当前位置:首页 > 报告详情

调查 Microsoft Intune 中的恶意脚本.pdf

上传人: 可*** 编号:991888 2025-12-07 57页 2.63MB

1、Investigating a malicious script in Microsoft Intune:A DFIR case studySANS DFIR Summit 20252 2025 KPMG LLP,a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited,a private English company limit

2、ed by guarantee.All rights reserved.USCS026964-1AContents12345AgendaBaseline IntuneForensic analysisTools usedResearch6Summary3 2025 KPMG LLP,a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limi

3、ted,a private English company limited by guarantee.All rights reserved.USCS026964-1Awhoamiwhoami Dennis Labossiereexperience.ps1-job-degrees All-years-certs All Director within the KPMG Cyber Threat Management practice BS degree from Utica College(n/k/a Utica University)in cybercrime forensics and i

4、nvestigations MS degree from Utica College(n/k/a Utica University)in computer forensics and cyber operations Ten years of DFIR experience SANS GCFA SentinelOne Incident Response Engineer MITRE ATT&CK Defender CTI and Adversary Emulationcyber_passions.ps1-all Threat hunting and detection engineering

5、Ransomware investigationspersonal.ps1-all Husband and father Former collegiate baseball player Glamor camper(camping with electric hookup)who loves to fish and cook4 2025 KPMG LLP,a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms a

6、ffiliated with KPMG International Limited,a private English company limited by guarantee.All rights reserved.USCS026964-1AWIIFM?We all havesomething to learn(e.g.,defensive measures,new analytic technique,or a new data source).Reminder to leverage all available telemetry:Think about what data may be

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
根据报告的内容,全文主要内容概括如下: 1. **背景**:2023年6月,KPMG应对一起入侵事件,远程攻击者通过修改Microsoft Intune中的“TeamsFirewall updater”脚本,成功获取了高权限账户访问权限。 2. **调查方法**:通过Microsoft Graph API获取Intune脚本信息,分析修改后的PowerShell脚本内容,使用CyberChef解码Base64编码的脚本。 3. **取证分析**: - 分析修改后的脚本,发现其下载并安装远程访问应用程序。 - 利用Windows事件日志、注册表、Intune特定日志、Azure服务主体登录日志和Intune审计日志进行取证分析。 4. **工具**:使用Azure Portal、Intune Management Portal、Azure Graph API、KPMG Digital Responder、CyberChef、Registry Explorer等工具。 5. **研究**:参考了多篇关于Microsoft Intune、PowerShell脚本和取证分析的文章和博客。 6. **总结**:详细介绍了如何通过Intune和Graph API进行取证分析,并提供了相关工具和研究资源。
"Intune脚本篡改揭秘" "Azure安全漏洞案例分析" 恶意脚本追踪"
客服
商务合作
小程序
服务号
折叠