An adversary registers a new device to a compromised user account through the Microsoft Entra ID (formerly Azure AD), Okta, or Duo self-enrollment portal. Once the attacker-controlled device is registered, it can satisfy MFA prompts or device-based conditional access policies on later logons, so the registration event itself is the detection opportunity. Note that the data components listed below cover Entra ID only; Okta and Duo enrollment has to be monitored through those platforms' own system logs.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | azure:audit | Operation IN ("Add device", "Add registered users to device", "Add registered owner to device") |
| Application Log Content (DC0038) | ApplicationLog:EntraIDPortal | DeviceRegistration events |
| Active Directory Object Creation (DC0087) | azure:audit | New device object creation |

| Field | Description |
|---|---|
| ActorUserPrincipalName | Define expected admin users to exclude known enrollment behavior |
| IP Address | Scope internal vs. external device enrollment sources |
| TimeWindow | Adjust for expected hours of legitimate self-enrollment |

An adversary uses stolen credentials to join or register a Windows device to Entra ID, or to enroll a device through the Intune/MDM registration pipeline, so that conditional access policies requiring a managed or compliant device are satisfied by the attacker's machine.

| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Creation (DC0087) | WinEventLog:Security | Device object creation on a domain controller (Event ID 5137, "A directory service object was created"; requires the Directory Service Changes audit subcategory). Cloud-only registrations do not appear here and must be taken from the Entra audit log. |
| Application Log Content (DC0038) | ApplicationLog:Intune/MDM Logs | Enrollment events (e.g., MDMDeviceRegistration) |

| Field | Description |
|---|---|
| DeviceNamePattern | Adjust pattern matching logic for unusual or non-corporate device names |
| UserContext | Correlate with prior logon location or device usage behavior |
| EnrollmentMethod | Distinguish MDM enrollment from manual onboarding and from automated (scripted) enrollment |
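The two analytics above share the same shape: match the registration or enrollment event, then apply the tunable fields (excluded admins, internal versus external source IP, time window, device-name pattern, prior user context, enrollment method) to separate expected enrollment from suspicious enrollment. The following is an added example of that logic run over constructed sample records; it is not code from the ATT&CK page or from Microsoft. The Entra record shape is a simplification of the audit-log export (operationName, initiatedBy, activityDateTime), the Intune record shape and all tunable values (admin UPN, RFC 1918 ranges, business hours, the CORP-XX-NNNNN name pattern, the per-user baseline countries) are assumptions for the example.

```python
"""Added example: device-registration detection logic for the two analytics above.
Not the page's or Microsoft's code. Record shapes and tunable values are assumed."""
import ipaddress
import re
from datetime import datetime, timezone

# --- Tunables: the "Field / Description" tables above (values are assumptions) ----
KNOWN_ENROLLMENT_ADMINS = {"mdm-enroll@corp.example"}           # ActorUserPrincipalName
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),            # IP Address scope
                 ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS_UTC = (7, 19)                                    # TimeWindow: 07:00 <= hour < 19:00
CORP_DEVICE_NAME = re.compile(r"^CORP-[A-Z]{2}-\d{5}$")         # DeviceNamePattern
EXPECTED_ENROLLMENT_METHODS = {"MDM", "Autopilot"}              # EnrollmentMethod
# UserContext: countries each user has previously signed in from (assumed to be
# derived from sign-in logs; hard-coded here so the example runs offline).
PRIOR_LOGON_COUNTRIES = {"jdoe@corp.example": {"US"}, "asmith@corp.example": {"US", "CA"}}

# Entra audit operations from the first analytic's Channel column.
DEVICE_OPS = {"Add device", "Add registered users to device", "Add registered owner to device"}


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _in_business_hours(ts: str) -> bool:
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
    start, end = BUSINESS_HOURS_UTC
    return start <= hour < end


def score_entra_audit(ev: dict) -> list[str]:
    """First analytic. Returns finding tags for an Entra audit record; [] means no finding."""
    if ev["operationName"] not in DEVICE_OPS:
        return []
    actor = ev["initiatedBy"]["userPrincipalName"]
    if actor in KNOWN_ENROLLMENT_ADMINS:
        return []                      # expected admin enrollment, excluded by tuning
    reasons = ["device_registration"]  # any non-admin registration is surfaced...
    if not _is_internal(ev["initiatedBy"]["ipAddress"]):
        reasons.append("external_source_ip")          # ...and enriched with the anomalies
    if not _in_business_hours(ev["activityDateTime"]):
        reasons.append("outside_enrollment_hours")
    return reasons


def score_intune_enrollment(ev: dict) -> list[str]:
    """Second analytic. Returns finding tags for an Intune/MDM enrollment record."""
    reasons = []
    if not CORP_DEVICE_NAME.match(ev["deviceName"]):
        reasons.append("non_corporate_device_name")
    if ev["enrollmentMethod"] not in EXPECTED_ENROLLMENT_METHODS:
        reasons.append(f"unexpected_enrollment_method:{ev['enrollmentMethod']}")
    known = PRIOR_LOGON_COUNTRIES.get(ev["userPrincipalName"], set())
    if known and ev["country"] not in known:
        reasons.append(f"new_country:{ev['country']}")
    return reasons


def detect(entra_events: list[dict], intune_events: list[dict]) -> dict[str, list[str]]:
    """Run both analytics and return {event_id: reasons} for every event with a finding."""
    findings = {}
    for ev in entra_events:
        if r := score_entra_audit(ev):
            findings[ev["id"]] = r
    for ev in intune_events:
        if r := score_intune_enrollment(ev):
            findings[ev["id"]] = r
    return findings


# Constructed sample records (not real logs).
SAMPLE_ENTRA = [
    {"id": "e1", "activityDateTime": "2024-05-06T10:15:00Z", "operationName": "Add device",
     "initiatedBy": {"userPrincipalName": "mdm-enroll@corp.example", "ipAddress": "10.1.2.3"}},
    {"id": "e2", "activityDateTime": "2024-05-06T02:30:00Z",
     "operationName": "Add registered owner to device",
     "initiatedBy": {"userPrincipalName": "jdoe@corp.example", "ipAddress": "203.0.113.45"}},
    {"id": "e3", "activityDateTime": "2024-05-06T11:00:00Z", "operationName": "Update user",
     "initiatedBy": {"userPrincipalName": "jdoe@corp.example", "ipAddress": "203.0.113.45"}},
    {"id": "e4", "activityDateTime": "2024-05-06T09:00:00Z", "operationName": "Add device",
     "initiatedBy": {"userPrincipalName": "asmith@corp.example", "ipAddress": "192.168.4.20"}},
]
SAMPLE_INTUNE = [
    {"id": "i1", "userPrincipalName": "jdoe@corp.example", "deviceName": "DESKTOP-7KX9Q2",
     "enrollmentMethod": "Manual", "country": "RU"},
    {"id": "i2", "userPrincipalName": "asmith@corp.example", "deviceName": "CORP-US-00123",
     "enrollmentMethod": "Autopilot", "country": "US"},
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_ENTRA, SAMPLE_INTUNE).items():
        print(event_id, reasons)
```

With the sample data, e1 is dropped because the actor is a known enrollment admin, e3 is dropped because "Update user" is not a device operation, e4 is surfaced as a plain non-admin registration with no anomalies, e2 carries the external-IP and off-hours tags, and i1 trips all three Intune tunables while i2 is clean. Severity in a real pipeline would come from how many tags an event carries rather than from the base "device_registration" tag alone.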