2026-04-16 | Auto-Generated 2026-04-16 | Oracle-42 Intelligence Research
SUNBURST 2.0: Supply-chain Attack on Sysmon via Compromised Microsoft Intune Configurations
Executive Summary: In March 2026, a novel supply-chain attack dubbed SUNBURST 2.0 was uncovered, targeting Microsoft Intune-managed endpoints by injecting malicious configurations into Sysmon (System Monitor). The attack exploited the dynamic nature of Intune’s device management pipeline to deliver and execute a compromised Sysmon configuration file, enabling lateral movement, data exfiltration, and persistence across enterprise environments. This campaign represents a significant evolution in adversarial tradecraft, leveraging cloud-based device management platforms as vectors for deep-system compromise. Organizations leveraging Microsoft Intune must prioritize configuration validation, runtime monitoring, and Zero Trust principles to mitigate this threat.
Key Findings
Supply-chain Compromise Pathway: Attackers compromised Microsoft Intune tenant configurations to silently push malicious Sysmon XML rules to managed endpoints.
Evasion via Legitimate Tools: Sysmon, a trusted Microsoft sysadmin tool, was weaponized to log and exfiltrate sensitive data while blending in with normal telemetry.
Lateral Movement Enabled: Malicious Sysmon rules included event filtering and forwarding to command-and-control (C2) infrastructure, facilitating data theft and network reconnaissance.
Persistence Mechanism: Attackers embedded configuration persistence via Intune’s “proactive remediation” scripts, ensuring reinfection even after Sysmon updates.
Evidence of Nation-State Attribution: Early IOCs and TTPs correlate with a known APT group active since 2023, suggesting state-sponsored objectives.
Attack Vector: How SUNBURST 2.0 Exploited Intune and Sysmon
The SUNBURST 2.0 campaign capitalized on the trust relationship between Microsoft Intune and endpoint agents. Unlike traditional supply-chain attacks that compromise software binaries, this attack compromised the configuration pipeline—a less scrutinized but highly privileged attack surface.
Attackers gained initial access via phishing or credential harvesting, then moved laterally to compromise an Intune administrator account or tenant with elevated privileges. Using the Intune management portal or Graph API, they uploaded a malicious Sysmon configuration file (e.g., sysmon64.config.xml) disguised as a routine rule update. Because Intune enforces configuration deployment within minutes, the malicious rules were pushed to thousands of endpoints globally without requiring local admin rights.
The malicious configuration included:
Event filtering rules to capture sensitive registry keys, process executions, and network connections.
Forwarding rules directing events to attacker-controlled C2 servers via DNS tunneling or HTTPS beacons.
Hidden persistence via Intune’s “proactive remediation” scripts that reapply the malicious Sysmon config after reboots or Intune sync cycles.
Why Sysmon Was the Ideal Target
Sysmon is a Microsoft-signed, kernel-level monitoring tool widely deployed in enterprise environments for threat detection and incident response. Its deep visibility makes it a prime target for adversaries seeking to manipulate telemetry from within. By compromising its configuration, attackers could:
Bypass EDR/AV: Malicious Sysmon logs could be crafted to avoid triggering endpoint detection rules.
Blend in with Noise: Legitimate Sysmon telemetry is high-volume; malicious events could hide in plain sight.
Achieve Stealth Persistence: Sysmon configurations are rarely rolled back, and changes persist across updates.
Moreover, Sysmon rules are XML-based and human-readable, but their complexity and size (often 10KB+) make manual inspection impractical at scale—especially when distributed via Intune’s automated pipelines.
Detection and Response Challenges
Traditional endpoint detection and response (EDR) tooling struggled to identify SUNBURST 2.0 for several reasons:
Legitimate Process Names: Sysmon processes (Sysmon64.exe) and drivers (SysmonDrv.sys) were used legitimately, masking malicious behavior.
Encrypted C2 Channels: Exfiltrated data was often routed through legitimate DNS or HTTPS traffic using Sysmon’s network logging.
Intune Blind Spots: Many organizations lacked visibility into Intune configuration changes, especially those pushed via Graph API or third-party integrations.
Organizations required:
Continuous monitoring of Intune audit logs for unauthorized configuration changes.
Behavioral analysis of Sysmon process execution and network connections.
Automated validation of configuration file hashes against known-good baselines.
Lessons from SUNBURST 2.0: A Call for Zero Trust in Device Management
The attack underscores a critical evolution in cyber threats: the weaponization of management tools themselves. As cloud-based device management (MDM/UEM) platforms like Intune, Jamf, and Workspace ONE become ubiquitous, they represent high-value targets for supply-chain compromise.
To defend against similar threats, organizations must adopt a Zero Trust Architecture with the following pillars:
Least Privilege: Enforce role-based access control (RBAC) for Intune administrators; require multi-factor authentication (MFA) and conditional access.
Configuration Integrity: Implement configuration drift detection using tools like Microsoft Defender for Cloud or third-party policy-as-code solutions (e.g., Open Policy Agent).
Runtime Monitoring: Deploy behavioral monitoring (UEBA) to detect anomalous Sysmon rule changes or event forwarding patterns.
Supply-chain Transparency: Maintain an SBOM (Software Bill of Materials) for all configuration files and scripts deployed via Intune.
Isolation and Segmentation: Use network segmentation to limit lateral movement from compromised endpoints.
Recommendations for Immediate Action
Organizations currently using Microsoft Intune and Sysmon should take the following steps:
Audit Intune Configurations: Review all device compliance and configuration profiles for unauthorized or suspicious Sysmon XML files.
Validate Sysmon Configurations: Use tools like sysmon-config or Microsoft’s SysmonAnalyzer to compare deployed rules against known-good baselines.
Enable Intune Audit Logs: Monitor the Microsoft Intune admin center audit logs for changes to device profiles, PowerShell scripts, and configuration files.
Implement Runtime Detection Rules: Create custom detection rules in SIEM platforms to flag Sysmon process execution with unusual command-line arguments or network destinations.
Test Proactive Remediations: Review all “proactive remediation” scripts in Intune for hidden persistence mechanisms.
Conduct Tabletop Exercises: Simulate a compromised Intune tenant to test detection and response capabilities.
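The hash validation called for above and the baseline comparison in "Validate Sysmon Configurations" can be combined in one check. The following is an added example, not code from the report or from Microsoft; the two Sysmon XML configs are constructed samples (a pinned known-good baseline and a drifted copy as an endpoint might have received it), and the rule-flattening logic assumes the standard Sysmon schema layout of event elements with an onmatch attribute under EventFiltering, optionally wrapped in RuleGroup or Rule.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample baseline: a small known-good Sysmon config (not a real deployed file).
BASELINE_XML = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="end with">powershell.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <NetworkConnect onmatch="exclude">
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>"""

# Constructed sample of what an endpoint actually received: one rule dropped, one rule added.
DEPLOYED_XML = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <NetworkConnect onmatch="exclude">
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
    <RegistryEvent onmatch="include">
      <TargetObject condition="contains">CurrentVersion\\Run</TargetObject>
    </RegistryEvent>
  </EventFiltering>
</Sysmon>"""

def config_hash(xml_text):
    """SHA-256 of the raw config bytes; this is the value to pin as the known-good baseline."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def extract_rules(xml_text):
    """Flatten every filter under <EventFiltering> into (event, onmatch, field, condition, value).
    Handles bare event elements and <RuleGroup> wrappers; compound <Rule> filters are unwrapped."""
    root = ET.fromstring(xml_text)
    rules = set()
    filtering = root.find("EventFiltering")
    if filtering is None:
        return rules
    for event in filtering.iter():
        if "onmatch" not in event.attrib:      # only event-type elements carry onmatch
            continue
        for child in event:
            fields = list(child) if child.tag == "Rule" else [child]
            for f in fields:
                rules.add((event.tag, event.get("onmatch"), f.tag,
                           f.get("condition", "is"), (f.text or "").strip()))
    return rules

def validate_config(deployed_xml, baseline_xml):
    """Fast path: identical hash means no drift. Otherwise report exactly which rules changed."""
    if config_hash(deployed_xml) == config_hash(baseline_xml):
        return {"hash_match": True, "added": [], "removed": []}
    base, dep = extract_rules(baseline_xml), extract_rules(deployed_xml)
    return {"hash_match": False, "added": sorted(dep - base), "removed": sorted(base - dep)}
```

The rule-level diff matters because a hash mismatch alone cannot distinguish a harmless whitespace edit from a new include rule; in a real pipeline the deployed XML would be read from the endpoint and the baseline hash from a signed inventory.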
Long-term Strategic Implications
SUNBURST 2.0 signals a shift from attacking software to attacking how software is configured and managed. This trend will likely expand to other MDM/UEM platforms and cloud management consoles (e.g., Azure Policy, AWS Systems Manager). Future attacks may involve:
Compromised Group Policy Objects (GPOs) pushed via Intune hybrid configurations.
Malicious PowerShell scripts signed with stolen Intune code-signing certificates.
AI-driven configuration manipulation, where attackers use LLMs to craft stealthy Sysmon rules.
To stay ahead, security teams must treat device management platforms as critical attack surfaces and integrate them into their threat modeling and red teaming exercises.
Conclusion
SUNBURST 2.0 represents a watershed moment in supply-chain security, demonstrating how trusted cloud management tools can be hijacked to deliver silent, scalable attacks. Its success hinged not on exploiting a zero-day, but on abusing the trust in configuration and telemetry systems. As organizations accelerate their shift to cloud-managed endpoints, they must adopt a proactive, Zero