Entra ID Device Registration with ROADtools Default OS Build
Identifies a Microsoft Entra ID device registration where the recorded cloud device operating system build is "10.0.19041.928" and the device display name follows the default "DESKTOP-" pattern. This combination is the default device profile that ROADtools (roadtx) uses when registering a device, and it is uncommon for the OS build to match the hardcoded value across an environment of otherwise patched hosts. Adversaries register rogue devices in Entra ID to acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic access to the tenant. Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline approved provisioning tooling and device naming conventions before relying on it.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/05/26"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/26"

[rule]
author = ["Elastic"]
description = """
Identifies a Microsoft Entra ID device registration where the recorded cloud device operating system build is
"10.0.19041.928" and the device display name follows the default "DESKTOP-" pattern. This combination is the default
device profile that ROADtools (roadtx) uses when registering a device, and it is uncommon for the OS build to match the
hardcoded value across an environment of otherwise patched hosts. Adversaries register rogue devices in Entra ID to
acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic access to the tenant.
Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline approved provisioning
tooling and device naming conventions before relying on it.
"""
false_positives = [
    """
    Legitimate device registrations may coincidentally use the `10.0.19041.928` build (Windows 10 20H1) with a default
    `DESKTOP-` hostname, particularly on imaged or unmanaged Windows hosts that have not been updated. Validate against
    your device inventory, expected provisioning workflows, and the registering user before escalating.
    """,
    """
    Authorized red team or penetration testing engagements that use ROADtools to register devices will match this rule.
    If this is expected, add exceptions for the specific user principal names, source IPs, or device names involved.
    """,
]
from = "now-9m"
index = ["logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Device Registration with ROADtools Default OS Build"
note = """## Triage and analysis

### Investigating Entra ID Device Registration with ROADtools Default OS Build

ROADtools (roadtx) registers a device in Entra ID with a default cloud device OS build of `10.0.19041.928` and a default
display name of `DESKTOP-<8 random characters>`. This OS build is the current default value roadtx uses and
differs from the OS version of legitimate hosts, making the build a useful indicator of ROADtools device registration.
Rogue device registration is typically a precursor to Primary Refresh Token (PRT) acquisition, MFA/Conditional Access
bypass, and persistent token-based access.

The matching Entra ID audit event is an `Add device` operation initiated by the `Device Registration Service`, where the
modified properties record the registered device characteristics:

- `azure.auditlogs.properties.target_resources.0.modified_properties.3` (`CloudDeviceOSVersion`) = `10.0.19041.928`
- `azure.auditlogs.properties.target_resources.0.modified_properties.4` (`CloudDisplayName`) = `DESKTOP-*`

### Possible investigation steps

- Confirm the registering identity via `azure.auditlogs.properties.initiated_by.user.userPrincipalName` and determine
whether that user is expected to register a new device.
- Review `azure.auditlogs.identity` to confirm the `Device Registration Service` initiated the request, and use
`azure.correlation_id` to pivot across the full registration flow (`Add device`, `Add registered users to device`,
`Add registered owner to device`).
- Inspect the device name in `azure.auditlogs.properties.target_resources.0.display_name`; default `DESKTOP-` names that
do not match your naming convention are suspicious.
- Pivot to `azure.signinlogs` for the same user and timeframe and look for follow-on sign-ins where the incoming token
type is a `primaryRefreshToken`, or for risky/AiTM sign-ins immediately preceding the registration.
- Review `azure.auditlogs.properties.initiated_by.user.ipAddress` and geolocation for the registration source. Flag
unexpected IPs, hosting/VPS ASNs, or impossible travel relative to the user's normal activity.
- Correlate with the user-agent-based device registration rules (e.g., `Dsreg/*`, `DeviceRegistrationClient`,
`Microsoft.OData.Client/*`) for the same user or correlation ID to strengthen attribution to ROADtools.

### False positive analysis

- Unmanaged or imaged Windows 10 20H1 hosts may legitimately present the `10.0.19041.928` build with a default
`DESKTOP-` hostname. Validate against device inventory and known provisioning programs.
- Authorized security assessments using ROADtools will match. Document the engagement and add scoped exceptions.

### Response and remediation

- If confirmed malicious, remove the registered device from Entra ID and revoke the user's refresh tokens and primary
refresh tokens.
- Disable the account or reset credentials per policy and review for additional persistence (added owners, app
registrations, or service principal credentials).
- Conduct historical analysis using `azure.correlation_id` and the registering user to determine scope of access.
- Tighten device registration and join controls via Conditional Access (restrict who can register/join devices and
require MFA for registration).
"""
references = [
    "https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/",
    "https://github.com/dirkjanm/ROADtools",
    "https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/",
]
risk_score = 47
rule_id = "db1271cd-f574-4173-b4e5-7369f3c03d44"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Audit Logs",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:"azure.auditlogs" and event.action:"Add device" and
    azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value:*10.0.19041.928* and
    azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value:*DESKTOP-*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.005"
name = "Device Registration"
reference = "https://attack.mitre.org/techniques/T1098/005/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.action",
    "event.outcome",
    "azure.auditlogs.identity",
    "azure.auditlogs.operation_name",
    "azure.auditlogs.properties.target_resources.0.display_name",
    "azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value",
    "azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value",
    "azure.auditlogs.properties.initiated_by.user.userPrincipalName",
    "azure.auditlogs.properties.initiated_by.user.ipAddress",
    "azure.correlation_id",
]
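The following Python is an added example, not part of the Elastic rule or of ROADtools: it replays the KQL query's match logic over constructed audit events in the `azure.auditlogs` document shape the rule queries, applies the scoped-exception handling the false-positive guidance recommends, and adds a variant keyed on the property `display_name` rather than the array position (this goes beyond the rule and is an assumption about how a hardened check could look). It also assumes that `modified_properties[].new_value` is a JSON-encoded string (quotes included), which is why the query needs the surrounding wildcards; the UPNs, device names and filler property names are made up.

```python
ROADTX_BUILD = "10.0.19041.928"  # the roadtx default build the rule keys on

def make_add_device_event(upn, os_build, name, action="Add device", swap=False):
    """Constructed event in the azure.auditlogs shape; new_value is JSON-encoded (assumption)."""
    props = [{"display_name": f"Filler{i}", "new_value": '"x"'} for i in range(3)]  # positions 0-2
    props += [{"display_name": "CloudDeviceOSVersion", "new_value": f'"{os_build}"'},   # position 3
              {"display_name": "CloudDisplayName", "new_value": f'"{name}"'}]           # position 4
    if swap:  # reorder the two properties to show what a purely positional query misses
        props[3], props[4] = props[4], props[3]
    return {"data_stream": {"dataset": "azure.auditlogs"}, "event": {"action": action},
            "azure": {"auditlogs": {"properties": {"initiated_by": {"user": {"userPrincipalName": upn}},
                      "target_resources": [{"display_name": name, "modified_properties": props}]}}}}

def _modified_properties(event):
    # Only "Add device" events from the azure.auditlogs dataset are in scope, as in the KQL.
    if event.get("data_stream", {}).get("dataset") != "azure.auditlogs" or event.get("event", {}).get("action") != "Add device":
        return None
    try:
        return event["azure"]["auditlogs"]["properties"]["target_resources"][0]["modified_properties"]
    except (KeyError, IndexError, TypeError):
        return None

def matches_rule(event):
    """Positional check mirroring the KQL: *10.0.19041.928* at index 3 and *DESKTOP-* at index 4."""
    try:
        p = _modified_properties(event) or []
        return ROADTX_BUILD in p[3]["new_value"] and "DESKTOP-" in p[4]["new_value"]
    except (KeyError, IndexError, TypeError):
        return False

def matches_by_name(event):
    """Same check keyed on property display_name: added hardening that survives reordering."""
    by_name = {x.get("display_name"): x.get("new_value", "") for x in (_modified_properties(event) or [])}
    return ROADTX_BUILD in by_name.get("CloudDeviceOSVersion", "") and "DESKTOP-" in by_name.get("CloudDisplayName", "")

def triage(events, exempt_upns=frozenset(), matcher=matches_rule):
    """Run a matcher and drop documented exceptions, returning (UPN, device name) pivots."""
    hits = []
    for e in events:
        p = e["azure"]["auditlogs"]["properties"]
        upn = p["initiated_by"]["user"]["userPrincipalName"]
        if matcher(e) and upn.lower() not in exempt_upns:
            hits.append((upn, p["target_resources"][0]["display_name"]))
    return hits

EVENTS = [  # constructed sample registrations; UPNs and device names are made up
    make_add_device_event("alice@example.com", ROADTX_BUILD, "DESKTOP-A1B2C3D4"),   # tool-default profile
    make_add_device_event("bob@example.com", "10.0.22631.3447", "LT-BOB-01"),      # patched, named host
    make_add_device_event("redteam@example.com", ROADTX_BUILD, "DESKTOP-Q9W8E7R6"), # authorised engagement
    make_add_device_event("frank@example.com", ROADTX_BUILD, "DESKTOP-P0O9I8U7", swap=True),  # reordered
]
```

`triage(EVENTS, exempt_upns={"redteam@example.com"})` returns only Alice's registration, while the `matches_by_name` variant also surfaces Frank's reordered record that the positional query misses.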
Related rules
- Entra ID Kali365 Default User-Agent Detected
- Entra ID Register Device with Unusual User Agent (Azure AD Join)
- Entra ID Domain Federation Configuration Change
- Entra ID Global Administrator Role Assigned
- Entra ID MFA Disabled for User