Maestro: Abusing Intune for Lateral Movement Over C2
If I have a command and control (C2) agent on an Intune admin’s workstation, I should just be able to use their privileges to execute a script or application on an Intune-enrolled device, right?
Not so fast.
I Wanna Go Fast!
- Take me to the GitHub repo!
- Take me to the attack path walkthrough!
- Take me to the defensive guidance!
The Problem
We often find ourselves operating in the context of a cloud administrator when following attack paths to objectives that require privileged access to Azure-hosted services. We want to use that administrator’s Entra ID privileges to execute actions in Azure, for example running arbitrary code on remote Intune-enrolled devices (the “Death from Above” attack path detailed by Andy Robbins), but from a C2 agent we have several hurdles to overcome first:
- We don’t have the user’s cleartext password
- Conditional access policies (CAPs) require multi-factor authentication (MFA) for access to the Intune Portal and/or a compliant, hybrid-joined device on a trusted network
- We need to maintain stealth
- We don’t have the knowledge, time, or patience to manipulate tokens and navigate the Azure portal or multiple tools
Let’s look at these problems one at a time and discuss the options available to us.
No Cleartext Credentials / MFA Required
No password? No problem. We already asked the admin nicely for their creds and they didn’t bite, and their password hygiene on the host is solid. But if the device has an identity in Entra ID, we can dump primary refresh token (PRT) cookies from the machine with tools like Lee Chagolla-Christensen’s RequestAADRefreshToken, Dirk-
[…]