Maestro

Maestro is an open-source C# post-exploitation tool designed to interact with Intune/EntraID from a C2 agent on a user's workstation, without requiring knowledge of the user's password or of Azure authentication flows, and without token manipulation or web-based administration console access.

Maestro makes interacting with Intune and EntraID (and potentially other Azure services) from C2 much easier: to execute actions in Azure on behalf of the logged-in user, the operator does not need to obtain the user's cleartext password, extract primary refresh token (PRT) cookies from the system, run additional tools or a browser session over a SOCKS proxy, or deal with Azure authentication flows, tokens, or conditional access policies.

Maestro is a wrapper for local PRT cookie requests and calls to the Microsoft Graph API, featuring numerous quality-of-life enhancements for red teamers. It enables several attack paths between on-premises and Azure environments. For example, by running Maestro on an Intune admin's machine, you can execute PowerShell scripts on any enrolled device without needing to know the admin's credentials, even if conditional access policies specify MFA, device compliance, and hybrid-joined device requirements.