LoFP / Legitimate administrative usage of this functionality will trigger this detection.

Techniques

Sample rules

Microsoft Intune DeviceManagementConfigurationPolicies

Description

Microsoft Intune device management configuration policies are a tool administrators can use to remotely manage policies and settings on Intune-managed devices. This functionality can also be abused to disable defences and evade detection. This detection identifies when a new device management configuration policy has been created.

Detection logic

`azure_monitor_activity` operationName="* DeviceManagementConfigurationPolicy*" 
| rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin 
| eval details=mvzip('properties.Targets{}.ModifiedProperties{}.Name','properties.Targets{}.ModifiedProperties{}.New',": ") 
| rex field="operationName" "^(?P<action>\w+)\s" 
| replace "Patch" with "updated", "Create" with "created", "Delete" with "deleted", "assign" with "assigned" IN action 
| eval action=if(match(operationName ,"Assignment$"),"assigned",'action') 
| table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId details status tenantId correlationId 
| `microsoft_intune_devicemanagementconfigurationpolicies_filter`

Microsoft Intune Device Health Scripts

Description

Microsoft Intune device remediation scripts are a tool administrators can use to remotely manage devices. This functionality can also be abused for SYSTEM-level code execution and lateral movement to Intune-managed devices. This detection identifies when a new device health script has been added, updated or deleted.

Detection logic

`azure_monitor_activity` operationName="*DeviceHealthScript*"  
| rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin 
| rex field="operationName" "^(?P<action>\w+?)DeviceHealthScript" 
| replace "patch" with "updated", "create" with "created", "delete" with "deleted", "assign" with "assigned" IN action 
| table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId 
| `microsoft_intune_device_health_scripts_filter`

Microsoft Intune Mobile Apps

Description

Microsoft Intune supports deploying packaged applications to support software deployment. This functionality can also be abused to deploy malicious payloads to Intune-managed devices. This detection identifies when a new packaged application has been added, updated or deleted.

Detection logic

`azure_monitor_activity` operationName="*MobileApp*"  
| rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin 
| rex field="operationName" "^(?P<action>\w+)\s" 
| replace "Patch" with "updated", "Create" with "created", "Delete" with "deleted", "assign" with "assigned" IN action 
| table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId 
| `microsoft_intune_mobile_apps_filter`

Microsoft Intune Manual Device Management

Description

Microsoft Intune device management configuration policies, scripts and apps are all tools administrators can use to remotely manage Intune-managed devices. Instead of waiting for the devices to poll for changes to policies, the policies can be manually pushed to expedite delivery. This may be useful in a pinch, but it may also be a sign of an impatient attacker trying to speed up the delivery of their payload. This detection identifies when device management configuration policy sync events or on-demand remediation scripts are triggered, or when devices are remotely restarted.

Detection logic

`azure_monitor_activity` operationName="*ManagedDevice*"  
| rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin 
| rex field="operationName" "^(?P<action>\w+)\s" 
| table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId 
| `microsoft_intune_manual_device_management_filter`
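
The four rules above differ only in their operationName wildcard and in how they normalize the action field, which is what an analyst reads first when deciding whether an alert is routine administration. The following Python emulation of that matching and normalization is an added example, not part of the original rules or of Splunk's content. The sample operationName values and identities are constructed, and the replace pairs are assumed to be exact-value matches.

```python
import re
from fnmatch import fnmatchcase

# Exact-value pairs copied from the rules' replace commands (assumed case-sensitive).
SPACE_MAP = {"Patch": "updated", "Create": "created", "Delete": "deleted", "assign": "assigned"}
SCRIPT_MAP = {"patch": "updated", "create": "created", "delete": "deleted", "assign": "assigned"}

# (rule name, operationName wildcard, rex pattern, replace map, Assignment override)
RULES = [
    ("DeviceManagementConfigurationPolicies", "* DeviceManagementConfigurationPolicy*",
     r"^(?P<action>\w+)\s", SPACE_MAP, True),
    ("Device Health Scripts", "*DeviceHealthScript*",
     r"^(?P<action>\w+?)DeviceHealthScript", SCRIPT_MAP, False),
    ("Mobile Apps", "*MobileApp*", r"^(?P<action>\w+)\s", SPACE_MAP, False),
    # The manual device management rule has no replace step: action stays raw.
    ("Manual Device Management", "*ManagedDevice*", r"^(?P<action>\w+)\s", {}, False),
]

def classify(event):
    """Return [(rule, action, user)] for every rule the event matches."""
    op = event["operationName"]
    hits = []
    for name, wildcard, rex, mapping, assignment_override in RULES:
        # Splunk search-time wildcard matching on field values is case-insensitive.
        if not fnmatchcase(op.lower(), wildcard.lower()):
            continue
        m = re.search(rex, op)
        action = m.group("action") if m else None  # rex leaves the field unset on no match
        action = mapping.get(action, action)       # unmapped values pass through unchanged
        if assignment_override and op.endswith("Assignment"):
            action = "assigned"                    # mirrors the eval ... match(...,"Assignment$")
        hits.append((name, action, event.get("identity")))
    return hits

# Constructed sample events (not real tenant data).
SAMPLES = [
    {"operationName": "Create DeviceManagementConfigurationPolicy", "identity": "admin@example.test"},
    {"operationName": "Create DeviceManagementConfigurationPolicyAssignment", "identity": "admin@example.test"},
    {"operationName": "patchDeviceHealthScript", "identity": "helpdesk@example.test"},
    {"operationName": "Delete MobileApp", "identity": "admin@example.test"},
    {"operationName": "syncDevice ManagedDevice", "identity": "helpdesk@example.test"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["operationName"], "->", classify(ev))
```

The second sample shows the override in the first rule: the rex captures "Create", but the trailing "Assignment" relabels the event as "assigned".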