
The recent cyberattack on the Stryker Corporation has created chaos across the healthcare and cybersecurity sectors. Beginning on March 11, 2026, the incident disrupted global operations, manufacturing, and surgical schedules. This wasn’t a standard ransomware play; it was a clinical execution of “living off the land” techniques that turned an organization’s own management tools against it. “Living off the land” simply describes attacks built on common admin tools, improperly managed credentials, and overly broad privileges.

The Attack Vector: Weaponizing Global Admin Rights

Reports indicate that the attackers hijacked accounts with Global Administrator rights in Stryker’s Microsoft environment. With those credentials, the threat actors gained access to Microsoft Intune, possibly the most widely used cloud-based endpoint management platform, which the company uses to manage its devices. Instead of encrypting data for a fee, they issued mass “wipe” commands, remotely deleting the operating systems of tens of thousands of servers and workstations. Intune does not natively manage server configuration, so these reports need further investigation; multiple methods may have been in play.

This highlights something that has been said for oh so many years! Allowing standing access to Global, Domain, or Enterprise Admin roles creates a wide-open door for total infrastructure destruction. Don’t do this!

Beyond Intune: The Group Policy Factor

While this specific breach spotlighted cloud-based management, it is critical to recognize that this is not just an “Intune problem.” Most organizations still rely heavily on Active Directory and Group Policy (GPO) to manage their core infrastructures. Whether an organization is cloud-native, on-premises, or hybrid, the risk remains the same: any configuration management solution—be it GPO, Intune, or SCCM—can be weaponized if it is not aligned with Zero Trust and Least Privilege models. If a hacker gains Domain Admin or Global Admin rights, they possess the keys to push malicious configurations across the entire enterprise in seconds.

CISA’s Stance: Zero Trust is Non-Negotiable

In a recent statement, the Cybersecurity and Infrastructure Security Agency (CISA) provided urgent recommendations for critical infrastructure. Their guidance centers on moving away from legacy “perimeter” security toward a strict Zero Trust architecture:

  • Eliminate Standing Privileges: Administrative rights should never be “always on.” Organizations must move to Just-in-Time (JIT) elevation or role-based delegation that is tightly controlled and monitored.
  • Enforce Least Privilege: Every user and admin must have the minimum access necessary for a specific, time-bound task.
  • Harden Management Tools: Systems like GPO and Intune are high-value targets. They require MFA and rigorous configuration locking.

The Solution: Visibility and Change Management

The Stryker incident proves that once an attacker has admin rights, their actions appear “legitimate” to standard security tools. To counter this, enterprises must implement proactive change management and deep auditing.
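As an added illustration of that auditing point (example code written for this post, not SDM Software’s product or a Microsoft API; the record layout, tenant names and approval list are constructed assumptions), this Python sketch reads Intune-style device-action audit records and raises two alerts a standard login log would miss: a burst of Wipe/Retire actions from one administrator, and any destructive action with no matching change approval.

```python
"""Flag mass remote-wipe activity in Intune-style device audit records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (fictional tenant; simplified layout, not the real Graph audit schema).
SAMPLE_EVENTS = [
    {"time": "2026-03-11T02:00:05Z", "actor": "helpdesk@example.com", "activity": "Wipe", "device": "LT-0001"},
    {"time": "2026-03-11T02:00:09Z", "actor": "ga-admin@example.com", "activity": "Wipe", "device": "WS-1001"},
    {"time": "2026-03-11T02:00:11Z", "actor": "ga-admin@example.com", "activity": "Wipe", "device": "WS-1002"},
    {"time": "2026-03-11T02:00:12Z", "actor": "ga-admin@example.com", "activity": "Sync", "device": "WS-1003"},
    {"time": "2026-03-11T02:00:14Z", "actor": "ga-admin@example.com", "activity": "Wipe", "device": "WS-1004"},
    {"time": "2026-03-11T02:00:20Z", "actor": "ga-admin@example.com", "activity": "Wipe", "device": "WS-1005"},
    {"time": "2026-03-11T09:30:00Z", "actor": "helpdesk@example.com", "activity": "Retire", "device": "LT-0002"},
]

# Wipe and Retire are real Intune device actions; both destroy or detach an endpoint.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire"}
# Constructed change-ticket approvals: (actor, device) pairs cleared for such an action.
APPROVED = {("helpdesk@example.com", "LT-0001"), ("helpdesk@example.com", "LT-0002")}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unapproved_actions(events, approved=APPROVED):
    """Destructive actions with no matching change approval: the oversight gap."""
    return [e for e in events
            if e["activity"] in DESTRUCTIVE_ACTIONS
            and (e["actor"], e["device"]) not in approved]


def wipe_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {actor: peak count} for actors issuing >= threshold destructive
    actions within any sliding window; one legitimate reimage never trips it."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["activity"] in DESTRUCTIVE_ACTIONS:
            per_actor[e["actor"]].append(_ts(e["time"]))
    alerts = {}
    for actor, times in per_actor.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts
```

On the sample data the helpdesk account’s two approved, hours-apart actions pass silently, while the Global Admin account trips both the burst detector and the unapproved-action check.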

SDM Software’s Change Manager for Group Policy and Intune is an essential component for securing these management engines. It ensures that no single administrator can unilaterally push a destructive policy or “wipe” command without oversight.

  • Comprehensive Change Management: SDM Software introduces a layer of “checks and balances,” requiring approvals for sensitive modifications.
  • Deep Auditing & Compliance: While standard logs show who logged in, SDM provides granular visibility into exactly what was changed within a policy, by whom, and when, and catches unauthorized drift before it can be weaponized.
  • Hybrid Resilience: By managing both GPO and Intune in one interface, SDM Software eliminates the security gaps found in hybrid environments.

SDM’s founder, leader, visionary and Configuration Expert Darren Mar-Elia (aka GPOGuy) published a blog post and whitepaper that point to the issues that allowed this attack to occur and show how “admin tiering” principles can be applied to, for example, Group Policy management. None of this is news, but organizations, CISOs, and IT professionals still need to take the time to implement zero-trust and least-privilege environments.

Conclusion

The Stryker attack is a stark reminder that the tools we use to manage our environments are the same tools hackers will use to destroy them. By adopting Zero Trust, enforcing Least Privilege, and utilizing SDM Software to maintain rigorous change control, organizations can ensure that the “keys to the kingdom” remain out of reach.