title: Device Registration (T1098.005)
id: df00tech-t1098-005
status: experimental
description: "Adversaries may register a device to an adversary-controlled account to establish persistence or escalate privileges. Devices may be registered in an MFA system (Duo, Okta) to bypass multi-factor authentication requirements, or registered in a device management system (Entra ID, Intune) to access sensitive data while bypassing conditional access policies. APT29 has enrolled attacker-controlled devices into compromised Azure AD tenants. Tools like AADInternals can automate device registration to Entra ID. Adversaries may also exploit self-enrollment workflows that require only a username and password for dormant or first-device scenarios."
references:
  - https://attack.mitre.org/techniques/T1098/005/
  - https://df00tech.com/detections/T1098.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1098.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT administrators bulk-enrolling corporate devices during device refresh cycles or new employee onboarding
  - Automated device enrollment workflows via Microsoft Intune Autopilot or SCCM co-management
  - Users registering personal devices under a BYOD policy, especially after password resets
  - Microsoft Entra joined virtual machines provisioned by DevOps pipelines or cloud infrastructure teams
level: high
