Detect Device Registration in Google Chronicle
Adversaries may register a device to an adversary-controlled account to establish persistence or escalate privileges. Devices may be registered in an MFA system (Duo, Okta) to bypass multi-factor authentication requirements, or registered in a device management system (Entra ID, Intune) to access sensitive data while bypassing conditional access policies. APT29 has enrolled attacker-controlled devices into compromised Azure AD tenants. Tools like AADInternals can automate device registration to Entra ID. Adversaries may also exploit self-enrollment workflows that require only a username and password for dormant or first-device scenarios.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1098 Account Manipulation
- Sub-technique: T1098.005 Device Registration
- Canonical reference: https://attack.mitre.org/techniques/T1098/005/
YARA-L Detection Query
```yaral
// Rule 1 — Single registration by unexpected application
rule t1098_005_device_registration_unexpected_app {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Azure AD / Entra ID device registration initiated by an application outside the known MDM allowlist — consistent with adversary-controlled enrollment via AADInternals or similar tooling (T1098.005)"
    mitre_tactic = "Persistence, Privilege Escalation"
    mitre_technique = "T1098.005"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1098/005/"

  events:
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_name = "Azure Active Directory"
    $e.metadata.event_status = "SUCCESS"
    (
      $e.metadata.product_event_type = "Add device" or
      $e.metadata.product_event_type = "Register device" or
      $e.metadata.product_event_type = "Add registered owner to device" or
      $e.metadata.product_event_type = "Add registered users to device" or
      $e.metadata.product_event_type = "Update device" or
      $e.metadata.product_event_type = "Enroll device"
    )
    // Allowlist of expected MDM / sync applications; anything else is suspicious
    not $e.principal.application = /(?i)microsoft intune|intune enrollment|azure active directory connect|microsoft authentication broker|^azure active directory$/
    $e.principal.user.email_addresses[0] != ""
    $user = $e.principal.user.email_addresses[0]

  condition:
    $e
}

// Rule 2 — Bulk device registration (3+ devices from same user within 1 hour)
rule t1098_005_bulk_device_registration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects bulk Entra ID device enrollment — 3 or more successful device registrations from the same user within 1 hour — consistent with AADInternals Register-AADIntJoinedDevice automation and APT29 lateral-movement tradecraft (T1098.005)"
    mitre_tactic = "Persistence, Privilege Escalation"
    mitre_technique = "T1098.005"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1098/005/"

  events:
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_name = "Azure Active Directory"
    $e.metadata.event_status = "SUCCESS"
    (
      $e.metadata.product_event_type = "Add device" or
      $e.metadata.product_event_type = "Register device" or
      $e.metadata.product_event_type = "Enroll device"
    )
    $e.principal.user.email_addresses[0] != ""
    $user = $e.principal.user.email_addresses[0]

  // Group events by user over a 1-hour window
  match:
    $user over 1h

  condition:
    #e >= 3
}
```

Two Chronicle YARA-L 2.0 rules for T1098.005 device registration detection. Rule 1 fires on any single successful Entra ID device registration where the initiating application is outside the known MDM allowlist (Intune, Azure AD Connect, Authentication Broker), covering the AADInternals and custom-script attack vectors. Rule 2 uses the match/condition aggregation window to fire when the same user triggers 3 or more device registration events within a 1-hour window, covering bulk enrollment abuse consistent with APT29 tradecraft.
False Positives & Tuning
- IT provisioning teams performing mass device enrollment during a hardware refresh using tooling that does not match the Microsoft MDM application name allowlist
- Azure AD B2B guest device registrations during cross-tenant collaboration scenarios where the initiating app identity differs from tenant-native Intune
- First-time Azure AD hybrid join synchronisation where Azure AD Connect registers all domain-joined machines in a single scheduled sync pass
- Third-party identity governance solutions (SailPoint, Saviynt) performing device lifecycle operations as part of a joiner/mover/leaver workflow
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Register Device to Entra ID using AADInternals PowerShell Module
Expected signal: Azure AD AuditLogs: OperationName='Add device' with actor UPN, source IP, and DeviceName='TestDevice-AtomicTest'. Result='success'. The initiating app will appear as an unexpected application ID (not standard Intune). SigninLogs will show token acquisition event from the same session.
- Test 2: MFA Device Enrollment on Dormant Account Using Only Password
Expected signal: Azure AD AuditLogs: OperationName='User registered security info' or 'User started security info registration' and 'Update user' with modified properties showing phoneAuthenticationMethod added. SigninLogs: ROPC flow authentication (non-interactive) from the test IP. Identity Protection may flag the ROPC sign-in as risky.
- Test 3: Bulk Device Registration to Entra ID via Graph API
Expected signal: Azure AD AuditLogs: 5 separate 'Add device' events within ~10 seconds from the same actor UPN and IP address. Each event will have Result='success' and DeviceName='AtomicTestDevice-Bulk-{1-5}'. The rapid succession of registrations will be visible in the timestamp sequence.
- Test 4: Register Device to Entra ID Using Existing PRT (Primary Refresh Token) via dsregcmd
Expected signal: Azure AD AuditLogs: OperationName='Add device' or 'Register device' with DeviceName matching the machine's hostname. Initiated by the currently logged-on user. Windows Event Log (System): Event ID 4648 or Events from Microsoft-Windows-User Device Registration source. Certificate created in CERT:\LocalMachine\My for the device.
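To see what the two rules above will and will not flag on the telemetry described in Tests 1 and 3 (and on the Azure AD Connect hybrid-join case from the tuning section), the following Python script re-implements the logic of both YARA-L rules over a handful of constructed UDM-style events. It is an added example, not part of the original page and not Chronicle code; the event dictionaries, user names and application labels are invented, and the flat field names (`application`, `user_email`, `ts`) are a simplification of the UDM paths used in the rules. Rule 2's `match: $user over 1h` is approximated here with a sliding one-hour window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Allowlist regex copied from Rule 1; any other initiating application counts as unexpected.
KNOWN_MDM_APPS = re.compile(
    r"(?i)microsoft intune|intune enrollment|azure active directory connect|"
    r"microsoft authentication broker|^azure active directory$"
)
RULE1_EVENT_TYPES = {
    "Add device", "Register device", "Add registered owner to device",
    "Add registered users to device", "Update device", "Enroll device",
}
RULE2_EVENT_TYPES = {"Add device", "Register device", "Enroll device"}
BULK_THRESHOLD = 3              # condition: #e >= 3
BULK_WINDOW = timedelta(hours=1)  # match: $user over 1h


def _ev(ts, etype, app, user, status="SUCCESS"):
    """Build one constructed, UDM-like event (simplified field names, not real telemetry)."""
    return {"ts": ts, "vendor_name": "Microsoft", "product_name": "Azure Active Directory",
            "event_status": status, "product_event_type": etype,
            "application": app, "user_email": user}


# Constructed sample events covering the cases discussed on the page.
SAMPLE_EVENTS = [
    # Test 1 shape: one successful registration from a non-MDM client
    _ev("2024-05-01T10:00:00", "Add device", "Unknown client", "alice@example.com"),
    # Benign Intune enrollment: allowlisted, ignored by Rule 1
    _ev("2024-05-01T10:05:00", "Enroll device", "Microsoft Intune", "carol@example.com"),
    # Failed attempt: event_status != SUCCESS, ignored by both rules
    _ev("2024-05-01T10:06:00", "Add device", "Unknown client", "dave@example.com", status="FAILURE"),
    # Hybrid-join sync pass: allowlisted for Rule 1, but Rule 2 still counts it (tuning candidate)
    _ev("2024-05-01T11:00:00", "Add device", "Azure Active Directory Connect", "sync@example.com"),
    _ev("2024-05-01T11:00:05", "Add device", "Azure Active Directory Connect", "sync@example.com"),
    _ev("2024-05-01T11:00:10", "Add device", "Azure Active Directory Connect", "sync@example.com"),
] + [
    # Test 3 shape: five registrations within ~10 seconds from one user via a custom Graph script
    _ev(f"2024-05-01T12:00:{2 * i:02d}", "Add device", "Custom Graph script", "bob@example.com")
    for i in range(5)
]


def _is_entra_success(ev):
    """Shared event-section filters: vendor, product, success status, non-empty user email."""
    return (ev["vendor_name"] == "Microsoft"
            and ev["product_name"] == "Azure Active Directory"
            and ev["event_status"] == "SUCCESS"
            and bool(ev.get("user_email")))


def unexpected_app_registrations(events):
    """Rule 1: every successful registration-type event whose initiating application is
    outside the MDM allowlist. Returns a list of (user, application, event_type)."""
    hits = []
    for ev in events:
        if not _is_entra_success(ev) or ev["product_event_type"] not in RULE1_EVENT_TYPES:
            continue
        if KNOWN_MDM_APPS.search(ev["application"]):
            continue
        hits.append((ev["user_email"], ev["application"], ev["product_event_type"]))
    return hits


def bulk_registrations(events):
    """Rule 2: users with at least BULK_THRESHOLD successful registrations inside a sliding
    BULK_WINDOW. Returns {user: max_events_seen_in_one_window}."""
    per_user = defaultdict(list)
    for ev in events:
        if _is_entra_success(ev) and ev["product_event_type"] in RULE2_EVENT_TYPES:
            per_user[ev["user_email"]].append(datetime.fromisoformat(ev["ts"]))
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > BULK_WINDOW:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= BULK_THRESHOLD:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, app, etype in unexpected_app_registrations(SAMPLE_EVENTS):
        print(f"Rule 1: {user} via '{app}' ({etype})")
    for user, count in bulk_registrations(SAMPLE_EVENTS).items():
        print(f"Rule 2: {user} registered {count} devices within 1h")
```

Running it shows Rule 1 firing six times (alice once, bob five times) while the Intune and Azure AD Connect events pass the allowlist, and Rule 2 firing for both bob and the sync account. The second Rule 2 hit is exactly the hybrid-join false positive listed under tuning: the allowlist only protects Rule 1, so Rule 2 needs its own exclusion (for example on the sync service account or on `principal.application`) if scheduled sync passes are expected.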
References (14)
- https://attack.mitre.org/techniques/T1098/005/
- https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://o365blog.com/post/devices/
- https://o365blog.com/post/mdm
- https://o365blog.com/post/bprt/
- https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://learn.microsoft.com/en-us/entra/identity/devices/overview
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
- https://expel.com/blog/observing-atlas-lion-part-one/
- https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack
- https://github.com/dirkjanm/ROADtools
- https://learn.microsoft.com/en-us/graph/api/device-post-devices