Security Boulevard

The post Stop Supply Chain Invaders appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

The post Stop Supply Chain Invaders appeared first on Security Boulevard.

What’s New in CJIS 5.9.5 as it Relates to Firmware Security? n the latest CJIS Security Policy, the FBI is now requiring that IT firmware be verified for integrity and monitored for unauthorized changes. Failure to comply with it can lead to denial of access to information in the CJIS system, as well as monetary […]

The post Getting the Gist of CJIS - 5.9.5 appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

The post Getting the Gist of CJIS – 5.9.5 appeared first on Security Boulevard.

Supply chain security for servers, PCs, laptops, and devices has correctly focused on protecting these systems from vulnerabilities introduced through third-party suppliers. The applicable supply chains range from design and manufacturing to distribution and integration. Each stage presents potential risks, as malicious actors could introduce compromised components, counterfeit products, or software backdoors that could be […]

The post Why Supply Chain Security Demands Focus on Hardware appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

The post Why Supply Chain Security Demands Focus on Hardware appeared first on Security Boulevard.

We are thrilled to share that we have migrated Tidal Cyber’s Community & Enterprise platforms to v16 of MITRE ATT&CK® the day following the new version’s release! Users of ATT&CK know the anxiety that accompanies the release of numerous new Techniques, threats, and defensive content, and many updates & changes to existing content. Tidal Cyber takes many steps to insulate our users from that anxiety and support fast and worry-free migrations with each new ATT&CK release.

The post ATT&CK v16: Worry-Free Updates in Tidal Cyber appeared first on Security Boulevard.

Microsoft is again delaying the release of its controversial Recall feature for new Windows Copilot+ PCs until December to get new security capabilities in place and hopefully avoid the industry backlash it faced when first introducing the tool in May.

The post Microsoft’s Controversial Recall Feature Release Delayed Again appeared first on Security Boulevard.

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Wells’ appeared first on Security Boulevard.

Plus brillants exploits: Canadian Centre for Cyber Security fingers Chinese state sponsored hackers.

The post Ô! China Hacks Canada too, Says CCCS appeared first on Security Boulevard.

Authors/Presenters:niks, Charles Waterhouse

Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their timely DEF CON 32 erudite content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – AppSec Village – Hacking Corporate Banking for Fun and Profit appeared first on Security Boulevard.

Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.

Dive into six things that are top of mind for the week ending Nov. 1.

1 - Securing OT/ICS in critical infrastructure with zero trust

As their operational technology (OT) computing environments become more digitized, converged with IT systems and cloud-based, critical infrastructure organizations should beef up their cybersecurity by adopting zero trust principles.

That’s the key message of the Cloud Security Alliance’s “Zero Trust Guidance for Critical Infrastructure,” which focuses on applying zero trust methods to OT and industrial control system (ICS) systems.

While OT/ICS environments were historically air gapped, that’s rarely the case anymore. “Modern systems are often interconnected via embedded wireless access, cloud and other internet-connected services, and software-as-a-service (SaaS) applications,” reads the 64-page white paper, which was published this week.

The CSA hopes the document will help cybersecurity teams and OT/ICS operators enhance the way they communicate and collaborate.

 

 

Among the topics covered are:

• Critical infrastructure’s unique threat vectors
• The convergence of IT/OT with digital transformation
• Architecture and technology differences between OT and IT

The guide also outlines this five-step process for implementing zero trust in OT/ICS environments:

• Define the surface to be protected
• Map operational flows
• Build a zero trust architecture
• Draft a zero trust policy
• Monitor and maintain the environment

A zero trust strategy boosts the security of critical OT/ICS systems by helping teams “keep pace with rapid technological advancements and the evolving threat landscape,” Jennifer Minella, the paper’s lead author, said in a statement.

To get more details, read:

• The report’s announcement “New Paper from Cloud Security Alliance Examines Considerations and Application of Zero Trust Principles for Critical Infrastructure”
• The full report “Zero Trust Guidance for Critical Infrastructure”
• A complementary slide presentation

For more information about OT systems cybersecurity, check out these Tenable resources: 

• “What is operational technology (OT)?” (guide)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “Tenable Cloud Risk Report 2024” (white paper)

2 - Five Eyes publish cyber guidance for tech startups

Startup tech companies can be attractive targets for hackers, especially if they have weak cybersecurity and valuable intellectual property (IP).

To help startups prevent cyberattacks, the Five Eyes countries this week published cybersecurity guides tailored for these companies and their investors.

“This guidance is designed to help tech startups protect their innovation, reputation, and growth, while also helping tech investors fortify their portfolio companies against security risks," Mike Casey, U.S. National Counterintelligence and Security Center Director, said in a statement.

These are the top five cybersecurity recommendations from Australia, Canada, New Zealand, the U.S. and the U.K. for tech startups:

• Be aware of threat vectors, including malicious insiders, insecure IT and supply chain risk.
• Identify your most critical assets and conduct a risk assessment to pinpoint vulnerabilities.
• Build security into your products by managing intellectual assets and IP; monitoring who has access to sensitive information; and ensuring this information’s protection.
• Conduct due diligence when choosing partners and make sure they’re equipped to protect the data you share with them.
• Before you expand abroad, prepare and become informed about these new markets by, for example, understanding local laws in areas such as IP protection and data protection.

 

 

“Sophisticated nation-state adversaries, like China, are working hard to steal the intellectual property held by some of our countries’ most innovative and exciting startups,” Ken McCallum, Director General of the U.K.’s MI5, said in a statement.

To get more details, check out these Five Eyes’ cybersecurity resources for tech startups:

• The announcement “Five Eyes Launch Shared Security Advice Campaign for Tech Startups”
• The main guides: 
  • “Secure Innovation: Security Advice for Emerging Technology Companies”
  • “Secure Innovation: Security Advice for Emerging Technology Investors”
• These complementary documents:
  • “Secure Innovation: Scenarios and Mitigations”
  • “Secure Innovation: Travel Security Guidance”
  • “Secure Innovation: Due Diligence Guidance”
  • “Secure Innovation: Companies Summary”

3 - Survey: Unapproved AI use impacting data governance

Employees’ use of unauthorized AI tools is creating compliance issues in a majority of organizations. Specifically, it makes it harder to control data governance and compliance, according to almost 60% of organizations surveyed by market researcher Vanson Bourne.

“Amid all the investment and adoption enthusiasm, many organisations are struggling for control and visibility over its use,” reads the firm’s “AI Barometer: October 2024” publication. Vanson Bourne polls 100 IT and business executives each month about their AI investment plans.

To what extent do you think the unsanctioned use of AI tools is impacting your organisation's ability to maintain control over data governance and compliance?

(Source: Vanson Bourne’s “AI Barometer: October 2024”)

Close to half of organizations surveyed (44%) believe that at least 10% of their employees are using unapproved AI tools.

On a related front, organizations are also grappling with the issue of software vendors that unilaterally and silently add AI features to their products, especially to their SaaS applications.

While surveyed organizations say they’re reaping advantages from their AI usage, “such benefits are dependent on IT teams having the tools to address the control and visibility challenges they face,” the publication reads.

For more information about the use of unapproved AI tools, an issue also known as “shadow AI,” check out:

• “Do You Think You Have No AI Exposures? Think Again” (Tenable)
• “Shadow AI poses new generation of threats to enterprise IT” (TechTarget)
• “10 ways to prevent shadow AI disaster” (CIO)
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach” (Tenable)
• “Shadow AI in the ‘dark corners’ of work is becoming a big problem for companies” (CNBC)

VIDEO

Shadow AI Risks in Your Company

 

4 - NCSC explains nuances of multi-factor authentication

Multi-factor authentication (MFA) comes in a variety of flavors, and understanding the differences is critical for choosing the right option for each use case in your organization.

To help cybersecurity teams better understand the different MFA types and their pluses and minuses, the U.K. National Cyber Security Centre (NCSC) has updated its MFA guidance.

“The new guidance explains the benefits that come with strong authentication, while also minimising the friction that some users associate with MFA,” reads an NCSC blog.

 

 

In other words, what type of MFA method to use depends on people’s roles, how they work, the devices they use, the applications or services they’re accessing and so on.

Topics covered include:

• Recommended types of MFA, such as FIDO2 credentials, app-based and hardware-based code generators and message-based methods
• The importance of using strong MFA to secure users’ access to sensitive data
• The role of trusted devices in boosting and simplifying MFA
• Bad practices that weaken MFA’s effectiveness, such as:
  • Retaining weaker, password-only authentication protocols for legacy services
  • Excluding certain accounts from MFA requirements because their users, usually high-ranking officials, find MFA inconvenient

To get more details, read:

• The NCSC blog “Not all types of MFA are created equal”
• The NCSC guide “Multi-factor authentication for your corporate online services”

For more information about MFA:

• “Multifactor Authentication Cheat Sheet” (OWASP)
• “Deploying Multi Factor Authentication – The What, How, and Why” (SANS Institute)
• “How MFA gets hacked — and strategies to prevent it” (CSO)
• “How Multifactor Authentication Supports Growth for Businesses Focused on Zero Trust” (BizTech)
• “What is multi-factor authentication?” (TechTarget)

5 - U.S. gov’t outlines AI strategy, ties it to national security 

The White House has laid out its expectations for how the federal government ought to promote the development of AI in order to safeguard U.S. national security.

In the country’s first-ever National Security Memorandum (NSM) on AI, the Biden administration said the federal government must accomplish the following:

• Ensure the U.S. is the leader in the development of safe, secure and trustworthy AI
• Leverage advanced AI technologies to boost national security
• Advance global AI consensus and governance

“The NSM’s fundamental premise is that advances at the frontier of AI will have significant implications for national security and foreign policy in the near future,” reads a White House statement.

 

 

The NSM’s directives to federal agencies include:

• Help improve the security of chips and support the development of powerful supercomputers to be used by AI systems.
• Help AI developers protect their work against foreign spies by providing them with cybersecurity and counterintelligence information.
• Collaborate with international partners to create a governance framework for using AI in a way that is ethical, responsible and respects human rights. 

The White House also published a complementary document titled “Framework To Advance AI Governance and Risk Management in National Security,” which adds implementation details and guidance for the NSM.

6 - State CISOs on the frontlines of AI security

As the cybersecurity risks and benefits of AI multiply, most U.S. state CISOs find themselves at the center of their governments' efforts to craft AI security strategies and policies.

That’s according to the “2024 Deloitte-NASCIO Cybersecurity Study,” which surveyed CISOs from all 50 states and the District of Columbia.

Specifically, 88% of state CISOs reported being involved in the development of a generative AI strategy, while 96% are involved with creating a generative AI security policy.

However, their involvement in AI cybersecurity matters isn’t necessarily making them optimistic about their states’ ability to fend off AI-boosted attacks.

None said they feel “extremely confident” that their state can prevent AI-boosted attacks, while only 10% reported feeling “very confident.” The majority (43%) said they feel “somewhat confident” while the rest said they are either “not very confident” or “not confident at all.”

 

 

Naturally, most state CISOs see AI-enabled cyberthreats as significant, with 71% categorizing them as either “very high threat” (18%) or “somewhat high threat” (53%).

At the same time, state CISOs see the potential for AI to help their cybersecurity efforts, as 41% are already using generative AI for cybersecurity, and another 43% have plans to do so by mid-2025.

Other findings from the "2024 Deloitte-NASCIO Cybersecurity Study" include:

• 4 in 10 state CISOs feel their budget is insufficient.
• Almost half of respondents rank cybersecurity staffing as one of the top challenges.
• In the past two years, 23 states have hired new CISOs, as the median tenure of a state CISO has dropped to 23 months, down from 30 months in 2022.
• More state CISOs are taking on privacy protection duties — 86% are responsible for privacy protection, up from 60% two years ago.

For more information about CISO trends:

• “What’s important to CISOs in 2024” (PwC)
• “The CISO’s Tightrope: Balancing Security, Business, and Legal Risks in 2024” (The National CIO Review)
• “State of CISO Leadership: 2024” (SC World)
• “4 Trends That Will Define the CISO's Role in 2024” (SANS Institute)

The post Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security appeared first on Security Boulevard.

Insight #1:  You can be sued for your junky software, EU says

The EU recently updated its Product Liability Directive (PDF) to reflect the critical role of software in modern society. This means software vendors are now liable for defects that cause harm, including personal injury, property damage or data loss. This change emphasizes the growing importance of prioritizing safety and security in software development. Companies must proactively review their processes, strengthen security measures and embrace a new era of accountability for the software they create.

 

Insight #2: Most CISOs fear getting axed over data breaches

A recent survey revealed that 77% of CISOs feel significant pressure to prevent data breaches, often to the point of fearing for their jobs. This highlights a critical need to shift the organizational mindset from blame to shared responsibility. Instead of making the CISO the sole scapegoat, companies should foster a culture of collaboration where security is everyone's priority and where CISOs have the support and resources they need to succeed.

  Insight #3: Outdated software is the grim reaper in your security nightmare

Don't let outdated software become a security nightmare. Outdated software is a prime target for attackers. Make it a priority to regularly check for updates and replace any software that's reached its end of life. This simple step can significantly reduce your risk of a security breach.

The post Cybersecurity Insights with Contrast CISO David Lindner | 11/1/24 appeared first on Security Boulevard.

Foreign adversaries proactively interfering in U.S. presidential elections is nothing new.

Related: Targeting falsehoods at US minorities, US veterans

It’s well-documented how Russian intelligence operatives proactively meddled with the U.S. presidential election in 2016 and technologists and regulators have been … (more…)

The post Shared Intel Q&A: Foreign adversaries now using ‘troll factories’ to destroy trust in U.S. elections first appeared on The Last Watchdog.

The post Shared Intel Q&A: Foreign adversaries now using ‘troll factories’ to destroy trust in U.S. elections appeared first on Security Boulevard.

The Cybersecurity and Infrastructure Security Agency (CISA) introduced its inaugural international strategic plan, a roadmap for strengthening global partnerships against cyber threats.

The post CISA Strategic Plan Targets Global Cooperation on Cybersecurity appeared first on Security Boulevard.

What is the SPACE Framework? See how Doppler’s features improve your team’s wellbeing, efficiency, and secrets management posture

The post How Doppler aligns with your SPACE framework appeared first on Security Boulevard.

Maestro: Abusing Intune for Lateral Movement Over C2

If I have a command and control (C2) agent on an Intune admin’s workstation, I should just be able to use their privileges to execute a script or application on an Intune-enrolled device, right?

Not so fast.

I Wanna Go Fast!

• Take me to the GitHub repo!
• Take me to the attack path walkthrough!
• Take me to the defensive guidance!

The Problem

We often find ourselves in the context of a cloud administrator when following attack paths to objectives that require privileged access to Azure-hosted services. We want to use their Entra ID account’s privileges to execute actions in Azure, for example running arbitrary code on remote Intune devices (a.k.a. the “Death from Above” attack path detailed by Andy Robbins), but we have some hurdles to overcome to accomplish this from a C2 agent:

• We don’t have the user’s cleartext password
• Conditional access policies (CAPs) require multi-factor authentication (MFA) for access to the Intune Portal and/or a compliant, hybrid-joined device on a trusted network
• We need to maintain stealth
• We don’t have the knowledge, time, or patience to manipulate tokens and navigate the Azure portal or multiple tools

Let’s look at these problems one at a time and discuss the options available to us.

No Cleartext Credentials / MFA Required

No password? No problem. We already asked the admin nicely for their creds and they didn’t bite, and their password hygiene on the host is solid, but if the device has an identity in Entra ID, we can dump primary refresh token (PRT) cookies from the machine with tools like Lee Chagolla-Christensen’s RequestAADRefreshToken, Dirk-jan Mollema’s ROADToken, Evan McBroom’s LSA Whisperer, Daniel Heinsen’s, SharpGetEntraToken, or aad_prt_bof by wotwot563. These PRT cookies will even have an MFA claim if Windows Hello for Business was used for logon, allowing us to comply with MFA requirements enforced by CAPs or the new default security policy for Azure sign-in.

Stealth

We want to only execute tools that are code-signed and legitimately used in the environment, otherwise keep tool execution within our current process or proxied into the environment from a machine we control that isn’t subject to the organization’s security stack.

We could use our shiny new PRT cookie to interact with Azure using a web browser proxied through the administrator’s workstation, but:

• fumbling through the portal requires prior experience or time to figure out, and features are added, removed, or moved all the time
• information made available by the Azure APIs we’re interested in is not always displayed to the user or is difficult to find
• we have to take frequent screenshots and manual activity logs for deconfliction and reporting instead of letting our C2 framework handle all that, gross
• we may still hit CAPs preventing access without a compliant and/or hybrid-joined device

We could use our C2 agent to run command line tools that are likely to be already installed on cloud administrator workstations (e.g., PowerShell’s Invoke-RestMethod, Microsoft.Graph, AzureAD, or Intune modules, curl.exe, etc.) and interact with Azure APIs, but they don’t directly support BYO PRT cookies, they require multiple steps to obtain refresh and access tokens after dumping a PRT cookie (let alone execute actions with those tokens), and they may generate suspicious parent/child process relationships and command line arguments.

We could dump refresh or access tokens from the memory of applications the cloud admin has used to authenticate to Entra ID (e.g., their browser, the ConfigMgr console in co-management setups, etc.) with tools like the office_tokens BOF from TrustedSec, but we need some luck to obtain creds with the correct client ID, scope, and resource for the actions we want to take or that can be swapped for creds that meet these requirements.

Device Compliance / Hybrid-joined Device

An appropriately scoped refresh or access token would enable us to proxy in excellent open-source tools like ROADTools, AADInternals, BARK, AzureHound, TokenTactics/TokenTacticsV2, or GraphRunner, but we still may be blocked by CAPs requiring device compliance or a hybrid-joined device when exchanging refresh tokens for access tokens or by Continuous Access Evaluation when trying to use stolen access tokens. Further, we need a solid understanding of token manipulation, which at least for me was confusing and not easy to learn without a lot of help, trial and error, and training from Dirk-jan Mollema at Outsider Security.

While it’s possible to fake device compliance with AADInternals thanks to Dr. Nestori Syynimaa (@DrAzureAD) and just a few days ago, Dirk-jan Mollema posted a screenshot of a fake device he created that satisfied ten device compliance requirements, these techniques are not guaranteed to work in all organizations. Device compliance may also be determined and reported to Intune by Microsoft Configuration Manager (formerly SCCM) if the device is co-managed, complicating this attack vector further.

It’s also possible to satisfy conditional access policies requiring a hybrid-joined/registered device by joining a rogue/fake device to Entra ID or by overwriting an existing one, but these techniques require credentials to execute and don’t necessarily allow us to enroll the device in Intune to achieve device compliance.

In any case, CAPs may prevent us from proxying in the tools needed to pull off these attacks or from using them off network, and executing PowerShell directly on the admin’s workstation is risky. I’d rather just use the Intune admin’s compliant hybrid-joined device to reach my objectives.

Using the Azure Portal and Other Tools

Let’s say the problems above are all figured out or we luck out and stumble upon an access token with exactly the attributes we need and there are no CAPs preventing us from using it. We still need to figure out how to use the token to make the appropriate calls to the Microsoft Graph API to execute scripts, applications, and queries on Intune-enrolled devices, which is a complicated, multi-step process.

The Solution

These problems kept resurfacing and none of the available options were ideal for my use case, so I decided to write Maestro to automate them away.

Maestro, an open-source tool sponsored by SpecterOps, was first released at DEF CON 2024 Demo Labs. You can find the code here. If compiling from source, make sure you use the Release build (or the copy on GitHub, if you trust me 😉) so that all of Maestro’s dependencies are merged into the standalone executable with dnMerge by Ceri Coburn (@_ethicalchaos_).

Maestro is essentially a wrapper for local PRT cookie requests and calls to the Microsoft Graph API with a lot of quality-of-life features added for red teamers. It allows you to execute apps, scripts, and device query on Intune-enrolled devices from a C2 agent on an admin’s workstation, no password or proxy required. Data can be optionally stored in a LiteDB database that Maestro will check for valid tokens when subsequent commands are executed.

Maestro takes care of acquiring all the necessary tokens and making the right HTTP requests to execute the action you’re attempting to take in the context of an Intune administrator. Specifically, Maestro mimics the way Edge obtains a nonce from Azure and a signed PRT cookie from the local TPM, then signs in to Intune with the authorization code OAuth flow and obtains an appropriately scoped access token for the requested resource from the mysterious DelegationToken endpoint.

Executing the “Death from Above” Attack Path

Let’s walk through how to execute scripts, applications, and device query on Intune devices with Maestro using the Mythic C2 framework by Cody Thomas (@its_a_feature_) and the SpecterOps Apollo Mythic C2 agent for inline assembly execution.

If something goes wrong, keep in mind that you can run any Maestro command with the `-h` flag to display its full usage.

Let’s say our objective is to gain access to a code repository that only Chris Thompson has access to, and we suspect that there is credential material in their home directory, so we’d like to move laterally to their workstation.

Recon / Locating Users

First, we’ll get a list of Intune devices where cthompson is the primary user, including what users were logged on the last time the device checked in. When the -d option is set, Maestro searches the specified database file for a valid access token with the required scope, then refresh tokens, and finally PRTs before getting a nonce from Azure and fetching a PRT cookie signed by the local system’s TPM to authenticate subsequent requests.

.\Maestro.exe -d <name>.db get intune devices -f "userPrincipalName eq '<user>@<tenant>.onmicrosoft.com'" -p usersLoggedOn

Next, Maestro uses the PRT cookie to request a code and id_token from Azure, uses them to obtain a portalAuthorization blob containing a refresh token from the authorize endpoint, and uses the refresh token to obtain an access token for Intune device management from the DelegationToken endpoint.

Then Maestro uses the access token to obtain the list of Intune devices where cthompson is the primary user, including their device IDs and the IDs of users logged on.

If we execute the same command again, Maestro will reuse the access token rather than going through the entire authentication flow again.

Next, we’ll resolve the user ID bfb6a9c2-f3c8–4b9c-9d09–2924d38895f7 from the output of the previous command to a principal name, noting that it was cthompson with domain SID S-1–12–1–3216419266–1268577224–606669213–4153772243 who was logged into the Intune device with ID e537180b-6d04–427e-bf93-dbde818400eb the last time it checked in.

.\Maestro.exe -d Maestro.db get entra users -i <id> --reauth

Device Query

We’ll make sure that the user is still logged in right now using device query, which, similar to SCCM’s CMPivot feature, allows real-time read access to Intune enrolled devices. To do that, we’ll query the Windows Registry HKEY_USERS hive, which indicates that our target user’s domain SID has a session on the device right now.

.\Maestro.exe -d <name>.db exec intune device-query -i <device_id> -q 'WindowsRegistry("""HKU\*"""')

Script Execution

On another device, we’ll use PowerShell to encode a script we’d like to execute on the Intune device. We’ll just write a new file to the C drive for the purpose of this demonstration, but the world is your oyster here.

# Execute a script on the system
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss";
$script = "New-Item -Path 'C:\' -Name ""Maestro_Executed_$timestamp.txt"" -ItemType ""File""";
$bytes = [System.Text.Encoding]::UTF8.GetBytes($script);
$encoded = [Convert]::ToBase64String($bytes);
Write-Output $encoded

Finally, we’ll execute the script on the target device then periodically check whether the script has executed and whether the first line of output is available, which is all that is made available by MS Graph. This can take a REALLY long time, especially after running multiple Intune scripts in a short time, but you can use the -t 0 option if you want to wait as long as it takes to recover the script’s output.

.\Maestro.exe -d <name>.db exec intune script -i <device_id> -s <base64_encoded_script> -n <script_name> -t 0

If you don’t want to hang your C2 agent or if your access token expires before the script output is available, you can request output manually as well.

.\Maestro.exe -d <name>.db get intune script-output -i <script_id> — device <device_id>

Unfortunately, at the time of this writing, there is no FileContent device query action, so we can’t read the full contents of arbitrary files from remote devices with device query yet. You’ll have to get creative with script/application execution to accomplish that.

Application Execution

To execute an arbitrary application on an Intune device, simply point Maestro to the UNC path of the executable and either specify an Intune device ID, Entra device ID, or the ID of an existing Entra group containing the ID of the machine to execute the app on. If a device ID is specified, Maestro will automatically locate the device in both Intune and Entra and add it to a new Entra group before executing the application.

.\Maestro.exe -d <name>.db exec intune app -p <unc_path> -i <device_id>

Maestro will attempt to force the device to sync with Intune to fetch applications pending installation via its persistent notification channel, but this fails pretty often because Microsoft severely throttles the number of sync actions a device can make in a short amount of time. In this case, you can use the exec intune sync command to try again or wait until the device’s next naturally occurring check-in (every eight hours or after rebooting by default).

Maestro does not clean up the new app and Entra group automatically because of this uncertain execution window, but the commands needed to execute cleanup manually are displayed to the user.

Eventually (the only unit of time Intune supports 🥲), you should see the results of your application execution.

Using the Database

Right now, the best way to review the contents of the database file is by opening it in LiteDB, where you can review previously queried objects and credentials obtained from Azure.

What’s next for Maestro?

• More flexible token manipulation and storage
• Additional methods of execution
• Credential gathering via Intune (Cloud LAPS)
• Azure Arc support
• Command line options for items in the database
• More enumeration techniques with Entra and Resource Graph

Defensive Guidance

Brett Hawkins at IBM X-Force Red recently wrote an excellent, very detailed blog post about detecting Intune lateral movement techniques and provided Sentinel-ready KQL queries that can be used to alert upon suspicious Intune script and application execution. There are lots of events of interest generated from this attack path that the KQL queries can be modified to support.

When creating detections, keep in mind that the attacker can control the information that Maestro and similar tools send to Microsoft Graph in HTTP requests (e.g., User Agent, time between requests, etc.). If possible, baseline your Intune admins’ legitimate activities and alert upon suspicious usage of these features. For example, if Intune apps are deleted very rarely in your organization or are typically created several days before they are assigned, those events might be indicators of compromise.

Have questions or want to collaborate on new functionality or research?

Hit me up on Twitter (@_Mayyhem) or in the BloodHound Slack!

Maestro was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Maestro appeared first on Security Boulevard.

With just days to go before the U.S. election, securing our digital landscape is more critical than ever. Our latest infographic, Vote for API Security: Which States Are Leading the Charge?, provides an in-depth analysis of state-by-state API infrastructures, highlighting both strengths and vulnerabilities. Cequence analyzed the public-facing attack surface of each state in the […]

The post Leading the Way in API Security: Which U.S. States Are Setting the Standard? appeared first on Cequence Security.

The post Leading the Way in API Security: Which U.S. States Are Setting the Standard? appeared first on Security Boulevard.

UnitedHealth Group, which is still picking up the pieces after a massive ransomware attack that affected more than 100 million people, hired a new and experienced CISO to replace the previous executive who became a target of lawmakers for having no cybersecurity background.

The post UnitedHealth Hires Longtime Cybersecurity Executive as CISO appeared first on Security Boulevard.

A critical vulnerability (CVE-2024-43573) in Microsoft Windows MSHTML platform allows for spoofing attacks.  Affected Platform  The vulnerability identified as CVE-2024-43573 affects Microsoft Windows systems, specifically within the MSHTML platform component. MSHTML is the legacy rendering engine within Microsoft Windows that is responsible for handling and displaying HTML content across various Microsoft applications. The flaw in...

The post CVE-2024-43573 – Microsoft Windows Security Vulnerability – October 2024 appeared first on TrueFort.

The post CVE-2024-43573 – Microsoft Windows Security Vulnerability – October 2024 appeared first on Security Boulevard.

What is data discovery and classification? Let's answer that and look at how your organization can improve its data protection program.

The post Why Data Discovery and Classification are Important appeared first on Security Boulevard.

DEF CON 32 - AppSec Village - DEF CON 32 - Fine Grained Authorisation with Relationship Based Access Control

Authors/Presenters:Ben Dechrai

Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their timely DEF CON 32 erudite content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – AppSec Village – Fine Grained Authorisation with Relationship Based Access Contro appeared first on Security Boulevard.

The 14th Annual Cyber Security Summit in Minneapolis proved invaluable, gathering experts from government, law enforcement and various industries to discuss the future of cybersecurity under this year’s theme, All In for Next. Over three days, attendees engaged with thought-provoking presentations and hands-on demonstrations covering the challenges and opportunities facing the cybersecurity landscape.  AI in Cybersecurity: Navigating Threats, Opportunities and ... Read More

The post Key Takeaways from the Cyber Security Summit in Minnesota: AI, Data Security and MSSP Differentiation appeared first on Nuspire.

The post Key Takeaways from the Cyber Security Summit in Minnesota: AI, Data Security and MSSP Differentiation appeared first on Security Boulevard.