Name:Microsoft Intune Device Health Scripts id:6fe42e07-15b1-4caa-b547-7885666cb1bd version:1 date:2025-01-06 author:Dean Luxton status:production type:Hunting Description:Microsoft Intune device remediation scripts are a tool administrators can use to remotely manage devices, this functionality can also be abused for SYSTEM level code execution and lateral movement to intune managed devices. This detection identifies when a new device health script has been added, updated or deleted. Data_source:
search:`azure_monitor_activity` operationName="*DeviceHealthScript*" | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin | rex field="operationName" "^(?P<action>\w+?)DeviceHealthScript" | replace "patch" with "updated", "create" with "created", "delete", with "deleted", "assign", with "assigned" IN action | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId | `microsoft_intune_device_health_scripts_filter`
how_to_implement:The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly. known_false_positives:Legitimate adminstrative usage of this functionality will trigger this detection. References: -https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d -https://securityintelligence.com/x-force/detecting-intune-lateral-movement/ -https://posts.specterops.io/maestro-9ed71d38d546 drilldown_searches:
: tags: analytic_story: - 'Azure Active Directory Account Takeover' asset_type:Azure Tenant confidence:40 impact:100 message:Intune device health script $TargetObjectId$ was $action$ by user $user$ mitre_attack_id: - 'T1072' - 'T1021.007' - 'T1202' - 'T1105' observable: name:'user' type:'User' - role: - 'Victim' name:'TargetObjectId' type:'Other' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'operationName' - 'identity' - 'properties.TargetObjectIds{}' risk_score:40 security_domain:audit
