AgentExecutor.exe

Part of the Intune Management Extension, included on Intune-managed devices

Paths

  • C:\Program Files (x86)\Microsoft Intune Management Extension\AgentExecutor.exe

Commands

Execute

Spawns powershell.exe and executes the provided PowerShell script with the ExecutionPolicy Bypass argument

Use case: Execute unsigned PowerShell scripts

Privileges: User

AgentExecutor.exe -powershell "{PATH_ABSOLUTE:.ps1}" "{PATH_ABSOLUTE:.1.log}" "{PATH_ABSOLUTE:.2.log}" "{PATH_ABSOLUTE:.3.log}" 60000 "C:\Windows\SysWOW64\WindowsPowerShell\v1.0" 0 1

Execute

AgentExecutor.exe runs the file named powershell.exe from the folder path specified on the command line, so a binary placed in that folder under that name is executed successfully

Use case: Execute a provided EXE

Privileges: User

AgentExecutor.exe -powershell "{PATH_ABSOLUTE:.ps1}" "{PATH_ABSOLUTE:.1.log}" "{PATH_ABSOLUTE:.2.log}" "{PATH_ABSOLUTE:.3.log}" 60000 "{PATH_ABSOLUTE:folder}" 0 1
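
A detection-side check for the two command lines above, as an added example that is not part of the original entry: it parses a process-creation command line and reports whether the PowerShell directory argument points outside the standard Windows PowerShell folders. The function names, the trusted-directory list and the sample command lines are assumptions made for this example.

```python
import re
from ntpath import basename, normpath

# Assumption: the only directories that should supply powershell.exe.
# The SysWOW64 path is the one used in the page's first command.
TRUSTED_PS_DIRS = {
    r"c:\windows\syswow64\windowspowershell\v1.0",
    r"c:\windows\system32\windowspowershell\v1.0",
}

def split_cmdline(cmdline):
    # Simplified split: double-quoted runs or bare tokens (no escape handling).
    return [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def inspect_agentexecutor(cmdline):
    """Return parsed details for an AgentExecutor.exe -powershell call, else None."""
    args = split_cmdline(cmdline)
    if not args or basename(args[0]).lower() != "agentexecutor.exe":
        return None
    lowered = [a.lower() for a in args]
    if "-powershell" not in lowered:
        return None
    # Layout on the page: script, three log files, timeout, PowerShell dir, 0, 1
    pos = args[lowered.index("-powershell") + 1:]
    if len(pos) < 6:
        return {"script": pos[0] if pos else None, "ps_dir": None, "ps_dir_trusted": False}
    # normpath collapses "..", "/" and a trailing "\" so lookalike paths do not pass
    ps_dir = normpath(pos[5])
    return {"script": pos[0], "ps_dir": ps_dir,
            "ps_dir_trusted": ps_dir.lower() in TRUSTED_PS_DIRS}

# Constructed sample command lines (not captured from a real host)
TEMPLATE = (r'"C:\Program Files (x86)\Microsoft Intune Management Extension'
            r'\AgentExecutor.exe" -powershell "C:\Temp\s.ps1" "C:\Temp\s.1.log" '
            r'"C:\Temp\s.2.log" "C:\Temp\s.3.log" 60000 "{}" 0 1')
SAMPLES = [
    TEMPLATE.format(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0"),
    TEMPLATE.format(r"C:\Temp\tools"),
    TEMPLATE.format(r"C:\Windows\System32\WindowsPowerShell\v1.0\..\..\..\..\Temp"),
    r"notepad.exe C:\Temp\s.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        hit = inspect_agentexecutor(line)
        if hit and not hit["ps_dir_trusted"]:
            print("ALERT nonstandard powershell.exe directory:", hit["ps_dir"])
        elif hit:
            print("REVIEW script run with ExecutionPolicy Bypass:", hit["script"])
```

A hit with a trusted directory still means a script ran with ExecutionPolicy Bypass, so it is worth triaging by parent process and script location.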

Detection