Detect Device Registration in Microsoft Sentinel
Adversaries may register a device to an adversary-controlled account to establish persistence or escalate privileges. Devices may be registered in an MFA system (Duo, Okta) to bypass multi-factor authentication requirements, or registered in a device management system (Entra ID, Intune) to access sensitive data while bypassing conditional access policies. APT29 has enrolled attacker-controlled devices into compromised Azure AD tenants. Tools like AADInternals can automate device registration to Entra ID. Adversaries may also exploit self-enrollment workflows that require only a username and password for dormant or first-device scenarios.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1098 Account Manipulation
- Sub-technique
- T1098.005 Device Registration
- Canonical reference
- https://attack.mitre.org/techniques/T1098/005/
KQL Detection Query
// T1098.005 - Device Registration Detection
// Detects suspicious device registrations in Entra ID / Azure AD
let SuspiciousDeviceRegistration = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in (
"Add device",
"Register device",
"Add registered owner to device",
"Add registered users to device",
"Update device",
"Enroll device"
)
| where Result =~ "success"
| extend
InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName),
InitiatedByIP = tostring(InitiatedBy.user.ipAddress),
InitiatedByAppId = tostring(InitiatedBy.app.appId),
InitiatedByAppName = tostring(InitiatedBy.app.displayName),
DeviceDisplayName = tostring(TargetResources[0].displayName),
DeviceId = tostring(TargetResources[0].id),
ModifiedProps = TargetResources[0].modifiedProperties
| extend DeviceOS = tostring(parse_json(tostring(ModifiedProps))[0].newValue)
| project
TimeGenerated,
OperationName,
InitiatedByUPN,
InitiatedByIP,
InitiatedByAppId,
InitiatedByAppName,
DeviceDisplayName,
DeviceId,
Result,
Category,
CorrelationId;
let RecentSignins = SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == 0
| project
SigninTime = TimeGenerated,
SigninUPN = UserPrincipalName,
SigninIP = IPAddress,
SigninAppDisplayName = AppDisplayName,
SigninCountry = LocationDetails.countryOrRegion,
SigninRiskLevel = RiskLevelDuringSignIn,
SigninRiskState = RiskState,
IsInteractive;
SuspiciousDeviceRegistration
| join kind=leftouter (
RecentSignins
| where SigninRiskLevel in ("high", "medium") or SigninRiskState in ("atRisk", "confirmedCompromised")
) on $left.InitiatedByUPN == $right.SigninUPN
| union (
// Also catch bulk/rapid device registrations from same user or IP
SuspiciousDeviceRegistration
| summarize
DeviceCount = count(),
DeviceNames = make_set(DeviceDisplayName),
OperationNames = make_set(OperationName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by InitiatedByUPN, InitiatedByIP, bin(TimeGenerated, 1h)
| where DeviceCount >= 3
| extend AlertReason = strcat("Bulk device registration: ", tostring(DeviceCount), " devices in 1 hour")
)
| extend SuspiciousIndicators = dynamic([])
| extend SuspiciousIndicators = iff(isnotempty(SigninRiskLevel) and SigninRiskLevel in ("high","medium"), array_concat(SuspiciousIndicators, dynamic(["risky-signin"])), SuspiciousIndicators)
| extend SuspiciousIndicators = iff(isnotempty(InitiatedByAppId) and InitiatedByAppName !in ("Microsoft Intune", "Microsoft Azure Active Directory Connect", "Microsoft Intune Enrollment", "Azure Active Directory"), array_concat(SuspiciousIndicators, dynamic(["unexpected-app"])), SuspiciousIndicators)
| sort by TimeGenerated descDetects suspicious device registrations in Azure AD / Entra ID by querying AuditLogs for device registration operations. Correlates with SigninLogs to identify registrations preceded by risky sign-ins. Also detects bulk device registration (3 or more devices in one hour from the same user/IP) which may indicate an automated attack or Service Exhaustion Flood. Flags registrations performed by unexpected applications (not standard Microsoft enrollment apps).
Data Sources
Required Tables
False Positives & Tuning
- IT administrators bulk-enrolling corporate devices during device refresh cycles or new employee onboarding
- Automated device enrollment workflows via Microsoft Intune Autopilot or SCCM co-management
- Users registering personal devices under a BYOD policy, especially after password resets
- Microsoft Entra joined virtual machines provisioned by DevOps pipelines or cloud infrastructure teams
Other platforms for T1098.005
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Register Device to Entra ID using AADInternals PowerShell Module
Expected signal: Azure AD AuditLogs: OperationName='Add device' with actor UPN, source IP, and DeviceName='TestDevice-AtomicTest'. Result='success'. The initiating app will appear as an unexpected application ID (not standard Intune). SigninLogs will show token acquisition event from the same session.
- Test 2MFA Device Enrollment on Dormant Account Using Only Password
Expected signal: Azure AD AuditLogs: OperationName='User registered security info' or 'User started security info registration' and 'Update user' with modified properties showing phoneAuthenticationMethod added. SigninLogs: ROPC flow authentication (non-interactive) from the test IP. Identity Protection may flag the ROPC sign-in as risky.
- Test 3Bulk Device Registration to Entra ID via Graph API
Expected signal: Azure AD AuditLogs: 5 separate 'Add device' events within ~10 seconds from the same actor UPN and IP address. Each event will have Result='success' and DeviceName='AtomicTestDevice-Bulk-{1-5}'. The rapid succession of registrations will be visible in the timestamp sequence.
- Test 4Register Device to Entra ID Using Existing PRT (Primary Refresh Token) via dsregcmd
Expected signal: Azure AD AuditLogs: OperationName='Add device' or 'Register device' with DeviceName matching the machine's hostname. Initiated by the currently logged-on user. Windows Event Log (System): Event ID 4648 or Events from Microsoft-Windows-User Device Registration source. Certificate created in CERT:\LocalMachine\My for the device.
References (14)
- https://attack.mitre.org/techniques/T1098/005/
- https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft
- https://www.cisa.gov/uscert/ncas/alerts/aa22-074a
- https://o365blog.com/post/devices/
- https://o365blog.com/post/mdm
- https://o365blog.com/post/bprt/
- https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://learn.microsoft.com/en-us/entra/identity/devices/overview
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
- https://expel.com/blog/observing-atlas-lion-part-one/
- https://www.darkreading.com/threat-intelligence/fireeye-s-mandia-severity-zero-alert-led-to-discovery-of-solarwinds-attack
- https://github.com/dirkjanm/ROADtools
- https://learn.microsoft.com/en-us/graph/api/device-post-devices
Unlock Pro Content
Get the full detection package for T1098.005 including response playbook, investigation guide, and atomic red team tests.