Account Manipulation: Device Registration

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user's credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.[1][2] In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account.[3]

Similarly, an adversary with existing access to a network may register a device to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.[4][5][6]

Devices registered in Entra ID may be able to conduct Internal Spearphishing campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.[7] Additionally, an adversary may be able to perform a Service Exhaustion Flood on an Entra ID tenant by registering a large number of devices.[8]

ID: T1098.005
Sub-technique of:  T1098
Platforms: Identity Provider, Windows
Contributors: Arad Inbar, Fidelis Security; Arun Seelagan, CISA; Joe Gumke, U.S. Bank; Mike Moran; Pawel Partyka, Microsoft 365 Defender
Version: 1.3
Created: 04 March 2022
Last Modified: 25 September 2024

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can register a device to Azure AD.[9]

G0016 APT29

APT29 has enrolled their own devices into compromised cloud tenants, including enrolling a device in MFA to an Azure AD environment following a successful password guessing attack against a dormant account.[3][10]

C0027 C0027

During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.[11]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 registered devices in order to enable mailbox syncing via the Set-CASMailbox command.[12]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Require multi-factor authentication to register devices in Entra ID.[7] Configure multi-factor authentication systems to disallow enrolling new devices for inactive accounts.[1] When first enrolling MFA, use conditional access policies to restrict device enrollment to trusted locations or devices, and consider using temporary access passes as an initial MFA solution to enroll a device.[3]
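The first sentence of the mitigation maps to a Conditional Access policy on the "Register or join devices" user action. The following Python is an added example, not code from the ATT&CK page or from Microsoft: it audits a list of Conditional Access policies (in the shape the Microsoft Graph conditionalAccessPolicy resource returns) for one that actually gates device registration behind MFA for every user, and builds the policy body that would. The sample policies, their names and the excluded group ID are constructed.

```python
# Added example, not code from the ATT&CK page or from Microsoft: audit a tenant's
# Conditional Access policies for the "Register or join devices" user action and build
# the policy body that closes the gap. Policy shapes follow the Microsoft Graph
# conditionalAccessPolicy resource; the sample policies below are constructed.

REGISTER_DEVICE = "urn:user:registerdevice"        # CA user action: Register or join devices
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph value for a report-only policy


def required_policy_body():
    """Request body (POST /identity/conditionalAccess/policies) requiring MFA for all
    users who register or join a device. Add conditions.locations to limit enrollment
    to trusted locations, as the mitigation text suggests."""
    return {
        "displayName": "Require MFA to register or join devices",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeUserActions": [REGISTER_DEVICE]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def targets_device_registration(policy):
    """True if the policy's application condition is the register-device user action."""
    apps = policy.get("conditions", {}).get("applications", {})
    return REGISTER_DEVICE in apps.get("includeUserActions", [])


def policy_gaps(policy):
    """Reasons a policy that targets device registration does not fully gate it."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append(f"state is {policy.get('state')!r}; report-only or disabled policies do not block")
    grant = policy.get("grantControls") or {}
    requires_mfa = "mfa" in grant.get("builtInControls", []) or bool(grant.get("authenticationStrength"))
    if not requires_mfa:
        gaps.append("grant controls do not require MFA or an authentication strength")
    users = policy.get("conditions", {}).get("users", {})
    if "All" not in users.get("includeUsers", []):
        gaps.append("policy does not include all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            gaps.append(f"{key} carves out {len(users[key])} principal(s); each one is an enrollment bypass")
    return gaps


def audit_tenant(policies):
    """(fully_covered, report): covered if at least one targeting policy has no gaps;
    report maps each targeting policy's displayName to its list of gaps."""
    report = {p["displayName"]: policy_gaps(p) for p in policies if targets_device_registration(p)}
    covered = any(not gaps for gaps in report.values())
    return covered, report


# Constructed sample tenant: one unrelated policy and one report-only pilot with a group exclusion.
SAMPLE_POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA to register devices (pilot)", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["11111111-2222-3333-4444-555555555555"]},
                    "applications": {"includeUserActions": [REGISTER_DEVICE]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    import json
    covered, report = audit_tenant(SAMPLE_POLICIES)
    print("device registration MFA-gated for all users:", covered)
    for name, gaps in report.items():
        for gap in gaps:
            print(f"  {name}: {gap}")
    if not covered:
        print(json.dumps(required_policy_body(), indent=2))
```

Run against the constructed tenant the audit reports the pilot policy's two gaps (report-only state and a group exclusion) and prints the body to create. The same check applies unchanged to the sibling user action `urn:user:registersecurityinfo` ("Register security information"), which governs enrollment of the MFA method itself; that is the action to gate when closing the first-device self-enrollment case from the technique description, with a temporary access pass or trusted-location scoping for legitimate onboarding.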

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Object Creation

Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA.[13]

Analytic 1 - Device registration events with suspicious user agents, unusual OS types, OS versions, or display names.

Note: this analytic is intended to surface registrations of potentially malicious devices performed with hijacked admin credentials or from unusual IP addresses.

index="m365_audit_logs" Workload="AzureActiveDirectory"
    Operation IN ("Add registered owner to device", "Add device", "Add registered users to device")
| search ActorUserPrincipalName!="expected_admin_user"
| table CreationTime, ActorUserPrincipalName, IPAddress, ExtendedProperties, ModifiedProperties

Replace expected_admin_user with the account(s) that legitimately enroll devices. Note that the != comparison also drops events in which ActorUserPrincipalName is absent; use NOT ActorUserPrincipalName="expected_admin_user" if those events should be kept.

DS0015 Application Log Application Log Content

Entra ID creates several log entries when new devices are enrolled, which can be monitored for unexpected device registrations.[8] Additionally, joined devices can be viewed via the Entra ID portal.[14]

DS0002 User Account User Account Modification

Monitor user accounts for new and suspicious device associations, such as those originating from unusual sources, occurring at unusual times, or following a suspicious login.[6]
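Analytic 1 above filters registration events on their own properties, the Active Directory Object Creation row wants registrations made without MFA, and this row wants associations that follow a suspicious login. The following Python is an added example, not code from the ATT&CK page, that does all three over the same records: it joins each device-registration audit event to the latest sign-in by the same actor in the preceding 30 minutes and lists why the registration is suspicious. The audit and sign-in records, field names, the expected-actor list and the per-user known-IP baseline are constructed approximations of the Microsoft 365 unified audit log and the Entra sign-in log and should be treated as assumptions.

```python
# Added example, not code from the ATT&CK page: correlate Entra ID device-registration
# audit events with the sign-in that preceded them and explain why each one is suspicious.
# Record shapes, field names, the expected-actor list and the known-IP baseline are all
# constructed assumptions approximating the M365 unified audit log and the Entra sign-in log.
from datetime import datetime, timedelta

REGISTRATION_OPS = {
    "Add device",
    "Add registered owner to device",
    "Add registered users to device",
}
EXPECTED_ACTORS = {"intune-enroll@example.com"}   # accounts expected to register devices (assumed)
KNOWN_IPS = {                                     # per-user source-IP baseline (assumed)
    "intune-enroll@example.com": {"203.0.113.10"},
    "alice@example.com": {"203.0.113.25"},
}
SUSPICIOUS_UA_MARKERS = ("python-requests", "curl/", "aadinternals", "powershell")
LOOKBACK = timedelta(minutes=30)                  # window in which to find the preceding sign-in

# Constructed audit events (Workload=AzureActiveDirectory); the last one is not a registration.
AUDIT_EVENTS = [
    {"CreationTime": "2024-05-01T08:02:10Z", "Operation": "Add device",
     "ActorUserPrincipalName": "intune-enroll@example.com", "IPAddress": "203.0.113.10",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "DeviceOSType": "Windows",
     "DeviceOSVersion": "10.0.19045.4291", "DisplayName": "LAPTOP-4F2K"},
    {"CreationTime": "2024-05-01T23:41:05Z", "Operation": "Add registered owner to device",
     "ActorUserPrincipalName": "alice@example.com", "IPAddress": "198.51.100.7",
     "UserAgent": "python-requests/2.31.0", "DeviceOSType": "Windows",
     "DeviceOSVersion": "10.0.0", "DisplayName": "DESKTOP"},
    {"CreationTime": "2024-05-02T09:15:00Z", "Operation": "Add device",
     "ActorUserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.25",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "DeviceOSType": "Windows",
     "DeviceOSVersion": "10.0.22631.3527", "DisplayName": "LAPTOP-9Q1A"},
    {"CreationTime": "2024-05-02T10:00:00Z", "Operation": "Update user",
     "ActorUserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.25"},
]

# Constructed interactive sign-ins; authenticationRequirement mirrors the Entra sign-in log field.
SIGNIN_EVENTS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "intune-enroll@example.com",
     "ipAddress": "203.0.113.10", "authenticationRequirement": "multiFactorAuthentication"},
    {"createdDateTime": "2024-05-01T23:38:30Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "authenticationRequirement": "singleFactorAuthentication"},
    {"createdDateTime": "2024-05-02T09:10:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.25", "authenticationRequirement": "multiFactorAuthentication"},
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in both logs."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def preceding_signin(user, when, signins):
    """Latest sign-in by `user` within LOOKBACK before `when`, or None."""
    candidates = [
        s for s in signins
        if s["userPrincipalName"] == user
        and when - LOOKBACK <= parse_ts(s["createdDateTime"]) <= when
    ]
    return max(candidates, key=lambda s: s["createdDateTime"]) if candidates else None


def score_registration(event, signins):
    """Finding for a registration event, or None if it is not a registration or is benign."""
    if event.get("Operation") not in REGISTRATION_OPS:
        return None
    actor, when = event["ActorUserPrincipalName"], parse_ts(event["CreationTime"])
    reasons = []
    if actor not in EXPECTED_ACTORS:
        reasons.append("actor_not_expected")
    ua = event.get("UserAgent", "").lower()
    if any(marker in ua for marker in SUSPICIOUS_UA_MARKERS):
        reasons.append("suspicious_user_agent")
    # A real Windows build reports four dotted components (e.g. 10.0.19045.4291).
    if event.get("DeviceOSType") == "Windows" and event.get("DeviceOSVersion", "").count(".") < 3:
        reasons.append("implausible_os_version")
    if event["IPAddress"] not in KNOWN_IPS.get(actor, set()):
        reasons.append("new_source_ip")
    signin = preceding_signin(actor, when, signins)
    if signin is None:
        reasons.append("no_preceding_signin")
    elif signin["authenticationRequirement"] != "multiFactorAuthentication":
        reasons.append("registration_without_mfa")
    if not reasons:
        return None
    severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
    return {"time": event["CreationTime"], "actor": actor, "device": event.get("DisplayName"),
            "source_ip": event["IPAddress"], "reasons": reasons, "severity": severity}


def analyze(audit_events, signins):
    """Findings for every suspicious registration, in log order."""
    findings = (score_registration(e, signins) for e in audit_events)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in analyze(AUDIT_EVENTS, SIGNIN_EVENTS):
        print(f["severity"].upper(), f["time"], f["actor"], f["device"], ", ".join(f["reasons"]))
```

On the constructed data the late-night registration by alice@example.com from a new IP, with a scripting user agent, an implausible OS version and a preceding single-factor sign-in scores high, while her daytime registration from a known IP after an MFA sign-in is low because "actor not expected" is the only reason. That difference is the point: Analytic 1's actor filter alone fires on every ordinary user, so the sign-in correlation and device metadata are what separate the first-device enrollment after a password-guessing attack from routine self-service enrollment.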

References