LoFP / Unmanaged or imaged Windows 10 20H1 hosts may legitimately report the `10.0.19041.928` build with a default "DESKTOP-" host name. Validate against your device inventory and patch baseline before escalating.

Techniques

Sample rules

Entra ID Device with ROADtools Default OS Build (Entity Analytics)

Description

Identifies the first occurrence of a Microsoft Entra ID device, surfaced through the Entra ID Entity Analytics device inventory, whose host name follows the default “DESKTOP-” pattern and whose operating system build is 10.0.19041.928. This combination is the default device profile that ROADtools (roadtx) uses when registering a device, and the OS build typically differs from the patched OS versions of legitimate hosts in the environment. Adversaries register rogue devices in Entra ID to acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic access to the tenant. Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline approved device builds and naming conventions before relying on it.

Detection logic

data_stream.dataset:"entityanalytics_entra_id.device" and
    event.provider:"Microsoft Entra ID" and
    host.name:DESKTOP-* and host.os.version:"10.0.19041.928"
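The query above can be read as three ANDed clauses plus a "first occurrence" dedupe, followed by the inventory/patch-baseline check that this LoFP entry asks for before escalation. The following is an added example that re-implements that logic in Python so the false-positive handling can be tested offline; it is not the rule's own code or part of the Elastic detection repository. The field paths and the `DESKTOP-` / `10.0.19041.928` values come from the query; the device documents, the managed-device inventory and the baseline build string are constructed for the example.

```python
"""Re-implementation of the Entra ID / ROADtools default-build rule as a
pure-Python filter, plus the LoFP triage step (inventory and patch-baseline
check). Added example, not the rule's own code. Sample documents, the managed
inventory and the baseline build below are constructed, not real telemetry."""

from datetime import datetime

DEFAULT_BUILD = "10.0.19041.928"   # roadtx default OS build (from the rule)
DEFAULT_NAME_PREFIX = "DESKTOP-"   # default host-name pattern (from the rule)

# Constructed device documents shaped like the entityanalytics_entra_id.device
# data stream. Two refreshes of the same host (DESKTOP-4K2J1PQ) are included
# to exercise the first-occurrence dedupe.
SAMPLE_DEVICES = [
    {"@timestamp": "2024-05-01T10:00:00",
     "data_stream": {"dataset": "entityanalytics_entra_id.device"},
     "event": {"provider": "Microsoft Entra ID"},
     "host": {"name": "DESKTOP-4K2J1PQ", "os": {"version": "10.0.19041.928"}}},
    {"@timestamp": "2024-05-01T12:00:00",
     "data_stream": {"dataset": "entityanalytics_entra_id.device"},
     "event": {"provider": "Microsoft Entra ID"},
     "host": {"name": "DESKTOP-IMG0001", "os": {"version": "10.0.19041.928"}}},
    {"@timestamp": "2024-05-02T09:00:00",
     "data_stream": {"dataset": "entityanalytics_entra_id.device"},
     "event": {"provider": "Microsoft Entra ID"},
     "host": {"name": "DESKTOP-4K2J1PQ", "os": {"version": "10.0.19041.928"}}},
    {"@timestamp": "2024-05-01T11:00:00",
     "data_stream": {"dataset": "entityanalytics_entra_id.device"},
     "event": {"provider": "Microsoft Entra ID"},
     "host": {"name": "DESKTOP-PATCHED", "os": {"version": "10.0.19045.4291"}}},
    {"@timestamp": "2024-05-01T11:30:00",
     "data_stream": {"dataset": "entityanalytics_entra_id.device"},
     "event": {"provider": "Microsoft Entra ID"},
     "host": {"name": "LAPTOP-FIN07", "os": {"version": "10.0.19041.928"}}},
]

# Constructed managed-device inventory: hosts the desktop team imaged on purpose.
MANAGED_INVENTORY = {"DESKTOP-IMG0001", "DESKTOP-PATCHED", "LAPTOP-FIN07"}
# Constructed patch baseline (placeholder, not a real KB level).
PATCH_BASELINE_BUILD = "10.0.19041.3570"


def get_field(doc, dotted):
    """Resolve a dotted field path such as 'host.os.version' in a nested dict."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_rule(doc):
    """True when a document satisfies every clause of the detection query.
    The host-name prefix test is case-insensitive here (assumption; the
    wildcard clause in KQL behaves according to the field's mapping)."""
    name = str(get_field(doc, "host.name") or "")
    return (
        get_field(doc, "data_stream.dataset") == "entityanalytics_entra_id.device"
        and get_field(doc, "event.provider") == "Microsoft Entra ID"
        and name.upper().startswith(DEFAULT_NAME_PREFIX)   # host.name:DESKTOP-*
        and get_field(doc, "host.os.version") == DEFAULT_BUILD
    )


def first_occurrences(docs):
    """Return the earliest matching document per host name, oldest first.
    The rule is meant to fire on first sight of a device, not on every
    inventory refresh that re-reports the same host."""
    earliest = {}
    for doc in docs:
        if not matches_rule(doc):
            continue
        name = get_field(doc, "host.name")
        ts = datetime.fromisoformat(doc["@timestamp"])
        if name not in earliest or ts < earliest[name][0]:
            earliest[name] = (ts, doc)
    return [doc for _, doc in sorted(earliest.values(), key=lambda pair: pair[0])]


def build_tuple(version):
    """'10.0.19041.928' -> (10, 0, 19041, 928) for numeric comparison."""
    return tuple(int(part) for part in version.split("."))


def triage(hit, managed_inventory, baseline_build):
    """Apply the LoFP guidance. A host present in the managed inventory is most
    likely a freshly imaged or unmanaged 20H1 machine, so the analyst confirms
    the imaging baseline instead of escalating; an unknown host reporting the
    tool-default build below the patch baseline is escalated."""
    name = get_field(hit, "host.name")
    below_baseline = build_tuple(get_field(hit, "host.os.version")) < build_tuple(baseline_build)
    if name in managed_inventory:
        return "validate_imaging_baseline"
    return "escalate" if below_baseline else "review"


if __name__ == "__main__":
    for hit in first_occurrences(SAMPLE_DEVICES):
        print(get_field(hit, "host.name"), "->",
              triage(hit, MANAGED_INVENTORY, PATCH_BASELINE_BUILD))
```

The dedupe key is `host.name` because that is the field the query pivots on; in a real deployment the Entra device id is the better identity, since a second rogue registration can reuse a host name. The `review` verdict only arises if the baseline is ever set below the tool-default build, which would mean the baseline itself needs attention.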