EXPLORE
Sign In
← Back to Explore
T1098.005

Device Registration

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance. MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA re...

WindowsIdentity Provider
15
Detections
3
Sources
1
Threat Actors

BY SOURCE

8elastic6splunk_escu1sigma

PROCEDURES (11)

Privilege3 detections

Auto-extracted: 3 detections for privilege

Cloud2 detections

Auto-extracted: 2 detections for cloud

Oauth2 detections

Auto-extracted: 2 detections for oauth

Unusual1 detections

Auto-extracted: 1 detections for unusual

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Service1 detections

Auto-extracted: 1 detections for service

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

THREAT ACTORS (1)

APT29

DETECTIONS (15)

AWS IAM Virtual MFA Device Registration Attempt with Session Token
elasticmedium
Azure AD New MFA Method Registered
splunk_escu
Entra ID ADRS Token Request by Microsoft Authentication Broker
elasticmedium
Entra ID OAuth PRT Issuance to Non-Managed Device Detected
elasticmedium
Entra ID Protection User Alert and Device Registration
elastichigh
Entra ID Unusual Cloud Device Registration
elasticmedium
Entra ID User Sign-in with Unusual Non-Managed Device
elasticlow
M365 Exchange MFA Notification Email Deleted or Moved
elasticlow
M365 Identity OAuth Flow by User Sign-in to Device Registration
elastichigh
O365 New MFA Method Registered
splunk_escu
Okta New Device Enrolled on Account
splunk_escu
PingID Mismatch Auth Source and Verification Response
splunk_escu
PingID New MFA Method After Credential Reset
splunk_escu
PingID New MFA Method Registered For User
splunk_escu
Windows LAPS Credential Dump From Entra ID
sigmahigh