Pytune: Weaponizing Microsoft Intune for Post-Exploitation
Pytune
Pytune is a post-exploitation tool for enrolling a fake device into Intune with multiple platform support.
Microsoft Intune is a cloud-based endpoint management solution designed to manage a variety of devices, including PCs and mobile devices, across multiple platforms. This solution assists IT administrators with tasks such as configuration management, compliance assessment, and data protection. As a result, an increasing number of enterprises are adopting Intune for their device management needs.
During our research, we identified several under-documented features (which Microsoft does not classify as vulnerabilities) that allow attackers to easily bypass Conditional Access in Microsoft Entra ID by leveraging Intune. Furthermore, by abusing Intune's various capabilities, we discovered that attackers could gain access to on-premises Active Directory and internal network infrastructure.
Note that this is a proof of concept tool. The tool is provided as is, without warranty of any kind.
Supported OSs are as follows:
- Windows
- Android
- Linux
This tool gives red teamers the following advantages:
- Enroll a fake device to Entra ID and Intune
- Steal device configurations such as VPN and Wi-Fi
- Leak domain computer credentials if Hybrid Autopilot is enabled
- Download installer files for line-of-business apps, PowerShell scripts and custom Win32 apps (.bat, .exe, etc.)
- Bypass the Entra ID Conditional Access policy "Require device to be marked as compliant"
- Clean up
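Because the core of the technique is enrolling a device the organisation never provisioned, the defender's counterpart is reviewing device-registration events in the Entra ID audit log for registrations that fall outside normal patterns. The script below is an added defensive example and is not part of Pytune or of Microsoft's tooling. It assumes records shaped like Microsoft Graph `auditLogs/directoryAudits` entries (the field names `activityDisplayName`, `activityDateTime`, `initiatedBy.user.userPrincipalName` and `targetResources[].displayName` are an assumption to verify against your own tenant's export), and the sample records, the `CORP-` naming prefix and the per-user threshold are all constructed for the example.

```python
"""Triage Entra ID device-registration audit records for anomalies.

Added defensive example, not part of Pytune. Field names follow the shape of
Microsoft Graph `auditLogs/directoryAudits` records as an assumption; check
them against your tenant's export before relying on this.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data).
SAMPLE_AUDIT = [
    {"activityDisplayName": "Register device",
     "activityDateTime": "2024-05-01T08:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
     "targetResources": [{"displayName": "CORP-LT-0417"}]},
    {"activityDisplayName": "Register device",
     "activityDateTime": "2024-05-01T09:15:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.test"}},
     "targetResources": [{"displayName": "DESKTOP-7H2K9"}]},
    {"activityDisplayName": "Register device",
     "activityDateTime": "2024-05-01T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.test"}},
     "targetResources": [{"displayName": "CORP-LT-0901"}]},
    {"activityDisplayName": "Register device",
     "activityDateTime": "2024-05-01T10:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.test"}},
     "targetResources": [{"displayName": "CORP-LT-0902"}]},
    {"activityDisplayName": "Register device",
     "activityDateTime": "2024-05-01T10:40:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.test"}},
     "targetResources": [{"displayName": "CORP-LT-0903"}]},
    # Unrelated event: must be ignored by the filter below.
    {"activityDisplayName": "Update user",
     "activityDateTime": "2024-05-01T11:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
     "targetResources": [{"displayName": "alice@example.test"}]},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_registrations(records, naming_prefix="CORP-",
                                  max_per_user=2, window=timedelta(hours=24)):
    """Return findings for device registrations that look unprovisioned.

    Two heuristics (both tunable assumptions, not a Microsoft recommendation):
      1. the registered device name does not follow the fleet naming prefix;
      2. one identity registers more than `max_per_user` devices within `window`.
    """
    findings = []
    by_user = defaultdict(list)

    for rec in records:
        if rec.get("activityDisplayName") != "Register device":
            continue
        upn = (rec.get("initiatedBy", {}).get("user", {})
               .get("userPrincipalName", "<unknown>"))
        targets = rec.get("targetResources") or [{}]
        name = targets[0].get("displayName", "")
        when = parse_time(rec["activityDateTime"])
        by_user[upn].append((when, name))
        if not name.startswith(naming_prefix):
            findings.append({"user": upn, "device": name,
                             "reason": "device name outside naming convention"})

    # Sliding window over each user's registrations, sorted by time.
    for upn, items in by_user.items():
        items.sort()
        for i in range(len(items)):
            j = i
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            if j - i > max_per_user:
                findings.append({"user": upn, "device": None,
                                 "reason": f"{j - i} registrations within {window}"})
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_registrations(SAMPLE_AUDIT):
        print(f)
```

Run on the constructed records it reports two findings: bob's `DESKTOP-7H2K9` for breaking the naming convention, and carol for three registrations inside the 24-hour window. Either alert is a prompt to check the device in Intune for a matching Autopilot or enrollment-profile record and to confirm who requested it, which is where a device added by a tool rather than by provisioning will stand out.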