LoFP / Authorized red team or penetration testing engagements that use ROADtools to register devices will match this rule. If this is expected, add exceptions for the specific user principal names, source IPs, or device names involved.

Sample rules

Entra ID Device Registration with ROADtools Default OS Build

Description

Identifies a Microsoft Entra ID device registration where the recorded cloud device operating system build is "10.0.19041.928" and the device display name follows the default "DESKTOP-" pattern. This combination is the default device profile that ROADtools (roadtx) uses when registering a device, and it is uncommon for the OS build to match the hard-coded value across an environment of otherwise patched hosts. Adversaries register rogue devices in Entra ID to acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic access to the tenant. Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline approved provisioning tooling and device naming conventions before relying on it. Note that the query below keys on array positions 3 and 4 of modified_properties rather than on property names, so it depends on the audit log emitting the OS version and display name at those positions.

Detection logic

data_stream.dataset:"azure.auditlogs" and event.action:"Add device" and
    azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value:*10.0.19041.928* and
    azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value:*DESKTOP-*

Entra ID Device with ROADtools Default OS Build (Entity Analytics)

Description

Identifies the first occurrence of a Microsoft Entra ID device, surfaced through the Entra ID Entity Analytics device inventory, whose host name follows the default “DESKTOP-” pattern and whose operating system build is 10.0.19041.928. This combination is the default device profile that ROADtools (roadtx) uses when registering a device, and the OS build typically differs from the patched OS versions of legitimate hosts in the environment. Adversaries register rogue devices in Entra ID to acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic access to the tenant. Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline approved device builds and naming conventions before relying on it.

Detection logic

data_stream.dataset:"entityanalytics_entra_id.device" and
    event.provider:"Microsoft Entra ID" and
    host.name:DESKTOP-* and host.os.version:"10.0.19041.928"
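Both rules above reduce to a handful of field tests, and the quickest way to see what they catch and what slips past them is to run the same logic over a few documents offline. The following is an added example written for this page, not Elastic's rule code and not part of ROADtools: it re-implements the audit-log rule and the Entity Analytics rule in Python, evaluates them against constructed Entra ID documents (every device name, GUID and build other than 10.0.19041.928 is made up), and applies the device-name exception the false-positive note at the top recommends. The KQL `*value*` wildcards are treated as substring tests and `DESKTOP-*` as a prefix test; the audit sample places DeviceOSVersion at index 3 and DisplayName at index 4 because that is what the rule's paths assume.

```python
"""Added example (not Elastic's rule code): the two ROADtools default-profile rules
re-implemented over constructed Entra ID documents. Field paths, the build
10.0.19041.928 and the DESKTOP- prefix come from the rules; the documents below,
their names and their GUIDs are constructed for this example."""

ROADTX_DEFAULT_BUILD = "10.0.19041.928"
DEFAULT_NAME_PREFIX = "DESKTOP-"
MODIFIED_PROPS = "azure.auditlogs.properties.target_resources.0.modified_properties"


def _get(doc, path):
    """Resolve a dotted path such as 'a.b.0.c' through nested dicts and lists."""
    cur = doc
    for part in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(part)
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur


def matches_audit_rule(doc):
    """Rule 1 (azure.auditlogs): 'Add device' whose modified_properties[3] value
    contains the roadtx build and whose modified_properties[4] value contains
    DESKTOP-. The KQL *...* wildcards become substring tests here, which also
    tolerates the surrounding quotes the audit log puts around new_value."""
    if _get(doc, "data_stream.dataset") != "azure.auditlogs":
        return False
    if _get(doc, "event.action") != "Add device":
        return False
    build = _get(doc, f"{MODIFIED_PROPS}.3.new_value") or ""
    name = _get(doc, f"{MODIFIED_PROPS}.4.new_value") or ""
    return ROADTX_DEFAULT_BUILD in build and DEFAULT_NAME_PREFIX in name


def matches_entity_rule(doc):
    """Rule 2 (entityanalytics_entra_id.device): host.name:DESKTOP-* is a prefix
    match and host.os.version is an exact match."""
    return (
        _get(doc, "data_stream.dataset") == "entityanalytics_entra_id.device"
        and _get(doc, "event.provider") == "Microsoft Entra ID"
        and str(_get(doc, "host.name") or "").startswith(DEFAULT_NAME_PREFIX)
        and _get(doc, "host.os.version") == ROADTX_DEFAULT_BUILD
    )


def device_name(doc):
    """Device name as either rule sees it, with the audit log's quoting removed."""
    raw = _get(doc, "host.name") or _get(doc, f"{MODIFIED_PROPS}.4.new_value") or ""
    return raw.strip('"')


def run_rules(docs, exceptions=frozenset()):
    """Return [(doc id, rule name)] for documents that trip a rule, skipping device
    names listed in `exceptions` (the per-engagement allowlist from the LoFP note)."""
    hits = []
    for doc in docs:
        if device_name(doc) in exceptions:
            continue
        if matches_audit_rule(doc):
            hits.append((doc["id"], "audit_default_build"))
        if matches_entity_rule(doc):
            hits.append((doc["id"], "entity_default_build"))
    return hits


def _audit_doc(doc_id, os_build, display_name):
    # Constructed 'Add device' audit event. DeviceOSVersion sits at index 3 and
    # DisplayName at index 4 because that is where the rule's paths look.
    props = [
        {"display_name": "AccountEnabled", "new_value": '"true"'},
        {"display_name": "DeviceId", "new_value": '"1f2e3d4c-0000-4000-8000-000000000001"'},
        {"display_name": "DeviceOSType", "new_value": '"Windows"'},
        {"display_name": "DeviceOSVersion", "new_value": f'"{os_build}"'},
        {"display_name": "DisplayName", "new_value": f'"{display_name}"'},
    ]
    return {
        "id": doc_id,
        "data_stream": {"dataset": "azure.auditlogs"},
        "event": {"action": "Add device"},
        "azure": {"auditlogs": {"properties": {"target_resources": [{"modified_properties": props}]}}},
    }


def _entity_doc(doc_id, os_build, host_name):
    # Constructed Entity Analytics device inventory document.
    return {
        "id": doc_id,
        "data_stream": {"dataset": "entityanalytics_entra_id.device"},
        "event": {"provider": "Microsoft Entra ID"},
        "host": {"name": host_name, "os": {"version": os_build}},
    }


SAMPLE_DOCS = [
    _audit_doc("audit-roadtx", ROADTX_DEFAULT_BUILD, "DESKTOP-H3K9P2Q"),   # roadtx defaults: fires
    _audit_doc("audit-patched", "10.0.22631.3296", "DESKTOP-R7TQ2MZ"),      # default name, patched build: silent
    _audit_doc("audit-renamed", ROADTX_DEFAULT_BUILD, "LAPTOP-FIN-07"),     # default build, custom name: evades
    _entity_doc("entity-roadtx", ROADTX_DEFAULT_BUILD, "DESKTOP-H3K9P2Q"),  # fires
    _entity_doc("entity-patched", "10.0.22631.3296", "DESKTOP-R7TQ2MZ"),    # silent
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_DOCS):
        print(hit)
    # With the engagement's device name excepted, the same input raises nothing.
    print(run_rules(SAMPLE_DOCS, exceptions={"DESKTOP-H3K9P2Q"}))
```

The `audit-renamed` document is the evasion case the descriptions warn about: a registration that keeps the default build but changes the display name produces no hit, because both rules require the name and the build together. The `device_name` based exception is the shape the false-positive note asks for; the same idea extends to user principal names and source IPs if those fields are present in the event.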