{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/intune/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Intune"],"_cs_severities":["high"],"_cs_tags":["azure","intune","device_management","policy","defense_evasion"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft Intune device management configuration policies provide administrators with the ability to remotely manage settings on Intune-managed devices. However, attackers can misuse this capability to disable security defenses and evade detection mechanisms. The creation or modification of device management configuration policies should be monitored closely for signs of malicious activity. This includes policies that weaken security configurations, such as disabling endpoint detection and response (EDR) or modifying firewall rules. Such actions can lead to successful lateral movement from Azure to on-premise Active Directory, as well as disabling logging/auditing capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure tenant, potentially through compromised credentials or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal and elevates privileges to gain sufficient permissions to manage Intune.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new Device Management Configuration Policy within Intune.\u003c/li\u003e\n\u003cli\u003eThe malicious policy targets specific devices or groups of devices managed by Intune.\u003c/li\u003e\n\u003cli\u003eThe policy modifies security settings, such as disabling Windows Defender, turning off firewall rules, or disabling security auditing.\u003c/li\u003e\n\u003cli\u003eThe targeted devices receive the policy update and apply the changes, weakening their security posture.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised devices for lateral movement within the network, potentially targeting on-premise Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or long-term persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to widespread compromise of Intune-managed devices, weakening their security posture and enabling further malicious activities. Attackers could disable critical security controls, allowing them to move laterally within the network, compromise sensitive data, and potentially impact on-premises Active Directory environments. 
The references indicate this technique has been observed in attacks involving lateral movement from Azure to on-prem AD.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Azure Monitor Activity logging for Intune and ingest logs into your SIEM (reference: data_source).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Intune Device Configuration Policy Creation\u003c/code\u003e to detect the creation of new device management configuration policies. Tune the rule based on baselining to reduce false positives (reference: rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any new device management configuration policies, particularly those that disable security features or modify critical system settings (reference: rules).\u003c/li\u003e\n\u003cli\u003eMonitor for lateral movement attempts originating from Intune-managed devices, especially after new policies have been deployed (reference: references).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts, especially those with administrative privileges, to prevent initial access (general security best practice).\u003c/li\u003e\n\u003cli\u003eReview Intune role-based access control (RBAC) to ensure least privilege and prevent unauthorized policy modifications (general security best practice).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-intune-config-policy/","summary":"Attackers can abuse Microsoft Intune device management configuration policies, typically used for legitimate remote device management, to disable defenses and evade detection on managed devices.","title":"Malicious Use of Microsoft Intune Device Management Configuration Policies","url":"https://feed.craftedsignal.io/briefs/2024-01-intune-config-policy/"}],"language":"en","title":"CraftedSignal Threat Feed — Intune","version":"https://jsonfeed.org/version/1.1"}