Created January 7, 2025 20:38
Use Defender XDR advanced hunting to detect possible device-compliance bypass attacks against Entra ID Conditional Access, following the vulnerability disclosed by Yuya Chudo at Black Hat Europe 2024 (https://www.blackhat.com/eu-24/briefings/schedule/#unveiling-the-power-of-intune-leveraging-intune-for-breaking-into-your-cloud-and-on-premise-42176).
```kql
AADSignInEventsBeta
| where
    // Sign-in is successful
    ErrorCode == 0
    // Sign-in comes from an unidentified device
    and isempty(AadDeviceId)
    // Sign-in is initiated by the Intune Company Portal client id
    and ApplicationId == "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223"
    // Sign-in is targeted to Windows Azure Active Directory for the AAD Graph downgrade attack according to Yuya Chudo
    and ResourceId == "00000002-0000-0000-c000-000000000000"
| mv-apply todynamic(ConditionalAccessPolicies) on (
    // Sign-in does not satisfy a Conditional Access policy which requires the device to be marked as compliant
    // (but the sign-in is still successful in the end due to the vulnerability...)
    where ConditionalAccessPolicies.result == "failure"
    and ConditionalAccessPolicies.enforcedGrantControls has "RequireCompliantDevice"
)
| sort by Timestamp desc
```
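The same detection logic expressed in Python and run over constructed sample rows, as an added example that is not part of the gist. It mirrors each KQL clause (including the `todynamic` parsing of the `ConditionalAccessPolicies` JSON and the `mv-apply` filter) so the conditions can be unit-tested offline; the sample rows and `_has_term` approximation of KQL `has` are assumptions made here.

```python
import json

# Identifiers copied from the gist's KQL query.
INTUNE_COMPANY_PORTAL_APP_ID = "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223"
AAD_GRAPH_RESOURCE_ID = "00000002-0000-0000-c000-000000000000"

def _has_term(value, term):
    """Approximate KQL `has` on a dynamic value: array membership, or a
    substring match when the value arrives as a plain string."""
    if isinstance(value, list):
        return term in value
    return isinstance(value, str) and term in value

def is_possible_compliance_bypass(event):
    """Apply the same conditions as the KQL query to one sign-in row."""
    if event.get("ErrorCode") != 0:                       # sign-in succeeded
        return False
    if event.get("AadDeviceId"):                          # isempty(AadDeviceId)
        return False
    if event.get("ApplicationId") != INTUNE_COMPANY_PORTAL_APP_ID:
        return False
    if event.get("ResourceId") != AAD_GRAPH_RESOURCE_ID:  # AAD Graph downgrade target
        return False
    # ConditionalAccessPolicies is a JSON string in the table (todynamic() in KQL);
    # mv-apply ... on (where result == "failure" and enforcedGrantControls has ...)
    policies = json.loads(event.get("ConditionalAccessPolicies") or "[]")
    return any(p.get("result") == "failure"
               and _has_term(p.get("enforcedGrantControls"), "RequireCompliantDevice")
               for p in policies)

def hunt(events):
    """Return matching rows, newest first (sort by Timestamp desc)."""
    hits = [e for e in events if is_possible_compliance_bypass(e)]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)

def _row(ts, device, resource, result):
    """Constructed AADSignInEventsBeta-like row from the Company Portal client (not real telemetry)."""
    cap = json.dumps([{"displayName": "Require compliant device", "result": result,
                       "enforcedGrantControls": ["RequireCompliantDevice"]}])
    return {"Timestamp": ts, "ErrorCode": 0, "AadDeviceId": device,
            "ApplicationId": INTUNE_COMPANY_PORTAL_APP_ID,
            "ResourceId": resource, "ConditionalAccessPolicies": cap}

# Constructed samples: two suspicious sign-ins, one registered device, one other resource.
SAMPLE_EVENTS = [
    _row("2025-01-07T09:15:00Z", "", AAD_GRAPH_RESOURCE_ID, "failure"),
    _row("2025-01-07T08:02:00Z", "constructed-device-id", AAD_GRAPH_RESOURCE_ID, "success"),
    _row("2025-01-07T10:30:00Z", "", AAD_GRAPH_RESOURCE_ID, "failure"),
    _row("2025-01-07T11:00:00Z", "", "00000003-0000-0000-c000-000000000000", "failure"),
]
```

Only the two unidentified-device sign-ins that failed the compliant-device policy against AAD Graph yet still succeeded are returned; the registered device and the sign-in to another resource are filtered out exactly as the KQL clauses would do.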