-
Notifications
You must be signed in to change notification settings - Fork 680
[New Rule] Entra ID Device Registration with Phishing Kit Default OS Build #6354
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
terrancedejesus
merged 6 commits into
main
from
new-rule/entra-id-tycoon-kali365-default-os-build
Jul 7, 2026
Merged
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
4e3c56f
[New Rule] Entra ID Device Registration with Phishing Kit Default OS …
terrancedejesus 163fe3b
updating references
terrancedejesus cd62e0f
updating new terms field
terrancedejesus 77e25f0
Merge branch 'main' into new-rule/entra-id-tycoon-kali365-default-os-…
terrancedejesus b6b3e6a
Merge branch 'main' into new-rule/entra-id-tycoon-kali365-default-os-…
terrancedejesus 6d9bddb
Merge branch 'main' into new-rule/entra-id-tycoon-kali365-default-os-…
terrancedejesus File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
133 changes: 133 additions & 0 deletions
133
...rations/azure/persistence_entra_id_phishing_kit_default_os_build_device_registration.toml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,133 @@ | ||
| [metadata] | ||
| creation_date = "2026/06/29" | ||
| integration = ["azure"] | ||
| maturity = "production" | ||
| updated_date = "2026/06/29" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies a Microsoft Entra ID device registration where the recorded cloud device operating system build is | ||
| "10.0.19045.2006" and the device display name follows the default "DESKTOP-" pattern. This is the frozen default device | ||
| profile observed when adversary-in-the-middle (AiTM) phishing kits such as Tycoon2FA and Kali365 register Azure | ||
| AD-joined devices after capturing a victim session, in order to acquire a Primary Refresh Token (PRT) and establish | ||
| persistence. The build is hardcoded by the tooling and it is uncommon for the OS build to match this exact value across | ||
| an environment of otherwise patched hosts, where a current Windows 10 22H2 device reports a far higher | ||
| "10.0.19045.<revision>" value. | ||
| """ | ||
| false_positives = [ | ||
| """ | ||
| Legitimate device registrations may coincidentally use the `10.0.19045.2006` build (Windows 10 22H2) with a default | ||
| `DESKTOP-` hostname, particularly on imaged or unmanaged Windows hosts that have not been updated. Validate against | ||
| your device inventory, expected provisioning workflows, and the registering user before escalating. | ||
| """, | ||
| """ | ||
| Authorized red team or penetration testing engagements that register devices with this OS profile will match this | ||
| rule. If this is expected, add exceptions for the specific user principal names, source IPs, or device names | ||
| involved. | ||
| """, | ||
| ] | ||
| from = "now-9m" | ||
| index = ["logs-azure.auditlogs-*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "Entra ID Device Registration with Phishing Kit Default OS Build" | ||
| note = """## Triage and analysis | ||
|
|
||
| ### Investigating Entra ID Device Registration with Phishing Kit Default OS Build | ||
|
|
||
| AiTM phishing kits including Tycoon2FA and Kali365 register a device in Entra ID with a frozen default cloud device OS build of `10.0.19045.2006` and a default display name of `DESKTOP-<random characters>`. This build is hardcoded by the tooling and differs from the OS version of legitimate, patched hosts (a current Windows 10 22H2 device reports a much higher `10.0.19045.<revision>` value), making the build a useful indicator of kit-driven device registration. Rogue device registration is typically a precursor to Primary Refresh Token (PRT) acquisition, MFA/Conditional Access bypass, and persistent token-based access. | ||
|
|
||
| The matching Entra ID audit event is an `Add device` operation initiated by the `Device Registration Service`, where the modified properties record the registered device characteristics: | ||
|
|
||
| - `azure.auditlogs.properties.target_resources.0.modified_properties.3` (`CloudDeviceOSVersion`) = `10.0.19045.2006` | ||
| - `azure.auditlogs.properties.target_resources.0.modified_properties.4` (`CloudDisplayName`) = `DESKTOP-*` | ||
|
|
||
| ### Possible investigation steps | ||
|
|
||
| - Confirm the registering identity via `azure.auditlogs.properties.initiated_by.user.userPrincipalName` and determine whether that user is expected to register a new device. | ||
| - Review `azure.auditlogs.identity` to confirm the `Device Registration Service` initiated the request, and use `azure.correlation_id` to pivot across the full registration flow (`Add device`, `Add registered users to device`, `Add registered owner to device`). | ||
| - Inspect the device name in `azure.auditlogs.properties.target_resources.0.display_name`; kit-registered names are commonly `DESKTOP-` followed by 6 alphanumeric (Tycoon2FA) or 6 hexadecimal (Kali365) characters. | ||
| - Inspect the registration user agent on the paired `Register device` event (`azure.auditlogs.properties.userAgent`), which is frequently a spoofed `Dsreg/10.0 (Windows 10.0.19045.2006)` string or a raw HTTP client such as `axios/*` or `python-requests/*`. | ||
| - Check whether the same user registered multiple devices in a short window (a single piece of kit infrastructure registering several devices is common for PRT persistence at scale). | ||
| - Review `azure.auditlogs.properties.initiated_by.user.ipAddress` and geolocation for the registration source. Flag unexpected IPs, hosting/VPS ASNs (for example Tencent or Alibaba), or impossible-travel relative to the user's normal activity. | ||
| - Pivot to `azure.signinlogs` for the same user and timeframe and look for follow-on sign-ins where the incoming token type is a `primaryRefreshToken`, for AiTM sign-ins immediately preceding the registration, or for the broker subsequently minting tokens for other resources such as Microsoft Graph. | ||
|
|
||
| ### False positive analysis | ||
|
|
||
| - Unmanaged or never-patched Windows 10 22H2 hosts may legitimately present the `10.0.19045.2006` build with a default `DESKTOP-` hostname. Validate against device inventory and known provisioning programs. | ||
| - Authorized security assessments that register devices with this OS profile will match. Document the engagement and add scoped exceptions. | ||
|
|
||
| ### Response and remediation | ||
|
|
||
| - If confirmed malicious, remove the registered device from Entra ID and revoke the user's refresh tokens and primary refresh tokens. Remove the device BEFORE revoking sessions, because device-bound PRTs survive `revokeSignInSessions`. | ||
| - Disable the account or reset credentials per policy and review for additional persistence (attacker-registered MFA methods, added owners, app registrations, or service principal credentials). | ||
| - Conduct historical analysis using `azure.correlation_id` and the registering user to determine scope of access. | ||
| - Tighten device registration and join controls via Conditional Access (restrict who can register/join devices and require MFA for registration). | ||
| """ | ||
| references = [ | ||
| "https://any.run/malware-trends/tycoon/", | ||
| "https://www.huntress.com/blog/kali365-device-code-phishing-kit", | ||
| "https://any.run/malware-trends/kali365/", | ||
| "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/", | ||
| "https://www.ic3.gov/PSA/2026/PSA260521", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "82629eed-5516-446e-ad73-03b8c4f4d571" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Domain: Identity", | ||
| "Data Source: Azure", | ||
| "Data Source: Microsoft Entra ID", | ||
| "Data Source: Microsoft Entra ID Audit Logs", | ||
| "Use Case: Identity and Access Audit", | ||
| "Use Case: Threat Detection", | ||
| "Threat: Tycoon2FA", | ||
| "Threat: Kali365", | ||
| "Tactic: Persistence", | ||
| "Resources: Investigation Guide", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "query" | ||
|
|
||
| query = ''' | ||
| data_stream.dataset:"azure.auditlogs" and event.action:"Add device" and | ||
| azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value:*10.0.19045.2006* and | ||
| azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value:*DESKTOP-* | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1098" | ||
| name = "Account Manipulation" | ||
| reference = "https://attack.mitre.org/techniques/T1098/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1098.005" | ||
| name = "Device Registration" | ||
| reference = "https://attack.mitre.org/techniques/T1098/005/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0003" | ||
| name = "Persistence" | ||
| reference = "https://attack.mitre.org/tactics/TA0003/" | ||
|
|
||
| [rule.investigation_fields] | ||
| field_names = [ | ||
| "@timestamp", | ||
| "event.action", | ||
| "event.outcome", | ||
| "azure.auditlogs.identity", | ||
| "azure.auditlogs.operation_name", | ||
| "azure.auditlogs.properties.target_resources.0.display_name", | ||
| "azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value", | ||
| "azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value", | ||
| "azure.auditlogs.properties.initiated_by.user.userPrincipalName", | ||
| "azure.auditlogs.properties.initiated_by.user.ipAddress", | ||
| "azure.correlation_id", | ||
| ] | ||
|
|
||
139 changes: 139 additions & 0 deletions
139
...s/entityanalytics_entra_id/persistence_entra_id_device_phishing_kit_default_os_build.toml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,139 @@ | ||
| [metadata] | ||
| creation_date = "2026/06/29" | ||
| integration = ["entityanalytics_entra_id"] | ||
| maturity = "production" | ||
| updated_date = "2026/06/29" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies the first occurrence of a Microsoft Entra ID device, surfaced through the Entra ID Entity Analytics device | ||
| inventory, whose host name follows the default "DESKTOP-" pattern and whose operating system build is "10.0.19045.2006". | ||
| This is the frozen default device profile observed when adversary-in-the-middle (AiTM) phishing kits such as Tycoon2FA | ||
| and Kali365 register Azure AD-joined devices after capturing a victim session, in order to acquire a Primary Refresh | ||
| Token (PRT) and establish persistence. The build is hardcoded by the tooling and differs from legitimate hosts: a | ||
| patched Windows 10 22H2 device reports a far higher "10.0.19045.<revision>" value, so a device frozen at ".2006" with a | ||
| default name is a high-fidelity, though evadable, indicator. | ||
| """ | ||
| false_positives = [ | ||
| """ | ||
| Unmanaged or never-patched Windows 10 22H2 hosts may legitimately report the `10.0.19045.2006` build with a default | ||
| "DESKTOP-" host name. Validate against your device inventory and patch baseline before escalating. | ||
| """, | ||
| """ | ||
| Authorized red team or penetration testing engagements that register devices with this OS profile will appear in the | ||
| device inventory and match this rule. If this is expected, add exceptions for the specific host names or device IDs. | ||
| """, | ||
| ] | ||
| from = "now-6h" | ||
| index = ["logs-entityanalytics_entra_id.device-*"] | ||
| interval = "1h" | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "Entra ID Phishing Kit Default OS Build (Entity Analytics)" | ||
| note = """## Triage and analysis | ||
|
|
||
| ### Investigating Entra ID Phishing Kit Default OS Build (Entity Analytics) | ||
|
|
||
| AiTM phishing kits including Tycoon2FA and Kali365 register a device in Entra ID with a frozen default operating system build of `10.0.19045.2006` and a default name of `DESKTOP-<random characters>`. This build is hardcoded by the tooling and differs from the OS version of legitimate, patched hosts (a current Windows 10 22H2 device reports a much higher `10.0.19045.<revision>` value), making the build a useful indicator of kit-driven device registration. This rule runs against the Entra ID Entity Analytics device inventory and fires the first time a device matching this fingerprint appears, so an alert generally represents a newly observed rogue device rather than a real-time registration event. Rogue device registration is typically a precursor to Primary Refresh Token (PRT) acquisition, MFA/Conditional Access bypass, and persistent token-based access. | ||
|
|
||
| ### Possible investigation steps | ||
|
|
||
| - Confirm the device identity via `host.name`, `host.os.version`, `entityanalytics_entra_id.device.display_name`, and `entityanalytics_entra_id.device.id` (or `device.id`). Default `DESKTOP-` names that do not match your naming convention are suspicious; kit-registered names are commonly `DESKTOP-` followed by 6 alphanumeric (Tycoon2FA) or 6 hexadecimal (Kali365) characters. | ||
| - Review `entityanalytics_entra_id.device.registration_date_time` and `entityanalytics_entra_id.device.trust_type` to establish when and how the device was registered; kit devices are typically `AzureAd` joined. | ||
| - Identify the registered owner via `entityanalytics_entra_id.device.registered_owners.user_principal_name` and determine whether that user is expected to register a new device. | ||
| - Check `entityanalytics_entra_id.device.is_managed` and `entityanalytics_entra_id.device.is_compliant`; kit-registered devices are typically unmanaged and non-compliant. | ||
| - Pivot to `logs-azure.auditlogs-*` for the corresponding `Add device` and `Register device` events (initiated by the `Device Registration Service` via the `Microsoft Authentication Broker`). Inspect the `Register device` user agent, which is frequently a spoofed `Dsreg/10.0 (Windows 10.0.19045.2006)` string or a raw HTTP client such as `axios/*` or `python-requests/*`. | ||
| - Check whether the same owner registered multiple devices in a short window (a single piece of kit infrastructure registering several devices is common for PRT persistence at scale) and whether the broker was subsequently used to mint tokens for other resources such as Microsoft Graph. | ||
| - Pivot to `logs-azure.signinlogs-*` for sign-ins by the device owner where the incoming token type is a `primaryRefreshToken`. | ||
|
|
||
| ### False positive analysis | ||
|
|
||
| - Unmanaged or never-patched Windows 10 22H2 hosts may legitimately report the `10.0.19045.2006` build with a default `DESKTOP-` host name. Validate against device inventory and patch baseline. | ||
| - Authorized security assessments that register devices with this OS profile will appear in inventory. Document the engagement and add scoped exceptions. | ||
|
|
||
| ### Response and remediation | ||
|
|
||
| - If confirmed malicious, remove the device from Entra ID and revoke the owner's refresh tokens and primary refresh tokens. Remove the device BEFORE revoking sessions, because device-bound PRTs survive `revokeSignInSessions`. | ||
| - Disable the account or reset credentials per policy and review for additional persistence (attacker-registered MFA methods, added owners, app registrations, or service principal credentials). | ||
| - Tighten device registration and join controls via Conditional Access (restrict who can register/join devices and require MFA for registration). | ||
| """ | ||
| references = [ | ||
| "https://any.run/malware-trends/tycoon/", | ||
| "https://www.huntress.com/blog/kali365-device-code-phishing-kit", | ||
| "https://any.run/malware-trends/kali365/", | ||
| "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/", | ||
| "https://www.ic3.gov/PSA/2026/PSA260521", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "47f1d35c-8ee2-43c9-9651-90f840a0630f" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Domain: Identity", | ||
| "Data Source: Microsoft Entra ID", | ||
| "Data Source: Microsoft Entra ID Entity Analytics", | ||
| "Use Case: Asset Visibility", | ||
| "Use Case: Threat Detection", | ||
| "Threat: Tycoon2FA", | ||
| "Threat: Kali365", | ||
| "Tactic: Persistence", | ||
| "Resources: Investigation Guide", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "new_terms" | ||
|
|
||
| query = ''' | ||
| data_stream.dataset:"entityanalytics_entra_id.device" and | ||
| event.provider:"Microsoft Entra ID" and | ||
| host.name:DESKTOP-* and host.os.version:"10.0.19045.2006" and | ||
| host.id: * | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1098" | ||
| name = "Account Manipulation" | ||
| reference = "https://attack.mitre.org/techniques/T1098/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1098.005" | ||
| name = "Device Registration" | ||
| reference = "https://attack.mitre.org/techniques/T1098/005/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0003" | ||
| name = "Persistence" | ||
| reference = "https://attack.mitre.org/tactics/TA0003/" | ||
|
|
||
| [rule.investigation_fields] | ||
| field_names = [ | ||
| "@timestamp", | ||
| "host.name", | ||
| "host.id", | ||
| "host.os.version", | ||
| "event.provider", | ||
| "entityanalytics_entra_id.device.display_name", | ||
| "entityanalytics_entra_id.device.operating_system", | ||
| "entityanalytics_entra_id.device.operating_system_version", | ||
| "entityanalytics_entra_id.device.trust_type", | ||
| "entityanalytics_entra_id.device.profile_type", | ||
| "entityanalytics_entra_id.device.is_managed", | ||
| "entityanalytics_entra_id.device.is_compliant", | ||
| "entityanalytics_entra_id.device.registration_date_time", | ||
| "entityanalytics_entra_id.device.registered_owners.user_principal_name", | ||
| "entityanalytics_entra_id.device.id", | ||
| "device.id", | ||
| ] | ||
|
|
||
| [rule.new_terms] | ||
| field = "new_terms_fields" | ||
| value = ["host.id"] | ||
| [[rule.new_terms.history_window_start]] | ||
| field = "history_window_start" | ||
| value = "now-5d" | ||
|
|
||
|
|
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are the azure.auditlogs.properties.target_resources..modified_properties..new_value position agnostic? Maybe a good idea to find an alternative using ESQL and match name to value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Position is specific to
event.actionso these will always be3and4.