AZT303 - Managed Device Scripting
Adversaries may abuse access to managed devices in Azure AD by executing PowerShell or Python scripts on them.
Resource
Azure Active Directory Intune
Actions
- microsoft.directory/devices/basic/update
Detections
Logs
| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Intune | Write Run.csx | Microsoft.Web/sites/hostruntime/vfs/run.csx/write | Tenant Admin Audit Logs |
| Intune | Update Web Apps Functions | Microsoft.Web/sites/functions/write | Tenant Admin Audit Logs |
| Intune | Update website | Microsoft.Web/sites/write | Tenant Admin Audit Logs |