Bring Your Own Policy: Weaponizing ADMX for Cloud-to-On-Prem Lateral Movement

Hitesh Duseja & Vishal Raj

Security Researcher @ AlteredSecurity


Talk Abstract

In enterprise IT, Azure is one of the leading cloud service providers across the globe. Intune is a market-leading endpoint management suite that enables organizations to securely manage their endpoints, and it is part of the same Microsoft cloud ecosystem as Azure. This has made Intune a high-value target for threat actors. One of its abusable features is the ability to execute platform scripts directly on enrolled devices at scale.

To mitigate this risk of Intune abuse, Microsoft started introducing changes from 2025 that cut down the Microsoft Graph permissions available to its first-party applications. This closed off Intune abuse, in particular script execution, which is crucial during cloud-to-on-prem lateral movement.

In this talk, we will explore a novel approach to subverting Intune that has not yet been thwarted by any current Microsoft countermeasure. We will show how a Microsoft first-party app with limited Microsoft Graph permission scopes can still be abused to weaponize ADMX policy and deploy a device configuration to Intune-enrolled Windows endpoints, which then executes an old-time registry persistence mechanism via Local Group Policy for lateral movement in hybrid environments.

About the Speakers

Hitesh Duseja

Security Researcher @ AlteredSecurity

Hitesh Duseja is a Security Researcher with a strong passion for Enterprise Cloud Security and Red Teaming. He continuously researches attack vectors in Azure, with a focus on Entra ID, Hybrid Identity and Intune, to simulate threat actors and come up with implementable detective and preventive mitigations that help secure enterprise environments.

Hitesh works at Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/.

Vishal Raj

Security Researcher @ AlteredSecurity

Security researcher at Altered Security specializing in Azure Cloud Security, Red Teaming and Network Security. He focuses on identifying and exploiting misconfigurations in modern cloud environments, with a passion for enhancing enterprise security by simulating real-world attack scenarios and providing actionable defense strategies.