Entra ID AiTM Phishing-Kit Chain Detected
Identifies a Microsoft Entra ID identity-compromise chain in which a single user, within a 10-minute window, authenticates to the Device Registration Service through the Microsoft Authentication Broker (MAB) client, registers a device, and then uses the resulting Primary Refresh Token (PRT) to access a resource other than the Device Registration Service. This sequence is the core post-adversary-in-the-middle (AiTM) persistence pattern used by phishing kits such as Tycoon2FA and Kali365: after capturing a victim session, the kit registers an Azure AD-joined device to obtain a device-bound PRT, which survives user-level session revocation and password resets and grants trusted, MFA-free access. Correlating the broker sign-in, the device-registration audit event, and the follow-on PRT sign-in for the same user within a short window is a high-fidelity indicator of active account takeover.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/29"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2026/06/29"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a Microsoft Entra ID identity-compromise chain in which a single user, within a 10-minute window,
11authenticates to the Device Registration Service through the Microsoft Authentication Broker (MAB) client, registers a
12device, and then uses the resulting Primary Refresh Token (PRT) to access a resource other than the Device Registration
13Service. This sequence is the core post-adversary-in-the-middle (AiTM) persistence pattern used by phishing kits such as
14Tycoon2FA and Kali365: after capturing a victim session, the kit registers an Azure AD-joined device to obtain a
15device-bound PRT, which survives user-level session revocation and password resets and grants trusted, MFA-free access.
16Correlating the broker sign-in, the device-registration audit event, and the follow-on PRT sign-in for the same user
17within a short window is a high-fidelity indicator of active account takeover.
18"""
19false_positives = [
20 """
21 Legitimate device onboarding (for example a user enrolling a new corporate device through Azure AD join) can produce
22 a broker authentication to the Device Registration Service followed by PRT issuance. Validate that the device,
23 source IP/ASN, and user agent are expected, and that the device is managed/compliant.
24 """,
25 """
26 Authorized red team or penetration testing engagements that register devices and exercise PRTs will match this
27 sequence. Document the engagement and add scoped exceptions for the involved principals or source addresses.
28 """,
29]
30from = "now-15m"
31index = ["logs-azure.signinlogs-*", "logs-azure.auditlogs-*"]
32language = "eql"
33license = "Elastic License v2"
34name = "Entra ID AiTM Phishing-Kit Chain Detected"
35note = """## Triage and analysis
36
37### Investigating Entra ID AiTM Phishing-Kit Chain Detected
38
39This rule correlates three events for the same user within a 10-minute window that together represent the canonical post-AiTM identity-compromise chain:
40
411. A non-interactive sign-in through the Microsoft Authentication Broker (MAB) client (`app_id` `29d9ed98-a469-4536-ade2-f981bc1d605e`) to the `Device Registration Service` resource, with an `unbound` session token (`token_protection_status_details.sign_in_session_status`).
422. A successful `Register device` audit event initiated by the same user for a target device named `DESKTOP-*`.
433. An interactive sign-in using a `primaryRefreshToken` (PRT) to a resource other than the Device Registration Service, from an unmanaged device.
44
45After an AiTM kit captures a victim session, it registers an Azure AD-joined device to obtain a device-bound PRT. Because the PRT is bound to the device rather than the user session, it survives `revokeSignInSessions` and password resets, providing durable, MFA-free access. Observing the broker-to-DRS auth, the registration, and the first PRT use in quick succession is strong evidence of active account takeover rather than benign onboarding.
46
47### Possible investigation steps
48
49- Identify the user via `azure.signinlogs.properties.user_principal_name` / `azure.signinlogs.properties.user_id` and the registered device via the `Register device` event (`azure.auditlogs.properties.target_resources.0.display_name`). Default `DESKTOP-<random>` names that do not match your convention are suspicious.
50- Review the source of each step: `source.ip`, `source.as.organization.name`, and `source.geo.*`. Hosting/VPS ASNs (for example Tencent or Alibaba) and unexpected geographies, or a single source driving all three steps, are high-fidelity suspicious.
51- Inspect the registration user agent on the `Register device` event (`azure.auditlogs.properties.userAgent`); a spoofed `Dsreg/10.0 (Windows <build>)` string or a raw HTTP client such as `axios/*` or `python-requests/*` indicates tooling.
52- Confirm the PRT step: `azure.signinlogs.properties.incoming_token_type` is `primaryRefreshToken`, the device `trust_type` is `Azure AD joined`, and `device_detail.is_managed` is false (unmanaged), and the `resource_display_name` is a real resource (Microsoft Graph, Office 365 Exchange Online, etc.) rather than the Device Registration Service.
53- Check for additional persistence established in the same window: an attacker-registered MFA method (`User registered security info`), multiple device registrations by the same user, or broker tokens minted for other resources.
54- Review Conditional Access outcomes to determine whether device compliance or MFA was bypassed.
55
56### False positive analysis
57
58- Legitimate Azure AD join / device onboarding can produce a broker-to-DRS auth followed by PRT issuance. Validate the device against inventory and confirm it is managed/compliant and registered from an expected source.
59- Authorized security assessments that register devices and exercise PRTs will match. Document and add scoped exceptions.
60
61### Response and remediation
62
63- Treat as likely account takeover. Remove the rogue device registration BEFORE revoking sessions, because device-bound PRTs survive `revokeSignInSessions` and a device left in place re-establishes access.
64 - `GET /v1.0/users/{id}/registeredDevices` and `/ownedDevices`, then `DELETE /v1.0/devices/{deviceObjectId}` for unrecognized devices.
65- Revoke refresh tokens and sessions, then reset credentials and re-register MFA.
66 - `POST /v1.0/users/{id}/revokeSignInSessions`.
67- Temporarily disable the account if activity must be halted during investigation.
68 - `PATCH /v1.0/users/{id}` with body `{"accountEnabled": false}`.
69- Remove other attacker persistence: attacker-registered MFA methods, malicious inbox/forwarding rules, and OAuth consents.
70- Tighten device registration and join controls via Conditional Access (restrict who can register/join devices, require MFA for registration, and require a compliant/managed device for resource access).
71"""
72references = [
73 "https://any.run/malware-trends/tycoon/",
74 "https://www.huntress.com/blog/kali365-device-code-phishing-kit",
75 "https://any.run/malware-trends/kali365/",
76 "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/",
77 "https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering"
78]
79risk_score = 73
80rule_id = "d2c02b2b-bd01-4d4a-a17a-8df8f357b015"
81severity = "high"
82tags = [
83 "Domain: Cloud",
84 "Domain: Identity",
85 "Data Source: Azure",
86 "Data Source: Microsoft Entra ID",
87 "Data Source: Microsoft Entra ID Sign-In Logs",
88 "Data Source: Microsoft Entra ID Audit Logs",
89 "Use Case: Identity and Access Audit",
90 "Use Case: Threat Detection",
91 "Tactic: Persistence",
92 "Tactic: Credential Access",
93 "Resources: Investigation Guide",
94]
95timestamp_override = "event.ingested"
96type = "eql"
97
98query = '''
99sequence with maxspan=3m
100 [authentication where
101 data_stream.dataset == "azure.signinlogs" and
102 azure.signinlogs.category == "NonInteractiveUserSignInLogs" and
103 azure.signinlogs.properties.app_id == "29d9ed98-a469-4536-ade2-f981bc1d605e" and
104 azure.signinlogs.properties.resource_display_name == "Device Registration Service" and
105 azure.signinlogs.properties.incoming_token_type == "refreshToken" and
106 azure.signinlogs.properties.token_protection_status_details.sign_in_session_status == "unbound" and
107 azure.signinlogs.properties.user_type == "Member" and
108 azure.signinlogs.result_signature == "SUCCESS"
109 ] by azure.signinlogs.properties.user_id
110 [any where
111 data_stream.dataset == "azure.auditlogs" and
112 azure.auditlogs.operation_name == "Register device" and
113 azure.auditlogs.properties.initiated_by.user.id != null and
114 azure.auditlogs.properties.target_resources.`0`.display_name like "DESKTOP-*" and
115 event.outcome == "success"
116 ] by azure.auditlogs.properties.initiated_by.user.id
117 [authentication where
118 data_stream.dataset == "azure.signinlogs" and
119 azure.signinlogs.properties.incoming_token_type == "primaryRefreshToken" and
120 azure.signinlogs.properties.original_transfer_method == "deviceCodeFlow" and
121 azure.signinlogs.properties.is_interactive == true and
122 azure.signinlogs.properties.resource_display_name != "Device Registration Service" and
123 azure.signinlogs.properties.device_detail.is_managed != true and
124 azure.signinlogs.result_signature == "SUCCESS"
125 ] by azure.signinlogs.properties.user_id
126'''
127
128
129[[rule.threat]]
130framework = "MITRE ATT&CK"
131[[rule.threat.technique]]
132id = "T1078"
133name = "Valid Accounts"
134reference = "https://attack.mitre.org/techniques/T1078/"
135[[rule.threat.technique.subtechnique]]
136id = "T1078.004"
137name = "Cloud Accounts"
138reference = "https://attack.mitre.org/techniques/T1078/004/"
139
140
141[[rule.threat.technique]]
142id = "T1098"
143name = "Account Manipulation"
144reference = "https://attack.mitre.org/techniques/T1098/"
145[[rule.threat.technique.subtechnique]]
146id = "T1098.005"
147name = "Device Registration"
148reference = "https://attack.mitre.org/techniques/T1098/005/"
149
150
151
152[rule.threat.tactic]
153id = "TA0003"
154name = "Persistence"
155reference = "https://attack.mitre.org/tactics/TA0003/"
156[[rule.threat]]
157framework = "MITRE ATT&CK"
158[[rule.threat.technique]]
159id = "T1550"
160name = "Use Alternate Authentication Material"
161reference = "https://attack.mitre.org/techniques/T1550/"
162[[rule.threat.technique.subtechnique]]
163id = "T1550.001"
164name = "Application Access Token"
165reference = "https://attack.mitre.org/techniques/T1550/001/"
166
167
168
169[rule.threat.tactic]
170id = "TA0005"
171name = "Defense Evasion"
172reference = "https://attack.mitre.org/tactics/TA0005/"
173[[rule.threat]]
174framework = "MITRE ATT&CK"
175[[rule.threat.technique]]
176id = "T1528"
177name = "Steal Application Access Token"
178reference = "https://attack.mitre.org/techniques/T1528/"
179
180
181[rule.threat.tactic]
182id = "TA0006"
183name = "Credential Access"
184reference = "https://attack.mitre.org/tactics/TA0006/"
185
186[rule.investigation_fields]
187field_names = [
188 "@timestamp",
189 "azure.signinlogs.properties.user_principal_name",
190 "azure.signinlogs.properties.user_id",
191 "azure.signinlogs.properties.app_id",
192 "azure.signinlogs.properties.resource_display_name",
193 "azure.signinlogs.properties.incoming_token_type",
194 "azure.signinlogs.properties.device_detail.trust_type",
195 "azure.signinlogs.properties.device_detail.is_managed",
196 "azure.auditlogs.operation_name",
197 "azure.auditlogs.properties.target_resources.0.display_name",
198 "source.ip",
199 "source.as.organization.name",
200 "source.geo.country_name",
201]
Triage and analysis
Investigating Entra ID AiTM Phishing-Kit Chain Detected
This rule correlates three events for the same user within a 10-minute window that together represent the canonical post-AiTM identity-compromise chain:
- A non-interactive sign-in through the Microsoft Authentication Broker (MAB) client (
app_id29d9ed98-a469-4536-ade2-f981bc1d605e) to theDevice Registration Serviceresource, with anunboundsession token (token_protection_status_details.sign_in_session_status). - A successful
Register deviceaudit event initiated by the same user for a target device namedDESKTOP-*. - An interactive sign-in using a
primaryRefreshToken(PRT) to a resource other than the Device Registration Service, from an unmanaged device.
After an AiTM kit captures a victim session, it registers an Azure AD-joined device to obtain a device-bound PRT. Because the PRT is bound to the device rather than the user session, it survives revokeSignInSessions and password resets, providing durable, MFA-free access. Observing the broker-to-DRS auth, the registration, and the first PRT use in quick succession is strong evidence of active account takeover rather than benign onboarding.
Possible investigation steps
- Identify the user via
azure.signinlogs.properties.user_principal_name/azure.signinlogs.properties.user_idand the registered device via theRegister deviceevent (azure.auditlogs.properties.target_resources.0.display_name). DefaultDESKTOP-<random>names that do not match your convention are suspicious. - Review the source of each step:
source.ip,source.as.organization.name, andsource.geo.*. Hosting/VPS ASNs (for example Tencent or Alibaba) and unexpected geographies, or a single source driving all three steps, are high-fidelity suspicious. - Inspect the registration user agent on the
Register deviceevent (azure.auditlogs.properties.userAgent); a spoofedDsreg/10.0 (Windows <build>)string or a raw HTTP client such asaxios/*orpython-requests/*indicates tooling. - Confirm the PRT step:
azure.signinlogs.properties.incoming_token_typeisprimaryRefreshToken, the devicetrust_typeisAzure AD joined, anddevice_detail.is_managedis false (unmanaged), and theresource_display_nameis a real resource (Microsoft Graph, Office 365 Exchange Online, etc.) rather than the Device Registration Service. - Check for additional persistence established in the same window: an attacker-registered MFA method (
User registered security info), multiple device registrations by the same user, or broker tokens minted for other resources. - Review Conditional Access outcomes to determine whether device compliance or MFA was bypassed.
False positive analysis
- Legitimate Azure AD join / device onboarding can produce a broker-to-DRS auth followed by PRT issuance. Validate the device against inventory and confirm it is managed/compliant and registered from an expected source.
- Authorized security assessments that register devices and exercise PRTs will match. Document and add scoped exceptions.
Response and remediation
- Treat as likely account takeover. Remove the rogue device registration BEFORE revoking sessions, because device-bound PRTs survive
revokeSignInSessionsand a device left in place re-establishes access.GET /v1.0/users/{id}/registeredDevicesand/ownedDevices, thenDELETE /v1.0/devices/{deviceObjectId}for unrecognized devices.
- Revoke refresh tokens and sessions, then reset credentials and re-register MFA.
POST /v1.0/users/{id}/revokeSignInSessions.
- Temporarily disable the account if activity must be halted during investigation.
PATCH /v1.0/users/{id}with body{"accountEnabled": false}.
- Remove other attacker persistence: attacker-registered MFA methods, malicious inbox/forwarding rules, and OAuth consents.
- Tighten device registration and join controls via Conditional Access (restrict who can register/join devices, require MFA for registration, and require a compliant/managed device for resource access).
References
Related rules
- Entra ID Multiple Device Registrations by a Single User
- Entra ID OAuth Application Redirect URI Modified
- Entra ID Device Registration with ROADtools Default OS Build
- Entra ID Kali365 Default User-Agent Detected
- Microsoft Entra ID Impossible Travel Sign-in