Name:Microsoft Intune Mobile Apps id:98e6b389-2806-4426-a580-8a92cb0d9710 version:1 date:2025-01-07 author:Dean Luxton status:experimental type:Hunting Description:Microsoft Intune supports deploying packaged applications to support software deployment, this functionality can also be abused for deploying malicious payloads to intune managed devices. This detection identifies when a new packaged application has been added, updated or deleted. Data_source:
search:`azure_monitor_activity` operationName="*MobileApp*" | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin | rex field="operationName" "^(?P<action>\w+)\s" | replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId | `microsoft_intune_mobile_apps_filter`
how_to_implement:The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly. known_false_positives:Legitimate adminstrative usage of this functionality will trigger this detection. References: -https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d -https://securityintelligence.com/x-force/detecting-intune-lateral-movement/ -https://posts.specterops.io/maestro-9ed71d38d546 drilldown_searches:
: tags: analytic_story: - 'Azure Active Directory Account Takeover' asset_type:Azure Tenant confidence:40 impact:100 message:Intune packed application $TargetDisplayName$ $TargetObjectId$ was $action$ by user $user$ mitre_attack_id: - 'T1072' - 'T1021.007' - 'T1202' - 'T1105' observable: name:'user' type:'User' - role: - 'Attacker' name:'TargetObjectId' type:'Other' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'operationName' - 'identity' - 'properties.TargetObjectIds{}' risk_score:40 security_domain:audit
