Entra ID Device with ROADtools Default OS Build (Entity Analytics)
Identifies the first occurrence of a Microsoft Entra ID device, surfaced through the Entra ID Entity Analytics device
inventory, whose host name follows the default "DESKTOP-" pattern and whose operating system build is 10.0.19041.928.
This combination is the default device profile that ROADtools (roadtx) uses when registering a device, and the OS build
typically differs from the patched OS versions of legitimate hosts in the environment. Adversaries register rogue
devices in Entra ID to acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic
access to the tenant. Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline
approved device builds and naming conventions before relying on it.
Elastic rule
[metadata]
creation_date = "2026/05/26"
integration = ["entityanalytics_entra_id"]
maturity = "production"
updated_date = "2026/05/26"

[rule]
author = ["Elastic"]
description = """
Identifies the first occurrence of a Microsoft Entra ID device, surfaced through the Entra ID Entity Analytics device
inventory, whose host name follows the default "DESKTOP-" pattern and whose operating system build is `10.0.19041.928`.
This combination is the default device profile that ROADtools (roadtx) uses when registering a device, and the OS build
typically differs from the patched OS versions of legitimate hosts in the environment. Adversaries register rogue
devices in Entra ID to acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic
access to the tenant. Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline
approved device builds and naming conventions before relying on it.
"""
false_positives = [
    """
    Unmanaged or imaged Windows 10 20H1 hosts may legitimately report the `10.0.19041.928` build with a default
    "DESKTOP-" host name. Validate against your device inventory and patch baseline before escalating.
    """,
    """
    Authorized red team or penetration testing engagements that use ROADtools to register devices will appear in the
    device inventory and match this rule. If this is expected, add exceptions for the specific host names or device IDs.
    """,
]
from = "now-6h"
index = ["logs-entityanalytics_entra_id.device-*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Entra ID Device with ROADtools Default OS Build (Entity Analytics)"
note = """## Triage and analysis

### Investigating Entra ID Device with ROADtools Default OS Build (Entity Analytics)

ROADtools (roadtx) registers a device in Entra ID with a default OS build of `10.0.19041.928` and a default name of
`DESKTOP-<8 random characters>`. This OS build is the current default value roadtx uses and differs from
the OS version of legitimate hosts, making the build a useful indicator of ROADtools device registration. This rule runs
against the Entra ID Entity Analytics device inventory and fires the first time a device matching this fingerprint
appears, so an alert generally represents a newly observed rogue device rather than a real-time registration event.
Rogue device registration is typically a precursor to Primary Refresh Token (PRT) acquisition, MFA/Conditional Access
bypass, and persistent token-based access.

### Possible investigation steps

- Confirm the device identity via `host.name`, `host.os.version`, `entityanalytics_entra_id.device.display_name`, and
`entityanalytics_entra_id.device.id` (or `device.id`). Default `DESKTOP-` names that do not match your naming convention
are suspicious.
- Review `entityanalytics_entra_id.device.registration_date_time` and `entityanalytics_entra_id.device.trust_type` to
establish when and how the device was registered (e.g., Azure AD registered vs. joined).
- Identify the registered owner via `entityanalytics_entra_id.device.registered_owners.user_principal_name` and determine
whether that user is expected to register a new device.
- Check `entityanalytics_entra_id.device.is_managed` and `entityanalytics_entra_id.device.is_compliant`; ROADtools
devices are typically unmanaged and non-compliant.
- Pivot to `logs-azure.auditlogs-*` for the corresponding `Add device` event (initiated by the `Device Registration
Service`) and to `logs-azure.signinlogs-*` for sign-ins by the device owner where the incoming token type is a
`primaryRefreshToken`.
- Correlate with the companion audit-log rule "Entra ID Device Registration with ROADtools Default OS Build"
for the same device name to confirm registration-time activity.

### False positive analysis

- Unmanaged or imaged Windows 10 20H1 hosts may legitimately report the `10.0.19041.928` build with a default
`DESKTOP-` host name. Validate against device inventory and patch baseline.
- Authorized security assessments using ROADtools will appear in inventory. Document the engagement and add scoped
exceptions.

### Response and remediation

- If confirmed malicious, remove the device from Entra ID and revoke the owner's refresh tokens and primary refresh
tokens.
- Disable the account or reset credentials per policy and review for additional persistence (added owners, app
registrations, or service principal credentials).
- Tighten device registration and join controls via Conditional Access (restrict who can register/join devices and
require MFA for registration).
"""
references = [
    "https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/",
    "https://github.com/dirkjanm/ROADtools",
    "https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/",
]
risk_score = 47
rule_id = "10b63b69-9f08-4767-b318-12208f97ad41"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Entity Analytics",
    "Use Case: Asset Visibility",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset:"entityanalytics_entra_id.device" and
    event.provider:"Microsoft Entra ID" and
    host.name:DESKTOP-* and host.os.version:"10.0.19041.928"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.005"
name = "Device Registration"
reference = "https://attack.mitre.org/techniques/T1098/005/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.name",
    "host.id",
    "host.os.version",
    "event.provider",
    "entityanalytics_entra_id.device.display_name",
    "entityanalytics_entra_id.device.operating_system",
    "entityanalytics_entra_id.device.operating_system_version",
    "entityanalytics_entra_id.device.trust_type",
    "entityanalytics_entra_id.device.profile_type",
    "entityanalytics_entra_id.device.is_managed",
    "entityanalytics_entra_id.device.is_compliant",
    "entityanalytics_entra_id.device.registration_date_time",
    "entityanalytics_entra_id.device.registered_owners.user_principal_name",
    "entityanalytics_entra_id.device.id",
    "device.id",
]

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
Triage and analysis
Investigating Entra ID Device with ROADtools Default OS Build (Entity Analytics)
ROADtools (roadtx) registers a device in Entra ID with a default OS build of 10.0.19041.928 and a default name of
DESKTOP-<8 random characters>. This OS build is the current default value roadtx uses and differs from
the OS version of legitimate hosts, making the build a useful indicator of ROADtools device registration. This rule runs
against the Entra ID Entity Analytics device inventory and fires the first time a device matching this fingerprint
appears, so an alert generally represents a newly observed rogue device rather than a real-time registration event.
Rogue device registration is typically a precursor to Primary Refresh Token (PRT) acquisition, MFA/Conditional Access
bypass, and persistent token-based access.
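To make the firing behaviour concrete, the following added example (not part of the Elastic rule or of ROADtools) approximates the rule's KQL fingerprint and its new_terms semantics over a few constructed inventory documents: a host.id that matches the query inside the 6-hour run window alerts only if it was not already seen matching the query earlier in the 7-day history window. The document field names follow the rule; the host ids, names, builds and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone

ROADTX_DEFAULT_BUILD = "10.0.19041.928"  # default OS build the rule keys on
DEFAULT_NAME_PREFIX = "DESKTOP-"         # default host-name pattern the rule keys on


def doc(ts, host_id, name, version, managed, compliant):
    """Build one inventory document using the field names the rule investigates."""
    return {"@timestamp": ts, "host.id": host_id, "host.name": name, "host.os.version": version,
            "entityanalytics_entra_id.device.is_managed": managed,
            "entityanalytics_entra_id.device.is_compliant": compliant}


# Constructed sample standing in for logs-entityanalytics_entra_id.device-*; not real tenant data.
DEVICE_DOCS = [
    doc("2026-05-20T08:00:00Z", "dev-001", "DESKTOP-A1B2C3D4", ROADTX_DEFAULT_BUILD, False, False),
    doc("2026-05-26T09:00:00Z", "dev-001", "DESKTOP-A1B2C3D4", ROADTX_DEFAULT_BUILD, False, False),
    doc("2026-05-26T09:05:00Z", "dev-002", "DESKTOP-ZZ99YY88", ROADTX_DEFAULT_BUILD, False, False),
    doc("2026-05-26T09:10:00Z", "dev-003", "LAPTOP-FIN-0042", "10.0.22631.3737", True, True),
    doc("2026-05-26T09:12:00Z", "dev-004", "DESKTOP-7G7G7G7G", "10.0.19045.4291", False, False),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_query(d):
    """The rule's KQL fingerprint: default DESKTOP- name AND the roadtx default build."""
    return d["host.name"].startswith(DEFAULT_NAME_PREFIX) and d["host.os.version"] == ROADTX_DEFAULT_BUILD


def new_term_alerts(docs, now, run_window=timedelta(hours=6), history=timedelta(days=7)):
    """Approximation of the new_terms rule on host.id: alert on a host that matches the query
    inside the run window (from = now-6h) but did not match it earlier in the history window."""
    run_start, hist_start = now - run_window, now - history
    matching = [d for d in docs if matches_query(d) and parse_ts(d["@timestamp"]) >= hist_start]
    known = {d["host.id"] for d in matching if parse_ts(d["@timestamp"]) < run_start}
    alerts, seen = [], set()
    for d in sorted(matching, key=lambda x: x["@timestamp"]):
        hid = d["host.id"]
        if parse_ts(d["@timestamp"]) >= run_start and hid not in known and hid not in seen:
            seen.add(hid)
            alerts.append({
                "host.id": hid, "host.name": d["host.name"],
                # roadtx-registered devices are typically unmanaged and non-compliant (triage hint)
                "unmanaged_noncompliant": not d["entityanalytics_entra_id.device.is_managed"]
                and not d["entityanalytics_entra_id.device.is_compliant"],
            })
    return alerts


if __name__ == "__main__":
    for alert in new_term_alerts(DEVICE_DOCS, parse_ts("2026-05-26T12:00:00Z")):
        print(alert)
```

Only dev-002 alerts: dev-001 matches the fingerprint but was already in the history window, dev-003 fails both conditions, and dev-004 has the default name but a different build.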
Possible investigation steps
- Confirm the device identity via host.name, host.os.version, entityanalytics_entra_id.device.display_name, and entityanalytics_entra_id.device.id (or device.id). Default DESKTOP- names that do not match your naming convention are suspicious.
- Review entityanalytics_entra_id.device.registration_date_time and entityanalytics_entra_id.device.trust_type to establish when and how the device was registered (e.g., Azure AD registered vs. joined).
- Identify the registered owner via entityanalytics_entra_id.device.registered_owners.user_principal_name and determine whether that user is expected to register a new device.
- Check entityanalytics_entra_id.device.is_managed and entityanalytics_entra_id.device.is_compliant; ROADtools devices are typically unmanaged and non-compliant.
- Pivot to logs-azure.auditlogs-* for the corresponding Add device event (initiated by the Device Registration Service) and to logs-azure.signinlogs-* for sign-ins by the device owner where the incoming token type is a primaryRefreshToken.
- Correlate with the companion audit-log rule "Entra ID Device Registration with ROADtools Default OS Build" for the same device name to confirm registration-time activity.
False positive analysis
- Unmanaged or imaged Windows 10 20H1 hosts may legitimately report the 10.0.19041.928 build with a default DESKTOP- host name. Validate against device inventory and patch baseline.
- Authorized security assessments using ROADtools will appear in inventory. Document the engagement and add scoped exceptions.
Response and remediation
- If confirmed malicious, remove the device from Entra ID and revoke the owner's refresh tokens and primary refresh tokens.
- Disable the account or reset credentials per policy and review for additional persistence (added owners, app registrations, or service principal credentials).
- Tighten device registration and join controls via Conditional Access (restrict who can register/join devices and require MFA for registration).
References
- https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/
- https://github.com/dirkjanm/ROADtools
- https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/
Related rules
- Entra ID Device Registration with ROADtools Default OS Build
- Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN
- Entra ID Register Device with Unusual User Agent (Azure AD Join)
- Entra ID OAuth PRT Issuance to Non-Managed Device Detected
- Entra ID User Sign-in with Unusual Non-Managed Device