Abusing AirWatch MDM Services to Bypass MFA
Tags
attack-pattern: Model Credentials - T1589.001 Device Registration - T1098.005 Domain Accounts - T1078.002 Javascript - T1059.007 Multi-Factor Authentication - T1556.006 Server - T1583.004 Server - T1584.004
Show in Graph
Common Information
Type Value
UUID 573d6d4e-5752-4975-97e9-45ec28f5e2c3
Fingerprint bc11d918c873ba89
Analysis status DONE
Considered CTI value 2
Text language
Published Dec. 11, 2020, noon
Added to db Aug. 30, 2024, 11:30 p.m.
Last updated Sept. 11, 2024, 8:23 p.m.
Headline UNKNOWN
Title Abusing AirWatch MDM Services to Bypass MFA
Detected Hints/Tags/Attributes 56/1/20
Source URLs
Redirection Url
Details Source https://www.optiv.com/insights/source-zero/blog/abusing-airwatch-mdm-services-bypass-mfa
URL Provider
Details Provider Source level domain
Details optiv.com www.optiv.com
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 346 Optiv Blog https://www.optiv.com/resources/blog/feed 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 1 
awmdm.com
Details Domain 1 
discovery.awmdm.com
Details Domain 1 
deviceregistry.aws
Details Domain 20 
vmware.com
Details Domain 1 
awcredentials.aws
Details Domain 1 
vmware.awmdm.com
Details Domain 1 
airwatchenroll.aws
Details Domain 1 
authenticationendpoint.aws
Details Domain 1 
com.boxer.email
Details Domain 1 
authetnicationendpoint.aws
Details Domain 1 
com.box.email
Details Domain 72 
optiv.com
Details Email 1 
deviceplatformid=2&emailaddress=test@vmware.com
Details Email 65 
legal@optiv.com
Details File 20 
com.ai
Details md5 1 
53edf056709f7e16a1c3fb6ac56aea51
Details sha1 1 
3c411751c74c4f6cbceac8e39dd053d4c226d78d
Details sha1 1 
ae869987f1324beba92dfaca4edc4f0d896fdf49
Details sha1 1 
409853f111044398a463119d878f34665e23271f
Details Url 1 
https://vmware.awmdm.com/devicemanagement/enrollment/begin-