
BSidesROC 2025 - Investigating a Malicious Script in Microsoft Intune - Dennis Labossiere

BSidesROC · 49:35 · 130 views · Published 2025-03
About this talk
The proliferation of cloud-based solutions has significantly transformed the landscape of enterprise security, with Microsoft Intune emerging as a pivotal tool for device and application management. This Digital Forensics and Incident Response (DFIR) case study delves into the forensic investigation of a malicious script within Microsoft Intune, highlighting procedural insights and analytical techniques. The incident, which occurred in 2023, involved unauthorized access to a client’s Azure tenant by Scattered Spider. This presentation discusses the forensic analysis conducted to recreate the attack and understand its impact. This presentation describes baseline configurations, forensic tools, and methodologies deployed to detect and analyze the attack. Key technical aspects discussed include leveraging the Graph API, tracking user actions, modification timestamps, and decoding PowerShell script contents with CyberChef.
Transcript [en]

I grew up on the west coast. Japanese. All right, hello again everyone, for the final time, for people who have heard me speak before. We are going to get started one more time. I have been told that the pronunciation is very French, so this is Dennis Labossiere, and he also doesn't have a bio that I'm going to read because he has his own bio stuff. [Applause] All right. Yeah, everyone can hear me, right? I don't like the way my voice sounds in these things, so I just want to make sure. Welcome. This is a DFIR case study: investigating a malicious script within Microsoft Intune. So first, before we get

into the who am I and why you should be here, let me talk to you about what I'm going to talk about. We're going to go over the agenda, we're going to baseline Intune, we're going to talk about some forensic analysis, I'm going to give you the tools that were used for this analysis, some of the research I used to build the lab, do the analysis and all that, then I'm going to give you a little summary. So first things first, who am I? I'm Dennis Labossiere, Labossiere, however you want to pronounce it, all good. I have about 10 years of digital forensics and incident response experience, all with KPMG. For those that understand,

or if it matters, I have a master's and a bachelor's degree, both from UA College a couple hours down the road, both in cybersecurity: digital forensics, cyber crime, cyber operations. I do have a couple of certifications, for those that it matters to: GCFE, GCFA, a SentinelOne Siren certification, and a few from MITRE ATT&CK Defender. What are my passions? Well, I love investigating ransomware incidents. I hate when they happen, but I do love investigating them. I love anything DFIR, but a big passion of mine over the last couple of years is one of the big buzzwords in the industry, which is threat hunting. I enjoy threat hunting a

whole hell of a lot. I love to be able to solve puzzles and find problems, and when puzzle pieces are missing some people would get really annoyed; I get really zoned in, I want to find that puzzle piece. And with that I like to do some detection engineering, or just building detection logic in queries, so that threat hunting doesn't necessarily have to happen anymore, but we can detect on it if it does happen. And then about me: who am I, why do you want to be here and why am I interesting? Well, I'm not, but I am a husband, a father of two little boys, a four-year-old and a seven-month-old.

I was a former collegiate baseball player at UA, so I'm very familiar with RIT's campus. I had to run around the campus because I played pitcher, so when I pitched I had to run around the campus, about three miles every time I was here, and I did four years at the school, so I was here a lot. And then I am a glamour camper, for anyone that doesn't understand what that means: yeah, I glamp. That means I have power, yeah, and toilets. I have electricity, so I can sleep at night with some AC and what have you, and my in-laws have a nice little mobile home on a creek

bed, so we can do some fishing right outside the door. I love that, and I do love to cook; my dad's a chef. WIIFM, what's in it for me? Why do I want you to be here, what are you going to learn? Well, I love this saying: we all have something to learn. That's something I learned early in my career; one of my mentors said it to me, and it's something I've been saying ever since then. We all have something to learn, and in this case we have something to understand. Some of you may not know what Microsoft Intune is, some of you may not know what DFIR is. In this case

we're going to talk through the processes and some of the artifacts that would exist from cloud to on-prem, so we can build new defensive measures. As a result we can get a new analytical technique; maybe we didn't know you could go to this specific registry key or have this event log log this information, or maybe you just understood or found a new data source as a result of this talk. Secondly, remember to use all available telemetry. If an attack happens in the cloud, like it did in this case, but it pivoted to on-prem, well, we have log sources in at least two different places: the endpoint that was affected on-prem, and the cloud. And

then I'm going to share a story from the trenches. This is a case study after all, so I'm going to talk to you about the real-world case that inspired this talk. And then, because I have a passion for detection engineering, maybe you will develop that passion as well and you'll build a new defensive technique or a detection query based on this information. Some caveats: I recreated this case in a test lab, so this was done at my own expense, on my own time. I built a test environment; it contained a single Windows 10 virtual machine, Microsoft Azure Entra ID connected, managed by Intune. So I had Intune and Entra, all free with the trial licenses,

and a VM. Great. When you come to talks you may hear an agenda, and someone told me they were ex-military, so those military folks will understand this: tell me what you're going to tell me, tell me, and then tell me what you told me. This is the "tell me what you're going to tell me." All right, I'm going to provide a brief background on a real-world intrusion that inspired this talk. We're going to baseline Microsoft Intune, because in order to find evil you have to know normal, and to have normal you have to have a baseline. I'm going to describe to you the methodology and the available telemetry and forensic information, so you can do

something similar in your network if it's Intune managed. I'm going to recreate the attack in a lab environment and we're going to walk through it. I'm going to list the tools, as I mentioned in the agenda, and then I'm going to provide the research. Great. Incident background: June 10th, 2023, approximately 12:33 in the morning, real early, right, UTC. KPMG responded to an incident at one of our clients where their Global Admin in Azure was SIM swapped. The attacker then removed Global Admin from every other user account in the environment except for the account that they now controlled, effectively locking the client out of their Azure environment. This is Scattered Spider, for those that don't know. They go by a

lot of other names: ler 3, Star Fraud, Octo Tempest, whatever you want to know them by. Scattered Spider is the CrowdStrike name; other ones have other nomenclatures. Regardless, they're known as Scattered Spider. On June 13th, three days later, it was uncovered that this attacker had modified an Intune script that existed in the client environment named Update Teams Firewall Rules. Great, sounds pretty normal. We can anticipate what that would do: that probably updated the local firewall rule to allow Microsoft Teams. That was created by the client and existed in the environment before. The way Intune works is you have a script, also known as a policy, and it runs an underlying script,

in this case PowerShell, and that PowerShell script was aptly named Update Teams Firewall Rules.ps1. That script was modified by the attacker, and what that did was it downloaded an EDR solution from another client that Scattered Spider had compromised, pushed that to a group of endpoints managed by Intune, and installed SentinelOne, all in one script. The problem with that is our client's EDR was CrowdStrike, so this is fairly easy to detect from a forensic response standpoint: hey, if you run CrowdStrike in your environment but SentinelOne's being installed on these endpoints, that gives us a pivot point. It also lets us know that there's telemetry available to us. So that's the attack

background. Next we're going to baseline Intune. We have to know normal to find evil, so the first thing you're going to want to do is get your user object IDs for all your users in your environment. This will come in handy later. In this case, in my test lab, my user principal name was dlabossiere at DL Intune Testing microsoft.com, and I have an object ID, GUID, whatever you want to call it, of that value that will come into play later. You don't have to memorize it; I will show it, I will point it out, but you'll want to know that for every user, particularly those that manage Intune. Okay, when you get Intune and you

start it up, there are no pre-existing scripts, so the only scripts that will exist are the ones that you have there. So if you don't have any and all of a sudden you have one, probably an attacker, or maybe someone went rogue, but you shouldn't have any if you don't have Intune. So the first thing that I had done was I created two scripts. I wanted to have a test-bed script: one created a folder named test on the desktop of user A, user one, whatever; the second script did the same thing but for user B. That was it, simply create a directory on this user's desktop, done. In Intune, that's the right side of the screen, some of it's cut off,

slides will be there later. On the right side of the screen you get information that is useful, these properties like the name of the Intune script, and that's not the underlying PowerShell script, it's just the Intune script; you get the credentials, if it's running as user or running as system; you get the underlying PowerShell script name; and the included or excluded groups, so who's receiving or who isn't receiving this policy, this script. The other thing you want to know is the script ID. There are two ways to get this: the Microsoft Graph API, or in the URL, and I've highlighted that here. That is also important, so you'll want to grab that.

Okay, if you're using the Graph API, you have to first get a bearer token, or authentication token. So you hit a POST to that API endpoint and you provide it three specific values: your Azure tenant ID, which is going to go in the URL; and then the application that is going to be hitting the Graph API needs a client ID, which is the application ID (I don't know why it's called client); and the client secret. Then you have successfully authenticated to the tenant with that application, to then get a bearer token, to use that application to hit the Graph API to do your calls.

So where do you get your Azure tenant ID? In the home of Azure you'll have your tenant ID in the overview pane. That is your tenant ID; I've redacted it. This lab doesn't exist anymore, so even if you were able to get this, this lab is dead, but that's the tenant ID. Then you have to have an application; you have to register that application, and once you do that you will have an application ID. That is the object ID in the API call. And then you have to have a client secret, which is passed along, so you can see here that I did create that. It is a little redacted, of course, but

that is your Azure registration application client secret, which is then used for the authentication request. So once you have all that and you make that POST request, you get your bearer token, obviously redacted for security purposes; it doesn't exist anymore. I think it lives for like two days, maybe 24 hours. Okay, so now you have a token. Now you can authenticate as that application to make calls to the Graph API to pull information. This is the only way you can get specific information about any Intune script and the underlying PowerShell script information. So what I mean by that is, yes, in the user interface you will see the properties that I showed before, but what

you cannot see is the contents of the PowerShell script. To get the contents of the PowerShell script you have to do these next two steps using the Graph API. So this first here is a GET to one of their beta API endpoints, deviceManagement/deviceManagementScripts, with your bearer token. Don't worry about seeing that; I'll blow it up here a little bit, but you probably still can't see it. What you're getting is description, created time, last modification time, the PowerShell script name, the scope, right, and a bunch of information that you really want to know to track something down. So how does that tie back to Intune? Well, as I mentioned, they do, right,

so you have an ID, the script ID; you have a display name, the property name; you have the underlying PowerShell script; it all matches. Microsoft being Microsoft, the API is in UTC, Azure is in EST or browser time, so that happens. All right, now that we understand what our Intune environment looks like from a baseline perspective, I want to understand what the contents of the PowerShell scripts look like as well. Well, to the same API endpoint, then tacking on that script ID value, you can get the contents of that script. The catch is it's Base64 encoded; the lovely part about that is it's really easy to decode. So here I'm showing the display name of the property, the script content,

and you can see it's Base64 encoded. Again I have creation time, all the lovely timestamps that we love, and using CyberChef, From Base64, give me the value, and as I mentioned, a very benign script: New-Item, path someone's desktop, name test, it's a directory. Super simple, very benign, very easy to understand. So what does that look like on the endpoint? Exactly that: it is a directory named test on the user's desktop, and I'm showing that here for both. We have it in Windows Explorer and then we have it in the UI Explorer itself, and then below, a preview of some things to come: there are

some logs that Microsoft gives us in plain text that track this information, which is so lovely, and in that we not only have that the push of the policy from Intune to the endpoint completed, we get date and timestamps, and in this case we actually get the returned information to standard out in clear text in the log as well. So let's dive into why I'm really here, my passion, the forensic analysis. So let me just recap again real quick: in order to find evil you have to know normal. We had to baseline our environment. I had no scripts there previously; I created two scripts to kind of emulate an environment that doesn't have nothing. They do absolutely nothing

except create a directory on the user's desktop. So what happens if an attacker were to modify a script? Well, if a script is modified, the last modification date will be updated to the time that the modification occurred, but the script ID stays the same. I thought that was a little interesting, but I understand why it stays the same. I was kind of wondering, like, oh, if I update the script, is the script ID different? It should change. Well, really what you're modifying is the underlying PowerShell; if you modify the properties of the script it still doesn't change the script ID. But you can see here that the script was modified: it was created

on the 9th of February, it was modified on the 11th, so two days had passed in my environment. Hacker came in, modified the script. All right, well, let's go back through the API and let's pull this information. I want the properties of the script, I want the content: what did the attacker change? So you can see here the original script; the script content is one line, maybe 60 characters or so of Base64. The modified script is a lot bigger, so now the script should be doing more; there are more characters here, it's a bigger script. Well, that's strange, it got modified. Again, Base64, very easy to decode: drop it in CyberChef, From Base64 recipe,

boom. Can anyone see what's happening here? For those in the back that can't: the attacker, in this case me, is setting a URL variable to download.anydesk.com, then setting an output file equal to the path I want it saved at, a.exe. Very common for attackers to name their binaries very, very small, and in this case they probably want to obfuscate that it's an RMM tool, a remote management and monitoring tool, in this case AnyDesk. And then I am running that process and installing AnyDesk on the computer, all remotely from Intune with the PowerShell script. And as you would have expected, just like the other PowerShell script that ran to create the test

directory, magic, it worked. AnyDesk is now running on the system, and that means that it all pushed down. Now the snippet below here is from a second log source, and this one records the content of the PowerShell script in clear text. What you also see here that I've highlighted nicely for everyone is this thing known as the Intune policy hash. That may not be the official name; it's kind of what I've dubbed it, but it's the policy hash. That'll come into play in a little bit. So with forensic evidence, if we think about this from a DFIR perspective: attacker got into the cloud, they did some shenanigans in the cloud, they pivoted to on-prem through

the use of the cloud, because the on-prem system was hybrid joined to the cloud, managed by Intune, and then they did something on-prem, on the endpoint: they created a file, they executed a binary and they made web requests. Well, that actually gives us a lot to think about and a lot of forensic evidence to look for. One of the first places that I'm going to look is the journal, just what I like to do; probably not the best thing to look at first, but in this talk we're going to look at it first and I'll tell you why. So, the journal. The reason why I'm showing the journal first is when a push from

Intune down to the endpoint of that policy occurs and then a script runs, there are four files that get created but then very quickly deleted, and the journal is the only thing that catches it. And this is all related to, and normal, Microsoft Intune management behavior. So these four files are up here; you're not going to read the names real quick, but Program Files (x86)\Microsoft Intune Management Extension\, blah blah blah blah, PowerShell, so it's .ps1, timeout, error and output. Those are the four files: .ps1, timeout, error, output. They get created and deleted, they get created and deleted in less than two and a half seconds or three seconds, but knowing that they exist

tells you that a push down from Intune occurred. So if you didn't have Intune to look at, you have an idea of a time frame of when the script at least was pushed to the endpoint, and then your other forensic artifacts will give you and fill in the blanks for some of the other times. In this case, the MFT. The MFT, unlike the journal, won't show you the file creation or deletion of these four files, but what it will tell you is the file size of the files that are the result of the script, in this case a.exe. We know that AnyDesk was run: it got downloaded, it got created and it got installed. So we have the result of a.exe

being created, and then we have the result of AnyDesk being installed and its default files being created on the system. We also have file size, so one thing we can do with that: you can download AnyDesk yourself and compare file sizes. Is this legitimately AnyDesk, or is it some modified version, or did they compromise AnyDesk's CDN and maybe host their own malware, you know, supply chain attack, right? Okay, that's file creation events. There were other things, right, like PowerShell. Well, PowerShell gets logged in the Windows event logs in two places; there are two PowerShell logs that are of use. Me being very quick to want to recreate this and

actually sit down and plan this very well, I didn't turn on logging, like verbose logging, for PowerShell, so I don't have 4104 event IDs in the main log. I know, I'm sad too. Someone else can pick this up and do it. I know, maybe one person. But what you do get is evidence of execution time in the event logs, with the 600 and 400; you kind of know when it started, when it ended. They're not exact timestamps, they're approximate timestamps, but you know that PowerShell ran. This is a way to tell you, and you know it's specifically Intune, because PowerShell is running, and of course, Microsoft

execution policy bypass, and this is allowed because it's coming from Intune, so it's trusted; Program Files, that says Microsoft Intune Management, so this is definitely coming from Intune. All right, so we know that that ran. All right, what else did we talk about? We talked about this Intune policy hash that we found in the log. Well, where the heck do you find that? How about another great Microsoft artifact, the registry. The registry will actually record this in HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Policies, and then I've highlighted two boxes here, one in red and one in black. Do any of these things look familiar to anybody? What are they? It's the user ID first and then the

script ID second. So if you have two scripts, would you expect two registry entries? Yeah, you would, right? Huh? No, no, no, no, no, no, no, my friend Jessica, we will show the second one. No, no, no, no, we will show the second one. So yeah, the big point here is the registry value name actually is PolicyHash, but you also get some of the other information you got from the Intune properties, right: run-as account, target type, last updated. And then the other thing you'll notice is there's some clear text embedded going on again; that looks like the returned-to-standard-output information we got. So two artifact sources telling you the

same thing. Barks like a cat... I'm sorry, what kind of cats you got? I don't got cats. Barks like a dog, why does it... tail like a dog, it looks like a dog, it's probably a dog. Here's two things telling you the same thing. We can cut that part out. [Laughter] Right, hey, we're not perfect. All right, so here we're looking at a modified Intune script. So what we're seeing here is now that kind of clear text standard output doesn't get returned, but that makes sense if you think about the PowerShell script that ran the second time: there was no standard output to return, it was a couple of

variables and then download that file and run it. It's going to close the command prompt once that's done; there's no standard output returned, so you don't get that down here. But everything else kind of stays the same: last updated, policy hash, target type, run-as account. In this case this is a different script, this is a different script than the original one, right, so the other one was f5a, this one is ab8. All right, so we're almost through the forensics part, for anyone who might be falling asleep. Okay, but we talked about now MFT, journal, PowerShell event log, registry. What's left? How about the Intune logs themselves. The Intune logs themselves: well, we have three places to look at for

Intune logs, and here you are, clear paths, right: Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts, and then the other one is Policies\Results. So the Scripts folder contains the PowerShell script file, one of the four files created that you saw in the journal, but it gets quickly deleted; that's where it gets stored, so it'll run from there. The other three files get stored in Results and they also get quickly deleted. So those two paths won't really tell you anything, but those are where the files are created, so they're of use. The last place, and everything good happens in ProgramData, but the path changes, because Microsoft: ProgramData\Microsoft, now it's \Intune

ManagementExtension, one word, no spaces. What happens? Logs. We love logs, we want to look at logs, we love logs, we have a song about logs, we love logs. In this case you get two logs: you get AgentExecutor and you get IntuneManagementExtension. So AgentExecutor, to me, sounds like the Intune agent executing the policy from Intune, and IntuneManagementExtension sounds to me like here's the details about the execution. I don't know that for sure, I'm just going by name, and that to me makes sense. And then I put here that it's unclear which log file kind of records what. I've done more testing since I had written this presentation

originally, and I wanted to keep it because I'm not 100% certain, but to me, as I mentioned earlier, AgentExecutor seems to record the standard out if there is any; if there isn't, the whole content of the script gets put into IntuneManagementExtension.log. So I haven't done a whole lot of testing with it; again, I kind of just built this lab environment to recreate the attack that I thought was really interesting, because I'm always interested by: you got in the cloud first and then you got to on-prem, but how? Well, now that we know how, I wanted to recreate it, and I haven't gone further, so if anyone wants to go a step

further, please, by all means, help the community. So let's look at these logs. Am I doing okay on time? Okay. Let's look at these logs. So AgentExecutor.log: this is a snippet, this isn't the full log, this is a snippet of the log file, and what we can see here again is the command line of the actual PowerShell script running, the PowerShell script, right, Intune's PowerShell script running it. So we have PowerShell running with no profile, execution policy bypass, the file itself, and then it's referring to the user ID GUID, the script ID GUID, .ps1, and then we get the output, right, but we also get time. So this is a very

verbose log; there's a lot of information in here, a lot of timestamps, and a lot of information to dig into. I haven't come across, like, a parser for these. I wish I was a programmer and a coder to do that; if anyone wants to, please go ahead. They're just log files, like, they're not crazy, crazy, but that's not my skill set, I'm sorry, I wish, but please. Then IntuneManagementExtension: you kind of get the same information here, but in this one you'll see the four files that we saw in the journal are recorded here, and then we also get the fact that, besides the timestamps, we also get that the user

profile was loaded. It gives you a username, you get that the environment block was created, it launched PowerShell, and then down below you get a snippet of some JSON. And again, Microsoft just loves to change the names of things in different places, so policy ID is actually the script ID, policy hash is the policy hash, but you also get the full embedded policy body. It's the actual decoded contents of the script; that's not Base64 encoded, because it ran on the system and Microsoft has to do that to run it. Thanks for that, Microsoft, that was a good thing. Okay, that's the endpoint. Those are the

forensic artifacts that I found interesting and useful to the investigation. There may be more, certainly UserAssist, but mostly that's just going to tell you what you already know: PowerShell ran, and it ran by a user, and it ran at this time. So absolutely, I'm not saying ignore it, I'm just saying, for the sake of this, I was kind of trying to point out the artifacts that will at least point you to the whole embodiment of: something from Intune ran, and then potentially what it was, and how you get it in two places, endpoint and cloud. So, leveraging all available telemetry, let's go back to the cloud. There are some interesting things to know there: Azure logging. So as I mentioned

earlier, the Graph API had to be a registered application in Microsoft. That means service principal; there are service principal sign-in logs. Now that may not be useful, because an attacker may not actually be logging in as an application or doing a function as an application, and they didn't in this case, but I included this anyway, because here I was using my app to run the Graph API and I saw these sign-ins and I thought it was interesting, because I'm going back and, you know, hey, I'm testing, I'm running something, what does that look like? But I know attackers register applications, especially in the BEC side of things, and they perform actions as that service principal or that

application, so you should be checking for these things. Again, it may not be applicable to this investigation particularly or specifically, but it's still of interest; again, know normal, find evil. So here, the Azure detailed sign-in: you can see I'm highlighting the things that map back to one another. So service principal ID in this case is the actual object ID of the enterprise application, because again Microsoft can't keep them consistent between two things; the credential key ID is the secret ID from the registered application; the resource service principal ID is Graph API; and they're color coded. So how does that compare to if you actually pull that down, like JSON from the API? Well, you get all the same

information, just in JSON form, and I was kind enough to kind of map those back to one another, so the color coding of red matches to the red on the side, purple, blue, all of those fun little colors map back to one another. So whether you pull it from the Azure UI, in the audit log or sign-in logs, or you pull it from the Graph API, you'll get the same information. Timestamps, beware. Okay, so you know what happened when I said what happens when you modify a script? So if user A modifies a script by user A, it probably doesn't change much but the timestamp. But what happens if user B modifies a script by user A?

Nothing. It doesn't actually change anything; the modification time will change. But one interesting note is, and we'll get to it, but basically I did this: I set up another user, I modified a script that my original user had created. The modification time did change, but the Graph API didn't really note anything different. Again, the script ID didn't change, the modification time did, but it didn't tell me who did the change, and also the object ID didn't change. So that tells me that when you set up an Intune policy, property, script, whatever you want to call it (they use script twice and it just annoys me a little bit), but when you set

up an Intune policy to do a thing and that's done by user A, it's tied to user A's identity. Even if user B were to modify it, it's still tied to user A, which gives us some interesting things forensically. So here's the script modified by user B. We can see that the script ID doesn't change, the display name didn't change, the contents did change, because user B now modified this script, so the modification changed, but nothing else really changed, right? There are still the same properties of run-as account. In this case the file name of the PowerShell script changed, so it's noted here, but it didn't really change anything else. And again we can Base64

it, so all I'm doing is, in Intune, getting the child... getting properties of a.exe. Very simple: just what is a.exe. Intune, right, different from Azure: Intune has an audit log, and this was new to me, and this was like after I had built this presentation, like three months later, I was like, hold on, wait, Intune has an audit log, I wonder what that has in it. So I have the Intune audit log, and as I mentioned, you will know in Intune, in the audit log, that a script was modified and who modified the script. That Intune audit log actually captured that information. So patchDeviceManagementScript is Microsoft's nomenclature for modification of a

script um the UPN or user principal name is the user who performed the action the object ID is the script ID of the modified script so again if you pull this with the API um the Json code is the same as what's in the UI um just in Json okay well as I mentioned if user a is modifying or sorry user B is modifying a script that user a created and runs that script what does that look like on the endpoint well it doesn't really change anything again the user I ID the user object GD and the script ID are still tied to the original user so you really have to go back to the InTune

audit log to say hey user B modified this then pushed it down even though on the endpoint it's going to look like user a ran it and one of the biggest problems s we have in forensics and those with experience know is tying someone behind the keyboard to an action and in this case if you took it at face value you would think that user a did this action but that's not necessarily true and we know that maybe user B didn't really do the action but the person controlling the identity of user B perform the action um so that's really important and that again goes back to leveraging all Telemetry you can't just rely on one thing to tell you it

happened you need multiple sources and that's how you get to a fact right or close to it in our world the scientific method would come into play so hey I see this is running as user a with or user A's ID and it's this script but what is that script and who modified it if anything go back to InTune you can't find that on the end point okay as I promised what tools did I use to get to the information and forensic artifacts and the analysis and the conclusions that I reach in this case um I used uh kpmg's proprietary forensic triage tool known as kdr KPMG digital responder um that was the screenshots from like the

journal and the mft those were from some of our automated reports um the local copy of cyberchef at the time was 1052 I want to say they're around like 109 or something now um this was definitely an older copy I used uh Zimmerman's registry Explorer for those that are familiar with it um I don't think he's updated that version I think it's always been 160 um and then new to me as I mentioned I'm not a great programmer or coder but new to me um is kind of Powershell coding um and on the screen here you'll know that um I have my GitHub here Shameless little personal plug um on that GitHub link I uploaded a tool last night

publicly it was private for a while but it's now public uh thank you um yeah I'll get there I'm just spitting through the words um that Powershell script is to help you pull the information from into an audit so it's an automated Powershell script to download the InTune audit log in the Json format that you're seeing so all that Json code you were seeing earlier is from myscript um is it the best definitely not will it get you information yeah um that's all you need yeah exactly uh and then and as far as the resources um that I had used to uh to to make this presentation obviously Azure portal I had to set up a tenant I had to add some

users I had to enable InTune and all the licenses that come with that uh obviously used InTune and then I use the graph API and because I believe in giving back to the community one of the reasons why we do these presentations and we we open source things um is I had done a lot of research to try to figure out API calls again not my specialty but something that I dove into because I was really curious so here are the API endpoints and to get you the information that I got to in my presentation maybe there's some more efficiency of querying these endpoints to get that information um but I'm providing them none the less

if you wanted to use the API and do this programmatically rather than in the UI.

Now, the research. Obviously I didn't do this alone; it took a team, right. I didn't do this whole investigation alone; with KPMG we were probably 10 or 15 people on that whole project at the time, all with different roles. If I didn't say it before, the company did end up being ransomed as a result of this initial access through Azure: SIM swap, through to on-prem, got an admin account on-prem, ESXi, ransom, all that fun stuff. So we had a bunch of people doing a number of different tasks, analysis, recovery, all of that. But what it came down to was, okay, first off, what is Intune, what does it contain? Secondly, what logging exists in Intune, if any? Where do the logs exist, in Intune, in Azure, on a machine? And some things about the API itself, like how do I query this in the API? If I go back here, like this middle query here for the beta audit log with the service principal and the percent sign 27 (%27), I definitely didn't know that or come up with that; I found that on Stack Overflow, so thank you to the person who posted that there, and I definitely gave them credit, they're number six. But all of these articles, blogs, researchers, etc. kind of paved the way and set the groundwork for where I ended up going. Thank you to Scattered Spider for doing this, to allow me to recreate this attack. You seem mad that I thanked them, but they allowed this, so I have to say, you know, a little juicy nugget here and there that I hadn't seen before from them, because they evolve all the time. Nonetheless, that was the research that paved the groundwork for where I went with it.

I hope someone else picks this up. I think there are definitely extra things to talk about, like what does the EDR catch with this, what does logging to Sentinel or any other SIEM understand, and how is that parsed, because there are Intune integrations to Microsoft Sentinel, their SIEM, but what does that telemetry look like, and are you able to build detections further in the SIEM and/or EDR? If this were to happen, would it detect a modification? Can you detect a modification, maybe malicious, maybe not, but are you alerting on that? Are you even aware that scripts are being modified all the time in Intune? I'm sure they may be, especially if you're pushing packages or applications out that have different versions, but are you checking that that's done by a person who should be doing that, and that the content of that PowerShell script is accurate and it's meant to do what it wants to do, and not something like downloading a different EDR?

So, tell me what you're going to tell me, then tell me, then tell me what you told me. I provided a brief background on the incident that inspired this talk. I detailed how to baseline Intune in an environment using different information, including the Graph API, and how to decode Base64-encoded PowerShell scripts and what that looks like. We analyzed a Windows endpoint, in this case a Windows 10 endpoint; we looked at the journal, we looked at the MFT, PowerShell event logs, we looked at the registry, we looked at the Intune application logs, the Intune logs themselves. I provided the tools that I had used for this and the research that I had used to assist with this presentation. So I think I hit all the objectives that I said I was going to hit; if I didn't, please let me know. And it looks like we're good on time, so I will skip to the question part in a second, just to hit the thank-yous to everyone that helped me with this: KPMG, obviously, for allowing me to do this and having the investigation themselves; my wife and family; all my friends and mentors; and you all for sitting here and listening to me speak. And just a little bit about who I am, some of my contact information, and the company, because they did allow me to come here and allowed this presentation; that's why it's branded.

Question time. I will pass the mic because I have this one. So, any questions? Thank you. Yes, sir.

If all I have is a good computer and a very small budget, is there any chance I can recreate this lab?

I did this for free. Really? Okay, I was expecting license costs. No, you get a trial for 30 days. Okay, for Azure you have to put a credit card in, so there's that. I think I got to that point in the past, and then you get like $200 in credits, but I didn't have a VM in Azure; I used my own VM on VMware. And like I said, I used the trial license for Azure AD and I used the trial license for Intune. It cost me nothing. After 28 days I literally destroyed everything, cancelled the subscription, removed my credit card information. Cost me nothing. So you can absolutely do this, and one of the reasons why I did it was because I could do it for free. I would have spent money, but I did it for free.

Are your slides somewhere?

They will be on my GitHub after I redact all the screenshots and embed them as pictures so people can't re-download them and then change the redactions. Even though none of it exists anymore, so all the GUIDs and all that don't matter, but just for safety's sake: if I'm going to preach it, I'm going to practice it. So yes, they will be on my GitHub. Someone have a question? Sure, over here, next to the gentleman.

So if I were to attempt to recover any of those deleted files from the Intune script, one, do you know if, through Intune, they come with a Mark of the Web alternate data stream, and two, if anything useful would be in that URI, like any UIDs or any of that information?

When you say the files, are you referring to those four: PS1, timeout, error and output? I honestly don't think they're going to be of value, to be honest with you. They sound more like debugging, right. The PS1 file is probably going to be the contents that you can get from the Graph API anyway, because it's running on the endpoint; it has to know what to run, so it's just pushing it down to the endpoint and running it. And the error, timeout and output, to me, sound like debugging value. So if it errored out, I would kind of expect that file to stay, but because there was no error there's no necessary output; I'm not asking it to necessarily perform an action, and there's no timeout because it ran and ran successfully, and there was no error, it ran successfully. So could you grab those files? Yeah, probably, if you were quick enough, but I mean it runs fairly quickly, in like 3 seconds, so you have that much time. Maybe if you snapshot the VM, but you've got to be quick. As far as network traffic to your endpoint from Azure, it's probably all coming from Microsoft services; you're not going to get anything unique there. And your user ID is tied in the file name, right, and then you know that from the journal, so you know the user, the user that was controlled to run it or who created the script, and then you know the script itself, so again you can pull all that from the Graph API. All right, thank you. Yes, sir. Any other questions? There are definitely no dumb questions, by the way.

This is more of a comment, because we love logs. There is a log source in Microsoft tenants called Graph activity where you can pull down all of the Graph API calls.

It's a real pain in the butt to get to; you can't just access it through an API call, but you are able to see failures and reads and stuff that you wouldn't normally get in the Intune logs, or in the Entra sign-in activity, or the unified audit logs out of 365. So if you're looking to baseline your tenant and know what normal is, that's like a super, super, super valuable resource for normal Graph API calls.

Yeah, that makes sense: what's interacting with each other, who's using the Graph API. Absolutely, yeah, you definitely would want to know that; I can see that being valuable. Anything else, any other questions? Come on, don't be shy; I obviously love to talk. Gentleman in the back, these three now, these four now.

If the organization that was compromised here, they were using CrowdStrike, so were they just not monitoring when the agent faulted?

The agent didn't fault. But it got replaced, right? No, it didn't. The attacker downloaded a separate EDR solution. It didn't replace the EDR, it didn't knock it off; it just downloaded a separate EDR, and then the attackers used that EDR as a back door to bring in more back doors, which then gave them a larger foothold and whatnot. But CrowdStrike definitely did not get knocked off, didn't get bypassed. It never would have detected that; it's a normal application and it came from Microsoft, right? I mean, the Intune script pulled down and then downloaded another application; there's no way for it to detect that. Just as a comment on this attacker too: they live off the land, so they're sysadmins essentially, they're not really using malware, so using an EDR as malware is par for the course. Yeah, and that was compromised from another client, right? So client A was the one we responded to; client B, somewhere in the stratosphere, compromised, they used their EDR agent to push into client A in their environment, and then leveraged that client to remote shell in and bring their tools in, and then once they had their back door they didn't need them anymore, they were good. Any other questions? Nothing's off limits. You want to ask me about glamping? I'll gladly tell you, I love glamping. Obviously I do too, I'm boasting about it. When are you getting a pet? Never, never. We heard the Freudian slip on the cats first, dogs. I don't even know where that came from, because I've watched this one with the memes of the