AZT303 - Managed Device Scripting

Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.

Resource

Azure Active Directory Intune

Actions

• microsoft.directory/devices/basic/update

Examples

Microsoft Azure Graph APIAzure Portal

POST https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts

Detections

Logs

Data Source	Operation Name	Action	Log Provider
Intune			IntuneAuditLogs
Intune			IntuneAuditLogs
Intune			IntuneAuditLogs

Additional Resources

• https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
• https://docs.microsoft.com/en-us/graph/api/resources/intune-graph-overview?view=graph-rest-beta