Microsoft Intune Bulk Device Wipe Detection
A high volume of 'wipe ManagedDevice' events from the Intune admin portal within a short period (5+ per hour) indicates a potential large-scale data wiping attack against managed endpoints.
This threat brief focuses on the potential abuse of the "wipe ManagedDevice" action within Microsoft Intune. An attacker who has gained unauthorized access to an Intune tenant may attempt to perform a large-scale device wipe. This action factory resets devices connected to the targeted Microsoft Intune tenant, leading to significant data loss and disruption. The technique has been observed in real-world incidents, such as the Stryker data breach, highlighting the potential for devastating impact. Defenders should monitor for unusual spikes in device wipe activity to identify potential malicious behavior. This brief provides guidance for detection and response to mitigate the risk of a bulk device wipe attack.
Attack Chain
- The attacker gains unauthorized access to a Microsoft Intune tenant, potentially through compromised credentials or exploiting a vulnerability.
- The attacker authenticates to the Azure portal and navigates to the Microsoft Intune admin center.
- The attacker identifies the "Devices" section within the Intune portal.
- The attacker initiates the "wipe ManagedDevice" action on multiple devices simultaneously or in rapid succession.
- Intune audit logs record the "wipe ManagedDevice" events, including the user identity, timestamps, and target devices.
- The devices targeted by the wipe command begin the factory reset process, erasing all data and settings.
- Users of the wiped devices experience data loss and are unable to access corporate resources.
- The attacker achieves their objective of disrupting business operations and potentially causing financial harm to the organization.
Impact
A successful bulk device wipe can result in significant data loss, business disruption, and financial damage. The incident affecting Stryker serves as a prime example of the potential consequences, impacting numerous devices and requiring extensive recovery efforts. Organizations in all sectors are vulnerable, particularly those heavily reliant on mobile devices for business operations. A successful attack can lead to complete loss of data on wiped devices, impacting productivity and potentially exposing sensitive information.
Recommendation
- Deploy the Sigma rule "Microsoft Intune Bulk Device Wipe" to your SIEM and tune the threshold (currently 5 wipes per hour) according to your environment's baseline activity.
- Configure Azure Monitor Activity logging for Intune and ensure proper ingestion into your SIEM to enable the detection rule.
- Investigate any alerts generated by the Sigma rule to determine the legitimacy of the "wipe ManagedDevice" actions and the identity of the user initiating them.
- Review and enforce multi-factor authentication (MFA) policies for all administrator accounts with access to the Microsoft Intune portal.
- Implement role-based access control (RBAC) to limit the number of users with permissions to perform device wipe actions.
- Develop and regularly test incident response plans for data wiping events, including procedures for data recovery and business continuity.
Detection coverage 2
Microsoft Intune Bulk Device Wipe
criticalDetects a high volume of 'wipe ManagedDevice' events from Intune, indicating a potential data wiping attack.
Microsoft Intune Wipe Device by Multiple Users
highDetects 'wipe ManagedDevice' events from Intune by multiple users, indicating a potential coordinated data wiping attack.
Detection queries are available on the platform. Get full rules →