Stryker Attack Readiness Assessment for Microsoft 365 Tenants
A read-only PowerShell tool that audits your Microsoft 365 tenant against the CISA hardening recommendations issued after the Stryker Corporation cyberattack (March 2026). Produces an executive HTML report with a readiness score, detailed findings, and step-by-step remediation instructions for Entra ID and Microsoft Intune.
The scan performs read-only checks only — it will not modify, write to, or change your tenant configuration. A separate optional setup script (Setup-StrykerScanApp.txt) is included for creating an app registration if needed for automated or MSP use — review it before running.
By GALVNYZ
On March 11, 2026, Iran-linked threat actors attacked Stryker Corporation using wiper malware distributed through compromised Microsoft Intune endpoint management. CISA identified the root cause as configuration weaknesses — not software vulnerabilities:
- Admin accounts without phishing-resistant MFA
- Overly broad admin roles with no scope restrictions
- No multi-admin approval for destructive operations (device wipe, script deployment)
- Missing Conditional Access policies for admin portals
StrykerScan checks your tenant for these exact configuration weaknesses and tells you how to close them.
```powershell
# 1. Clone the repository
git clone https://github.com/Galvnyz/StrykerScan.git
cd StrykerScan

# 2. Install required modules (one-time)
Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Users -Scope CurrentUser

# 3. Run the scan (interactive sign-in)
.\Invoke-StrykerScan.ps1
```

First time on Windows? If you get a script execution error, run `Set-ExecutionPolicy RemoteSigned -Scope CurrentUser` first.
A browser window will open for Microsoft sign-in. After authentication, the scan runs 20 security checks and generates three output files:
| Output | Purpose |
|---|---|
| `StrykerScan-<Tenant>-<timestamp>.html` | Executive report with readiness score, findings, and remediation |
| `StrykerScan-<Tenant>-<timestamp>.csv` | Machine-readable results for tracking changes over time |
| `StrykerScan-<Tenant>-<timestamp>.log` | Full log of the scan run with all check details |
StrykerScan supports two authentication modes.

Interactive (delegated) sign-in:

```powershell
.\Invoke-StrykerScan.ps1
```

Opens a browser for Microsoft 365 login. The signed-in user must hold one of these Entra ID roles:
- Security Reader (minimum for full results)
- Global Reader or Global Administrator also work

All 20 checks work with Security Reader. No high-privilege admin role is required.

App-only (client credentials), for automated or MSP use:

```powershell
$secret = ConvertTo-SecureString "your-client-secret" -AsPlainText -Force
.\Invoke-StrykerScan.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -ClientSecret $secret
```

Requires an Entra ID app registration with the correct permissions. See App Registration Setup below. The literal-string form above is for illustration only: in a real script or scheduled task, take the secret from a secrets store or prompt for it with `Read-Host -AsSecureString`, so it never lands in source control or shell history.
The included Setup-StrykerScanApp.txt script automates the creation of the required app registration with all permissions.

1. Review the script: open Setup-StrykerScanApp.txt and read through it to understand what it will create.
2. Rename the file: change the extension from .txt to .ps1.
3. Run as Global Administrator: the script requires Global Admin to create the app registration and grant tenant-wide admin consent for its application permissions.

```powershell
# Rename and run
Rename-Item .\Setup-StrykerScanApp.txt Setup-StrykerScanApp.ps1
.\Setup-StrykerScanApp.ps1
```

What the script creates:

| Resource | Details |
|---|---|
| App name | StrykerScan - Security Assessment (Read-Only) |
| Description | Clearly identifies the app as a read-only security assessment tool |
| Client secret | 1-year validity, named "StrykerScan secret"; created by the setup script |
| Admin consent | Automatically granted for all permissions |
All permissions are read-only application permissions (not delegated):

| Permission | What it reads | Used by |
|---|---|---|
| Directory.Read.All | Admin roles, users, sign-in activity | STK-001, 013, 015 |
| Organization.Read.All | Tenant name, license SKUs | Report header, STK-008 |
| Policy.Read.All | Conditional Access policies, security defaults | STK-004, 005, 009, 010, 012, 016 |
| DeviceManagementConfiguration.Read.All | Intune compliance policies, multi-admin approval | STK-006, 011 |
| DeviceManagementRBAC.Read.All | Intune RBAC role assignments | STK-007 |
| DeviceManagementApps.Read.All | Intune audit events for device wipe detection | STK-014 |
| AuditLog.Read.All | Sign-in activity for stale admin detection | STK-014, 015 |
| RoleManagement.Read.Directory | PIM role assignment schedules | STK-008 |

Not every check appears in the "Used by" column (STK-002, 003, 017, 018, 019 and 020 are not mapped), so compare the scopes that helpers/Connect-StrykerGraph.ps1 actually requests against this table before granting consent, and confirm afterwards that the app holds nothing beyond read-only permissions.
The script outputs your Tenant ID, Client ID, and Client Secret. Save these in a secrets vault, not in a script or repository: the client secret cannot be retrieved again, and together with the client ID it gives read access to admin roles, policies, sign-in logs and Intune configuration for the whole tenant. Plan to rotate it before the 1-year expiry.

```powershell
$secret = ConvertTo-SecureString "the-output-secret" -AsPlainText -Force
.\Invoke-StrykerScan.ps1 -TenantId "your-tenant-id" -ClientId "your-client-id" -ClientSecret $secret
```

StrykerScan runs 20 checks across 4 categories, each mapped to specific CISA recommendations.
| ID | Check | Severity | What it detects |
|---|---|---|---|
| STK-001 | Global Admin Count | Critical | More than 2 Global Administrators |
| STK-002 | Admin MFA Registration | Critical | Privileged admins with no MFA method registered |
| STK-003 | Admin MFA Strength | High | Admins using SMS/voice MFA instead of phishing-resistant methods |
| STK-008 | PIM Configuration | Medium | Standing admin access instead of just-in-time elevation via PIM |
| STK-015 | Stale Admin Accounts | High | Admin accounts inactive >90 days still holding privileged roles |
| STK-017 | On-Prem Synced Admins | High | Privileged admin accounts synced from on-premises AD (compromise path) |
| STK-019 | Privileged Group Assignments | High | Unprotected groups assigned to admin roles (privilege escalation path) |
| STK-020 | Overprivileged Apps | High | App registrations with dangerous Intune/device management write permissions |
| ID | Check | Severity | What it detects |
|---|---|---|---|
| STK-004 | CA for Admin Portals | Critical | No CA policy targeting admin portal access for privileged roles |
| STK-005 | Phishing-Resistant Auth | Critical | No CA policy requiring phishing-resistant auth strength for admins |
| STK-009 | Security Defaults | Medium | Security Defaults disabled without equivalent CA policies |
| STK-010 | Legacy Auth Blocked | High | Legacy authentication protocols not blocked |
| STK-012 | Admin Sign-In Risk | High | No CA policy evaluating sign-in risk for admin accounts |
| STK-016 | Admin Device Compliance | High | No CA policy requiring admins to use compliant devices |
| STK-018 | CA Policy Exclusions | High | Privileged admin accounts excluded from Conditional Access policies |
| ID | Check | Severity | What it detects |
|---|---|---|---|
| STK-006 | Multi-Admin Approval | Critical | Intune multi-admin approval not enabled for destructive operations |
| STK-007 | RBAC Role Scope | High | Intune roles with overly broad scope (no scope tags) |
| STK-011 | Device Compliance Policies | Medium | No device compliance policies defined in Intune |
| ID | Check | Severity | What it detects |
|---|---|---|---|
| STK-013 | Break-Glass Account | Medium | No emergency access (break-glass) account detected |
| STK-014 | Device Wipe Audit | Critical | Mass device wipe actions in last 30 days (active attack indicator) |
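To make the check descriptions concrete, here is an added, stand-alone example of what a check like STK-018 looks for; it is not StrykerScan's own check code. It enumerates users holding privileged roles, then reports every enabled Conditional Access policy that excludes one of them directly, through an excluded group, or by excluding the role template itself. The set of role names is an assumption (extend it as needed), and the Microsoft.Graph.Groups module is assumed to be installed, which the Quick Start list does not include.

```powershell
# Added example, not StrykerScan's own check: privileged accounts excluded from enabled
# Conditional Access policies (the STK-018 idea). Needs Policy.Read.All and
# Directory.Read.All; assumes Microsoft.Graph.Groups is installed.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

# Assumed set of "privileged" roles; adjust to your tenant's definition.
$PrivilegedRoles = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Conditional Access Administrator', 'Intune Administrator', 'Authentication Administrator',
    'User Administrator', 'Exchange Administrator'
)

# userId -> details, for active (not PIM-eligible) assignments of the roles above.
# Groups assigned to roles are skipped here; that is STK-019's territory.
$admins = @{}
foreach ($role in Get-MgDirectoryRole -All | Where-Object DisplayName -in $PrivilegedRoles) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        if (-not $admins.ContainsKey($m.Id)) {
            $admins[$m.Id] = @{ Upn = $m.AdditionalProperties['userPrincipalName']; Roles = @(); TemplateIds = @() }
        }
        $admins[$m.Id].Roles       += $role.DisplayName
        $admins[$m.Id].TemplateIds += $role.RoleTemplateId
    }
}

# Transitive membership of excluded groups, cached per group ID so nested groups
# and break-glass groups are resolved once.
$groupMembers = @{}
function Get-ExcludedViaGroups([string[]] $GroupIds) {
    foreach ($g in $GroupIds) {
        if (-not $groupMembers.ContainsKey($g)) {
            $groupMembers[$g] = @(Get-MgGroupTransitiveMember -GroupId $g -All | Select-Object -ExpandProperty Id)
        }
        $groupMembers[$g]
    }
}

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled') {
    $u = $p.Conditions.Users
    $viaGroup = @(Get-ExcludedViaGroups $u.ExcludeGroups)
    foreach ($id in $admins.Keys) {
        $a   = $admins[$id]
        $how = @()
        if ($id -in $u.ExcludeUsers) { $how += 'user' }
        if ($id -in $viaGroup)       { $how += 'group' }
        if (@($a.TemplateIds | Where-Object { $_ -in $u.ExcludeRoles }).Count) { $how += 'role' }
        if ($how.Count) {
            [pscustomobject]@{
                Policy      = $p.DisplayName
                Admin       = $a.Upn
                Roles       = $a.Roles -join '; '
                ExcludedVia = $how -join ','
            }
        }
    }
}
$findings | Sort-Object Policy, Admin | Format-Table -AutoSize
```

Reconcile the output against the emergency access account from STK-013: a break-glass account is supposed to be excluded from Conditional Access, so it will appear on every policy, while any other privileged user on the list is a gap. Policies in report-only state are deliberately ignored; they enforce nothing, so an exclusion there is not yet a risk.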
The Stryker Readiness Score (0-10) is calculated from check results weighted by severity:
| Severity | Weight |
|---|---|
| Critical | 4 |
| High | 3 |
| Medium | 2 |
| Low | 1 |
Checks returning NotApplicable (e.g., PIM without Entra ID P2 license) are excluded from the score.
| Score | Rating | Meaning |
|---|---|---|
| 8-10 | Well Protected | Tenant meets most CISA recommendations |
| 5-7 | Needs Attention | Significant gaps that should be addressed |
| 0-4 | High Risk | Tenant is vulnerable to the Stryker attack pattern |
Every scan exports a CSV file with the same data as the HTML report. Import CSVs into Excel or Power BI to track your readiness score and individual check results over time.

The CSV columns are: ScanDate, TenantName, TenantId, Score, CheckId, CheckName, Category, Status, Severity, Finding, Remediation, Reference, CisaMapping.

To combine multiple scans into a single tracking spreadsheet (the history file matches the same wildcard, so exclude it or every rerun will append it to itself):

```powershell
Get-ChildItem .\StrykerScan-*.csv -Exclude StrykerScan-History.csv | Import-Csv | Export-Csv .\StrykerScan-History.csv -Append -NoTypeInformation
```
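The readiness score in the report can be cross-checked from the CSV. The following added example (not StrykerScan's own code) recomputes it with the severity weights from the scoring table, excludes NotApplicable checks as the page describes, and trends the result across scans in a history file. Two assumptions are labelled in the code: that Status values are `Pass`, `Fail` and `NotApplicable`, and that the score is 10 times the weight of passed checks divided by the weight of all applicable checks, which fits the table but is not stated on the page. The history rows are constructed sample data in the documented column layout.

```powershell
# Added example, not part of StrykerScan. Assumptions: Status is 'Pass', 'Fail' or
# 'NotApplicable'; score = 10 * (weight of passed checks) / (weight of applicable checks).
$Weight = @{ Critical = 4; High = 3; Medium = 2; Low = 1 }

function Get-StrykerScore {
    param([Parameter(Mandatory)] [object[]] $Rows)   # one scan's rows: CheckId, Severity, Status

    # NotApplicable checks (e.g. PIM without a P2 licence) leave both numerator and denominator.
    $applicable = @($Rows | Where-Object Status -ne 'NotApplicable')
    $total  = ($applicable | ForEach-Object { $Weight[$_.Severity] } | Measure-Object -Sum).Sum
    $passed = ($applicable | Where-Object Status -eq 'Pass' |
               ForEach-Object { $Weight[$_.Severity] } | Measure-Object -Sum).Sum
    if (-not $total) { return $null }

    $score  = [math]::Round(10 * $passed / $total, 1)
    $rating = if ($score -ge 8) { 'Well Protected' } elseif ($score -ge 5) { 'Needs Attention' } else { 'High Risk' }

    # Failing checks, heaviest first: the order in which remediation moves the score most.
    $fixFirst = $applicable | Where-Object Status -eq 'Fail' |
                Sort-Object { $Weight[$_.Severity] } -Descending |
                ForEach-Object { "$($_.CheckId) ($($_.Severity))" }

    [pscustomobject]@{
        Score = $score; Rating = $rating
        PassedWeight = $passed; TotalWeight = $total
        FixFirst = $fixFirst -join ', '
    }
}

# Constructed sample in the CSV layout StrykerScan writes, trimmed to the columns used here.
# For real data replace the here-string with: Import-Csv .\StrykerScan-History.csv
$history = @'
ScanDate,TenantId,CheckId,Severity,Status
2026-03-20,contoso,STK-001,Critical,Pass
2026-03-20,contoso,STK-002,Critical,Fail
2026-03-20,contoso,STK-006,Critical,Fail
2026-03-20,contoso,STK-008,Medium,NotApplicable
2026-03-20,contoso,STK-010,High,Pass
2026-03-20,contoso,STK-015,High,Fail
2026-03-20,contoso,STK-013,Medium,Pass
2026-04-01,contoso,STK-001,Critical,Pass
2026-04-01,contoso,STK-002,Critical,Pass
2026-04-01,contoso,STK-006,Critical,Pass
2026-04-01,contoso,STK-008,Medium,NotApplicable
2026-04-01,contoso,STK-010,High,Pass
2026-04-01,contoso,STK-015,High,Fail
2026-04-01,contoso,STK-013,Medium,Pass
'@ | ConvertFrom-Csv

$history | Group-Object ScanDate, TenantId | ForEach-Object {
    $r = Get-StrykerScore -Rows $_.Group
    [pscustomobject]@{
        ScanDate = $_.Group[0].ScanDate
        Tenant   = $_.Group[0].TenantId
        Score    = $r.Score
        Rating   = $r.Rating
        FixFirst = $r.FixFirst
    }
} | Sort-Object ScanDate | Format-Table -AutoSize
```

If the recomputed figure disagrees with the Score column the tool wrote, the aggregation assumption above is wrong for that version of the tool; the per-check Status and Severity columns are still the authoritative data, and the FixFirst ordering holds regardless of how the scalar score is built.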
```powershell
# Save output to a specific directory
.\Invoke-StrykerScan.ps1 -OutputDirectory "C:\Reports"

# Suppress automatic browser open
.\Invoke-StrykerScan.ps1 -NoOpenReport
```

- Windows 10/11 or Windows Server (recommended). macOS/Linux work with PowerShell 7, but the auto-open report feature may not function.
- PowerShell 7.0+ (run `$PSVersionTable.PSVersion` to check)
- Microsoft Graph PowerShell SDK modules (see Quick Start for the install command)
- Entra ID role: see Authentication for minimum requirements
- Microsoft 365 with Intune: some checks require Intune to be configured in the tenant
StrykerScan/
├── Invoke-StrykerScan.ps1 # Main orchestrator
├── Setup-StrykerScanApp.txt # App registration setup script (.txt for safety)
├── checks/ # Individual security check scripts
│ ├── Check-GlobalAdminCount.ps1 # STK-001
│ ├── Check-AdminMfaRegistration.ps1 # STK-002
│ ├── Check-AdminMfaStrength.ps1 # STK-003
│ ├── Check-ConditionalAccessAdminPortals.ps1 # STK-004
│ ├── Check-PhishingResistantAuth.ps1 # STK-005
│ ├── Check-MultiAdminApproval.ps1 # STK-006
│ ├── Check-IntuneRbacRoles.ps1 # STK-007
│ ├── Check-PrivilegedIdentityManagement.ps1 # STK-008
│ ├── Check-SecurityDefaults.ps1 # STK-009
│ ├── Check-LegacyAuthentication.ps1 # STK-010
│ ├── Check-DeviceCompliancePolicies.ps1 # STK-011
│ ├── Check-AdminSignInRiskPolicy.ps1 # STK-012
│ ├── Check-BreakGlassAccount.ps1 # STK-013
│ ├── Check-DeviceWipeAudit.ps1 # STK-014
│ ├── Check-StaleAdminAccounts.ps1 # STK-015
│ ├── Check-AdminDeviceCompliance.ps1 # STK-016
│ ├── Check-OnPremSyncedAdmins.ps1 # STK-017
│ ├── Check-CaPolicyExclusions.ps1 # STK-018
│ ├── Check-PrivilegedGroupAssignments.ps1 # STK-019
│ └── Check-OverprivilegedApps.ps1 # STK-020
├── helpers/
│ ├── Connect-StrykerGraph.ps1 # Authentication helper
│ └── New-StrykerReport.ps1 # HTML report generator
└── report/
└── template.html # Report HTML/CSS template
- CISA Advisory: Endpoint Management System Hardening (March 18, 2026)
- Microsoft: Best Practices for Securing Microsoft Intune
- Microsoft: Emergency Access Accounts
- Microsoft: Authentication Strengths
- Microsoft: Multi-Admin Approval for Intune
MIT
This tool is for informational purposes only. It performs read-only checks and does not modify any tenant configuration. Results should be validated by a qualified security professional before making changes to your environment. Results may be incomplete if the account running the scan lacks sufficient permissions. GALVNYZ is not responsible for any actions taken based on the output of this tool.
"Stryker" refers to the publicly reported cybersecurity incident involving Stryker Corporation. This tool is not affiliated with, endorsed by, or associated with Stryker Corporation or CISA.