EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Microsoft Intune Device Health Scripts

Microsoft Intune device remediation scripts are a tool administrators can use to remotely manage devices, this functionality can also be abused for SYSTEM level code execution and lateral movement to intune managed devices. This detection identifies when a new device health script has been added, updated or deleted.

Detection Query

`azure_monitor_activity` operationName="*DeviceHealthScript*" | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin | rex field="operationName" "^(?P<action>\w+?)DeviceHealthScript" | replace "patch" with "updated", "create" with "created", "delete", with "deleted", "assign", with "assigned" IN action | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId | `microsoft_intune_device_health_scripts_filter`

Author

Dean Luxton

Data Sources

Azure Monitor Activity

References

Raw Content
name: Microsoft Intune Device Health Scripts
id: 6fe42e07-15b1-4caa-b547-7885666cb1bd
version: 4
creation_date: '2025-01-06'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: Hunting
description: >-
    Microsoft Intune device remediation scripts are a tool administrators can use to remotely manage devices, this functionality can also be abused for SYSTEM level code execution and lateral movement to intune managed devices.
    This detection identifies when a new device health script has been added, updated or deleted.
data_source:
    - Azure Monitor Activity
search: >-
    `azure_monitor_activity` operationName="*DeviceHealthScript*"
    | rename identity as user, properties.TargetObjectIds{} as TargetObjectId, properties.TargetDisplayNames{} as TargetDisplayName, properties.Actor.IsDelegatedAdmin as user_isDelegatedAdmin
    | rex field="operationName" "^(?P<action>\w+?)DeviceHealthScript" | replace "patch" with "updated", "create" with "created", "delete", with "deleted", "assign", with "assigned" IN action
    | table _time operationName action user user_type user_isDelegatedAdmin TargetDisplayName TargetObjectId status tenantId correlationId
    | `microsoft_intune_device_health_scripts_filter`
how_to_implement: >-
    The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub.
    To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
    Deploy as a risk based alerting rule for quick deployment or perform baselining & tune accordingly.
known_false_positives: Legitimate adminstrative usage of this functionality will trigger this detection.
references:
    - https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d
    - https://securityintelligence.com/x-force/detecting-intune-lateral-movement/
    - https://posts.specterops.io/maestro-9ed71d38d546
analytic_story:
    - Azure Active Directory Account Takeover
asset_type: Azure Tenant
mitre_attack_id:
    - T1072
    - T1021.007
    - T1202
    - T1105
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: audit
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
          sourcetype: azure:monitor:activity
          source: Azure AD
      test_type: unit