiatedByUPN = parse_json(tostring(InitiatedBy.user)).userPrincipalName
// modifiedProperties is a JSON array and each newValue is itself JSON-encoded, hence parse_json(tostring(...)) twice.
// The indexes are positional (1 = app role value, 5 = service principal object ID, 6 = service principal name);
// confirm they line up with the records in your own tenant before relying on the output.
| extend AppRole = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))
| extend ServicePrincipalName = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[6].newValue))
| extend ServicePrincipalObjectID = parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[5].newValue))
// Permissions that let a service principal run Intune scripts on devices or escalate further in the directory
| where AppRole has "DeviceManagementConfiguration.ReadWrite.All" or AppRole has "RoleManagement.ReadWrite.Directory" or AppRole has "AppRoleAssignment.ReadWrite.All" or AppRole has "Application.ReadWrite.All"
| project TimeGenerated, OperationName, InitiatedByUPN, AppRole, ServicePrincipalName, ServicePrincipalObjectID

// MITRE ATT&CK Technique
// T1098.003 - Account Manipulation: Additional Cloud Roles

Explanation

This query is designed to monitor and detect potential abuse of Intune permissions within Microsoft Entra ID environments, which could be used for lateral movement or privilege escalation by attackers. Here's a simplified breakdown of what the query does:

  1. Data Source: It looks at the AuditLogs to find relevant activities.
  2. Time Frame: It focuses on logs generated in the last hour.
  3. Operation Filter: It specifically searches for operations related to adding app role assignments to service principals.
  4. Data Extraction: each field is a JSON-encoded newValue read from a fixed position in TargetResources[0].modifiedProperties, which is why the query calls parse_json(tostring(...)) twice.
    • Extracts the user principal name (UPN) of the account that initiated the operation from InitiatedBy.user.
    • Extracts the app role (permission) value that was assigned (index 1).
    • Extracts the display name (index 6) and object ID (index 5) of the service principal that received it.
  5. Role Filtering: It filters for specific roles that could be abused, such as:
    • DeviceManagementConfiguration.ReadWrite.All
    • RoleManagement.ReadWrite.Directory
    • AppRoleAssignment.ReadWrite.All
    • Application.ReadWrite.All
  6. Output: It displays the time of the operation, the operation name, the user who initiated it, the app role assigned, and details about the service principal.

The query is aligned with the MITRE ATT&CK technique T1098.003, which involves account manipulation through the assignment of additional cloud roles. This monitoring helps in identifying suspicious activities that could indicate an attacker trying to exploit Intune permissions for malicious purposes.
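As an added example (not part of the original query page), the same detection logic re-implemented in Python over constructed AuditLogs-style records. It shows why the query decodes newValue twice and what the positional indexes [1], [5] and [6] assume; the record layout, property names, timestamps and identifiers are all constructed.

```python
import json
from datetime import datetime, timedelta

WATCHED_ROLES = {"DeviceManagementConfiguration.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                 "AppRoleAssignment.ReadWrite.All", "Application.ReadWrite.All"}  # same list as the query

def as_json(value):
    # Mirrors parse_json(tostring(x)): decode only if the value is still a JSON string.
    return json.loads(value) if isinstance(value, str) else value

def new_value_at(modified_properties, index):
    # Mirrors parse_json(tostring(parse_json(tostring(mp))[index].newValue)). newValue holds a
    # JSON-encoded value (a string keeps its own quotes), hence the second decode.
    return as_json(as_json(modified_properties)[index]["newValue"])

def find_risky_role_grants(records, now, lookback=timedelta(hours=1)):
    """Return what the KQL query would project, from AuditLogs-style dicts."""
    hits = []
    for rec in records:
        if datetime.fromisoformat(rec["TimeGenerated"]) <= now - lookback:
            continue  # outside the ago(1h) window
        if "Add app role assignment to service principal" not in rec["OperationName"]:
            continue
        props = rec["TargetResources"][0]["modifiedProperties"]
        app_role = new_value_at(props, 1)  # positional, exactly as the query does
        if app_role not in WATCHED_ROLES:  # the exact-role match the `has` filter intends
            continue
        hits.append({"TimeGenerated": rec["TimeGenerated"], "AppRole": app_role,
                     "InitiatedByUPN": as_json(rec["InitiatedBy"]["user"])["userPrincipalName"],
                     "ServicePrincipalName": new_value_at(props, 6),
                     "ServicePrincipalObjectID": new_value_at(props, 5)})
    return hits

def make_record(ts, role, sp_name, sp_id, upn="admin@contoso.example"):
    # Constructed AuditLogs-style record. The modifiedProperties order is made up so that indexes
    # 1, 5 and 6 line up with the query; real logs may differ, which is the fragility of positional access.
    fields = [("AppRole.Id", "PLACEHOLDER-ROLE-ID"), ("AppRole.Value", role), ("p2", ""),
              ("p3", ""), ("p4", ""), ("ServicePrincipal.ObjectID", sp_id),
              ("ServicePrincipal.DisplayName", sp_name)]
    props = [{"displayName": n, "newValue": json.dumps(v)} for n, v in fields]
    return {"TimeGenerated": ts, "OperationName": "Add app role assignment to service principal",
            "InitiatedBy": {"user": json.dumps({"userPrincipalName": upn})},
            "TargetResources": [{"modifiedProperties": json.dumps(props)}]}

NOW = datetime(2024, 11, 7, 12, 0, 0)
SAMPLE = [  # constructed: one risky grant in window, one benign grant, one risky but stale
    make_record("2024-11-07T11:45:00", "DeviceManagementConfiguration.ReadWrite.All", "intune-automation", "sp-0001"),
    make_record("2024-11-07T11:50:00", "User.Read", "hr-app", "sp-0002"),
    make_record("2024-11-07T09:00:00", "Application.ReadWrite.All", "old-app", "sp-0003"),
]
```

Running find_risky_role_grants(SAMPLE, NOW) returns only the first record, with the UPN, role, service principal name and object ID decoded the way the KQL projects them.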

Details

Steven Lim

Released: November 7, 2024

Tables

AuditLogs

Keywords

AuditLogs, Devices, Intune, User, ServicePrincipalName, ServicePrincipalObjectID, OperationName, AppRole

Operators

AuditLogs, where, ago, has, extend, parse_json, tostring, project