Bypass Record

BYOVD (Vulnerable Driver) × Microsoft Intune Management Extension

A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Microsoft Intune Management Extension, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Intune Management Extension
Technique
BYOVD (Vulnerable Driver)
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2024-04-04
Config / version noted
Not stated

Provenance

Reported as

bypass Windows Defender Application Control (WDAC) by exploiting a command injection

Mechanism

The Intune Management Extension executable (Microsoft.Management.Services.IntuneWindowsAgent.exe) accepted a -PowerShell parameter whose argument was not properly escaped, allowing command injection. An attacker could craft the argument so that the agent wrote a file to disk; because the agent wrote it, the file inherited the NTFS Extended Attributes that mark a file as created by a Managed Installer. WDAC therefore treated the file as trusted, allowing execution of arbitrary scripts or binaries even in Constrained Language mode.

Detection & mitigation

Monitor for suspicious use of Microsoft.Management.Services.IntuneWindowsAgent.exe with the -PowerShell parameter, especially when it is launched by non-system processes. Ensure the Intune Management Extension is updated to a version that removes the vulnerable switch. Audit WDAC Managed Installer configurations to limit the scope of trust they grant.
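A triage routine over process-creation events for the monitoring step above, as an added example that is not from the cited source. The "expected" launch context (the agent started by services.exe under SYSTEM) and the sample events are assumptions constructed for illustration.

```python
import re
from typing import Optional

AGENT_EXE = "microsoft.management.services.intunewindowsagent.exe"
# The switch named in the record, matched as a standalone token, case-insensitively.
POWERSHELL_SWITCH = re.compile(r"(?<!\S)-powershell(?!\S)", re.IGNORECASE)
# Assumed (not stated in the record) legitimate launch context for the agent:
# started as a service by services.exe under the SYSTEM account.
EXPECTED_PARENT = "services.exe"
SYSTEM_USER = r"nt authority\system"

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """None = ignore; 'review' = switch used from the expected service context;
    'suspicious' = switch used from any other user or parent process."""
    if _basename(event.get("Image", "")) != AGENT_EXE:
        return None
    if not POWERSHELL_SWITCH.search(event.get("CommandLine", "")):
        return None
    if (_basename(event.get("ParentImage", "")) == EXPECTED_PARENT
            and event.get("User", "").lower() == SYSTEM_USER):
        return "review"
    return "suspicious"

def triage(events: list) -> list:
    """Return (index, verdict) for every event that merits attention."""
    hits = []
    for idx, ev in enumerate(events):
        verdict = classify(ev)
        if verdict:
            hits.append((idx, verdict))
    return hits

# Constructed sample events shaped like Sysmon Event ID 1 fields (illustrative only).
AGENT = r"C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe"
SAMPLE_EVENTS = [
    {"Image": AGENT, "CommandLine": f'"{AGENT}"',
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": AGENT, "CommandLine": f'"{AGENT}" -PowerShell',
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": AGENT, "CommandLine": f'"{AGENT}" -PowerShell',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"Image": AGENT, "CommandLine": f'"{AGENT}" -powershell',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for idx, verdict in triage(SAMPLE_EVENTS):
        print(idx, verdict, SAMPLE_EVENTS[idx]["CommandLine"])
```

Because the vendor fix removes the switch entirely, even the "review" verdict is worth checking against the agent version installed on the host.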


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.