Use Defender XDR advanced hunting query capabilities to detect possible device compliance bypass attacks for Entra ID Conditional Access according to the vulnerability disclosed by Yuya Chudo (https://www.blackhat.com/eu-24/briefings/schedule/#unveiling-the-power-of-intune-leveraging-intune-for-breaking-into-your-cloud-and-on-premise-42176)
AADSignInEventsBeta
| where
// Sign-in is successful
ErrorCode == 0
// Sign-in comes from an unidentified device
and isempty(AadDeviceId)
// Sign-in is initiated by the Intune Company Portal client id
and ApplicationId == "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223"
// Sign-in targets Windows Azure Active Directory (AAD Graph), the resource used in the AAD Graph downgrade attack described by Yuya Chudo
and ResourceId == "00000002-0000-0000-c000-000000000000"
| mv-apply todynamic(ConditionalAccessPolicies) on (
// Sign-in does not satisfy a Conditional Access policy, which requires the device to be marked as compliant
// (but the sign-in is still successful in the end due to the vulnerability...)
where ConditionalAccessPolicies.result == "failure"
and ConditionalAccessPolicies.enforcedGrantControls has "RequireCompliantDevice"
)
| sort by Timestamp desc
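To make the filter logic of the query above concrete outside Defender XDR, here is an added Python re-implementation of the same conditions run over a few constructed sign-in records. This is not part of the gist and not Microsoft's schema documentation: the record shape (ErrorCode, AadDeviceId, ApplicationId, ResourceId, a JSON string in ConditionalAccessPolicies with `result` and `enforcedGrantControls` per policy, plus Timestamp and AccountUpn) is assumed from the column names the query references, and the sample events, UPNs and timestamps are invented for the demonstration.

```python
import json

# Identifiers taken from the hunting query on this page.
COMPANY_PORTAL_APP_ID = "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223"   # Intune Company Portal
AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"   # Windows Azure Active Directory (AAD Graph)
REQUIRE_COMPLIANT = "RequireCompliantDevice"


def _policies(raw):
    """ConditionalAccessPolicies arrives as a JSON string in advanced hunting (hence todynamic());
    accept either a string or an already-parsed list and treat unparsable input as 'no policies'."""
    if raw is None:
        return []
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            return []
    return raw if isinstance(raw, list) else []


def is_compliance_bypass_candidate(event):
    """Mirror of the KQL 'where' clauses and the mv-apply sub-filter."""
    if event.get("ErrorCode") != 0:                         # sign-in must have succeeded
        return False
    if event.get("AadDeviceId"):                            # must come from an unidentified device
        return False
    if event.get("ApplicationId") != COMPANY_PORTAL_APP_ID: # client must be Company Portal
        return False
    if event.get("ResourceId") != AAD_GRAPH_RESOURCE_ID:    # resource must be AAD Graph
        return False
    # At least one compliant-device policy reported 'failure' while the sign-in still succeeded.
    for policy in _policies(event.get("ConditionalAccessPolicies")):
        controls = policy.get("enforcedGrantControls") or []
        if policy.get("result") == "failure" and REQUIRE_COMPLIANT in controls:
            return True
    return False


def hunt(events):
    """Return matching events, newest first (the query's 'sort by Timestamp desc')."""
    hits = [e for e in events if is_compliance_bypass_candidate(e)]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


# Constructed sample records (assumed shape; values are invented for the example).
SAMPLE_EVENTS = [
    {   # hit: successful, no device id, Company Portal -> AAD Graph, compliant-device policy failed
        "Timestamp": "2025-01-05T08:00:00Z", "AccountUpn": "alice@example.test", "ErrorCode": 0,
        "AadDeviceId": "", "ApplicationId": COMPANY_PORTAL_APP_ID, "ResourceId": AAD_GRAPH_RESOURCE_ID,
        "ConditionalAccessPolicies": json.dumps([
            {"displayName": "Require compliant device", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice"]}]),
    },
    {   # not a hit: a known device id is present
        "Timestamp": "2025-01-05T09:00:00Z", "AccountUpn": "bob@example.test", "ErrorCode": 0,
        "AadDeviceId": "11111111-2222-3333-4444-555555555555", "ApplicationId": COMPANY_PORTAL_APP_ID,
        "ResourceId": AAD_GRAPH_RESOURCE_ID,
        "ConditionalAccessPolicies": json.dumps([
            {"displayName": "Require compliant device", "result": "success",
             "enforcedGrantControls": ["RequireCompliantDevice"]}]),
    },
    {   # not a hit: policy only required MFA, not device compliance
        "Timestamp": "2025-01-05T10:00:00Z", "AccountUpn": "carol@example.test", "ErrorCode": 0,
        "AadDeviceId": "", "ApplicationId": COMPANY_PORTAL_APP_ID, "ResourceId": AAD_GRAPH_RESOURCE_ID,
        "ConditionalAccessPolicies": json.dumps([
            {"displayName": "Require MFA", "result": "failure", "enforcedGrantControls": ["Mfa"]}]),
    },
    {   # hit: second matching sign-in, later timestamp so it sorts first
        "Timestamp": "2025-01-06T07:30:00Z", "AccountUpn": "dave@example.test", "ErrorCode": 0,
        "AadDeviceId": None, "ApplicationId": COMPANY_PORTAL_APP_ID, "ResourceId": AAD_GRAPH_RESOURCE_ID,
        "ConditionalAccessPolicies": json.dumps([
            {"displayName": "Block legacy", "result": "notApplied", "enforcedGrantControls": []},
            {"displayName": "Require compliant device", "result": "failure",
             "enforcedGrantControls": ["RequireCompliantDevice", "Mfa"]}]),
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["AccountUpn"])
```

The mv-apply in the KQL expands the policy array and keeps a sign-in row only if some element passes the inner `where`; the `for` loop over `_policies(...)` does the same, so a record with several policies matches as soon as one compliant-device policy reports `failure`, regardless of what the other policies say.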