attacking and defending

Bring Your Own Policy:
Weaponizing ADMX for Cloud-to-On-Prem Lateral Movement

31 July 2026  |  10:00 AM ET  |  2+ Hours Duration

Overview

In Enterprise IT, Azure is one of the leading cloud service providers across the globe. Intune is a market-leading Endpoint Management suite that enables organizations to securely manage their endpoints. It is part of the same Microsoft Cloud ecosystem as Azure.

This has led to Intune becoming a high-value target for threat actors. One of the abusable features in Intune is the ability to execute platform scripts directly on enrolled devices at scale.

To mitigate this risk of Intune abuse, Microsoft started introducing changes from 2025 to cut down the Microsoft Graph permissions available to its First Party applications. This fixed the Intune abuse, especially for script execution, which is crucial during Cloud-to-On-Prem lateral movement.

In this talk, we will explore a novel approach to subvert Intune that has still not been thwarted by any current Microsoft countermeasures.

We will showcase how we can still abuse a Microsoft First Party app with limited Microsoft Graph permission scopes to weaponize ADMX Policy and deploy a Device Configuration on Intune enrolled Windows endpoints, to execute an old-time registry persistence mechanism, via Local Group Policy for lateral movement in Hybrid environments.

Topics we will cover in our webinar are:

We will begin with Microsoft Entra ID as the primary IAM (Identity and Access Management) system and learn about Entra Directory Roles.

We will analyze how Intune works as an MDM solution used for enforcing compliance and deploying configurations, converting cloud instructions into real changes across Windows machines.

Next, we will explore Microsoft Graph as a unified gateway for managing M365, Entra ID and Intune operations.

We will follow up with what Local Group Policy is, and how it is linked to the Windows Registry Hive.

Then, we shall understand ADMX templates (Administrative Templates XML) and examine how the Graph API is utilized for deploying ADMX-backed configurations.

Mainly, we will have a step-by-step demonstration showcasing the Intune ADMX abuse. We shall see how threat actors blend Remote Code Execution triggers into benign everyday user actions.

Lastly, we will have a look at how the lack of ADMX content logging in Intune logs acts as a silent aid for adversaries and blinds defenders.

Attend Live Webinar

31 July 2026 | 10:00 AM ET | 2+ Hours Duration

Practice Attacks

Explore challenges and labs focused on Red Teaming on the Red Labs Platform

Get Webinar Participation Certificate

MEET THE INSTRUCTORS

Hitesh Duseja

Hitesh Duseja is a Security Researcher at Altered Security with a strong passion for Enterprise Cloud Security and Red Teaming. He has 7.5+ years of hands-on experience overall in the Information Security domain and has worked on both sides of the security boundary. He continuously researches attack vectors in Azure with a focus on Entra ID, Hybrid Identity and Intune to simulate threat actors and come up with implementable detective and preventive mitigations to help secure enterprise environments.

Vishal Raj

Vishal Raj is a security researcher at Altered Security specializing in cloud security, red teaming, and network security. With a strong focus on identifying and exploiting misconfigurations in modern cloud environments, Vishal is passionate about enhancing enterprise security by simulating real-world attack scenarios and providing actionable defense strategies. Vishal extensively conducts research on Microsoft Entra ID, contributing to the understanding of identity and access management vulnerabilities in cloud environments. In addition to his technical expertise, Vishal actively contributes to the cybersecurity community by writing insightful blogs on a variety of security topics. His writings aim to bridge the gap between theoretical concepts and practical application, empowering others in the field.
