Legitimate device registrations may coincidentally use the `10.0.19041.928` build (Windows 10 20H1) with a default `DESKTOP-` hostname, particularly on imaged or unmanaged Windows hosts that have not been updated. Validate against your device inventory, expected provisioning workflows, and the registering user before escalating.

Techniques

Sample rules

Entra ID Device Registration with ROADtools Default OS Build

Description

Identifies a Microsoft Entra ID device registration where the recorded cloud device operating system build is “10.0.19041.928” and the device display name follows the default “DESKTOP-” pattern. This combination is the default device profile that ROADtools (roadtx) uses when registering a device, and it is uncommon for the OS build to match the hardcoded value across an environment of otherwise patched hosts. Adversaries register rogue devices in Entra ID to acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic access to the tenant. Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline approved provisioning tooling and device naming conventions before relying on it.

Detection logic

data_stream.dataset:"azure.auditlogs" and event.action:"Add device" and
    azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value:*10.0.19041.928* and
    azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value:*DESKTOP-*
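The following is an added example, not code from the original page, from Elastic, or from ROADtools. It replays the three conditions of the rule above over constructed Entra ID audit events shaped like the Elastic `azure.auditlogs` documents the query reads, then applies the false-positive guidance (device inventory plus approved provisioning identity) before anything is escalated. The events, the inventory, the approved-account list and the `initiated_by.user.userPrincipalName` path used to find the registering user are all assumptions made for the demo; only the dataset, action and the positional `modified_properties.3` / `.4` fields come from the rule itself.

```python
"""Replay the ROADtools default-build rule over constructed events, then triage.

Added example; not from the original page, Elastic, or ROADtools.
Sample events, inventory and approved accounts are constructed for this demo.
"""
import json
from fnmatch import fnmatchcase

ROADTOOLS_DEFAULT_BUILD = "10.0.19041.928"   # from the rule
DEFAULT_HOSTNAME_PREFIX = "DESKTOP-"          # from the rule
MODPROPS = "azure.auditlogs.properties.target_resources.0.modified_properties"
# Assumed field path for the registering identity (not part of the rule).
ACTOR_PATH = "azure.auditlogs.properties.initiated_by.user.userPrincipalName"


def _get(obj, path, default=None):
    """Walk a dotted path where numeric parts index lists, mirroring the rule's `.0.`/`.3.` syntax."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        elif isinstance(cur, dict) and part in cur:
            cur = cur[part]
        else:
            return default
    return cur


def make_event(os_build, display_name, actor, action="Add device"):
    """Build a minimal, constructed event with only the fields the rule and triage read.

    Positions 3 and 4 of modified_properties carry the OS build and display name because
    that is where the rule indexes them; the other entries are placeholders. new_value is
    stored as a JSON string here, which is the shape the rule's leading/trailing wildcards
    tolerate.
    """
    values = ("Windows", True, "registered", os_build, display_name)
    props = [{"new_value": json.dumps(v)} for v in values]
    return {
        "data_stream": {"dataset": "azure.auditlogs"},
        "event": {"action": action},
        "azure": {"auditlogs": {"properties": {
            "target_resources": [{"modified_properties": props}],
            "initiated_by": {"user": {"userPrincipalName": actor}},  # assumed path
        }}},
    }


def matches_rule(event):
    """True when the event satisfies the rule: dataset, action, build wildcard, name wildcard."""
    if _get(event, "data_stream.dataset") != "azure.auditlogs":
        return False
    if _get(event, "event.action") != "Add device":
        return False
    os_build = str(_get(event, MODPROPS + ".3.new_value", ""))
    display = str(_get(event, MODPROPS + ".4.new_value", ""))
    return (fnmatchcase(os_build, f"*{ROADTOOLS_DEFAULT_BUILD}*")
            and fnmatchcase(display, f"*{DEFAULT_HOSTNAME_PREFIX}*"))


def _unquote(raw):
    """Decode a JSON-encoded new_value; fall back to the raw string if it is not JSON."""
    try:
        return json.loads(raw)
    except (TypeError, ValueError):
        return raw


def triage(event, inventory, approved_provisioners):
    """Apply the false-positive guidance: a hit is set aside for review only when the
    device is inventoried AND the registering identity is an approved provisioning
    account; every other hit escalates. Returns (verdict, reason)."""
    if not matches_rule(event):
        return ("no-match", "rule conditions not met")
    name = str(_unquote(_get(event, MODPROPS + ".4.new_value", '""')))
    actor = _get(event, ACTOR_PATH, "<unknown>")
    known_device, approved_actor = name in inventory, actor in approved_provisioners
    if known_device and approved_actor:
        return ("review", f"{name} is inventoried and was registered by {actor}")
    reasons = []
    if not known_device:
        reasons.append(f"{name} is not in the device inventory")
    if not approved_actor:
        reasons.append(f"{actor} is not an approved provisioning identity")
    return ("escalate", "; ".join(reasons))


# Constructed inventory, approved accounts and events for the demo.
INVENTORY = {"DESKTOP-IMG01"}
APPROVED = {"provisioning-svc@example.com"}
SAMPLE_EVENTS = {
    "rogue": make_event("10.0.19041.928", "DESKTOP-K7Q2P1", "alice@example.com"),
    "imaged": make_event("10.0.19041.928", "DESKTOP-IMG01", "provisioning-svc@example.com"),
    "patched": make_event("10.0.19045.4046", "DESKTOP-ABC123", "alice@example.com"),
    "other_action": make_event("10.0.19041.928", "DESKTOP-K7Q2P1", "alice@example.com",
                               action="Update device"),
}


def run(events=SAMPLE_EVENTS):
    """Triage every sample event; returns {label: verdict}."""
    return {label: triage(ev, INVENTORY, APPROVED)[0] for label, ev in events.items()}


if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        print(f"{label:13s} -> {triage(ev, INVENTORY, APPROVED)}")
```

The positional `modified_properties.3` / `.4` indexing is copied from the rule on purpose: if the order of modified properties in the audit record ever changes, both the rule and this replay stop matching silently, so the `patched` and `other_action` samples double as a regression check that the conditions still fire only on the combination the rule describes.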