Detection: Microsoft Intune DeviceManagementConfigurationPolicies

Updated Date: 2025-01-07 ID: 3c49e5ed-625c-408c-a2c7-8e2b524efb2c Author: Dean Luxton Type: Hunting Product: Splunk Enterprise Security

Description

Microsoft Intune device management configuration policies are a tool administrators can use to remotely manage policies and settings on intune managed devices. This functionality can also be abused to disable defences & evade detection. This detection identifies when a new device management configuration policy has been created.

Search

1`azure_monitor_activity` operationName="* DeviceManagementConfigurationPolicy*" 
2| rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin 
3| eval details=mvzip('properties.Targets{}.ModifiedProperties{}.Name','properties.Targets{}.ModifiedProperties{}.New',": ") 
4| rex field="operationName" "^(?P<action>\w+)\s" 
5| replace "Patch" with "updated", "Create" with "created", "Delete", with "deleted", "assign", with "assigned" IN action 
6| eval action=if(match(operationName ,"Assignment$"),"assigned",'action') 
7| table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId details status tenantId correlationId 
8| `microsoft_intune_devicemanagementconfigurationpolicies_filter`

Data Source

Name	Platform	Sourcetype	Source
Azure Monitor Activity	Azure	`'azure:monitor:activity'`	`'Azure AD'`

Macros Used

Name	Value
azure_monitor_activity	`sourcetype=azure:monitor:activity`
microsoft_intune_devicemanagementconfigurationpolicies_filter	`search *`

microsoft_intune_devicemanagementconfigurationpolicies_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1072	Software Deployment Tools	Execution
T1484	Domain or Tenant Policy Modification	Lateral Movement
T1021.007	Cloud Services	Defense Evasion
T1562.001	Disable or Modify Tools	Privilege Escalation
T1562.004	Disable or Modify System Firewall	Lateral Movement

Exploitation

Installation

DE.AE

CIS 10

APT32

Sandworm Team

Silence

Threat Group-1314

APT29

Scattered Spider

Agrius

Aquatic Panda

BRONZE BUTLER

Ember Bear

FIN6

Gamaredon Group

Gorgon Group

INC Ransom

Indrik Spider

Kimsuky

Lazarus Group

Magic Hound

MuddyWater

Play

Putter Panda

Rocke

Saint Bear

TA2541

TA505

TeamTNT

Turla

Wizard Spider

APT38

Carbanak

Dragonfly

Kimsuky

Lazarus Group

Magic Hound

Moses Staff

Rocke

TeamTNT

ToddyCat

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	False

This configuration file applies to all detections of type hunting.

Implementation

The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub. Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly.

Known False Positives

Legitimate adminstrative usage of this functionality will trigger this detection.

Associated Analytic Story

Azure Active Directory Account Takeover

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`Azure AD`	`azure:monitor:activity`
Integration	✅ Passing	Dataset	`Azure AD`	`azure:monitor:activity`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1