AZT303 - Managed Device Scripting

Adversaries may abuse access to any managed devices in Azure AD by executing PowerShell or Python scripts on them.

Resource

Azure Active Directory Intune

Actions

  • microsoft.directory/devices/basic/update

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| InTune | Write Run.csx | Microsoft.Web/sites/hostruntime/vfs/run.csx/write | Tenant Admin Audit Logs |
| InTune | Update Web Apps Functions | Microsoft.Web/sites/functions/write | Tenant Admin Audit Logs |
| InTune | Update website | Microsoft.Web/sites/write | Tenant Admin Audit Logs |