Skip to content

[New Rule] Entra ID Device Registration with Phishing Kit Default OS Build#6354

Merged
terrancedejesus merged 6 commits into
mainfrom
new-rule/entra-id-tycoon-kali365-default-os-build
Jul 7, 2026
Merged

[New Rule] Entra ID Device Registration with Phishing Kit Default OS Build#6354
terrancedejesus merged 6 commits into
mainfrom
new-rule/entra-id-tycoon-kali365-default-os-build

Conversation

@terrancedejesus

@terrancedejesus terrancedejesus commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Pull Request

Issue link(s):

Summary - What I changed

Adds specific detections for Kali365 & Tycoon phishing kits related to default OS build that is used to register virtual devices prior to PRT request. Used in all instances from dynamic testing.

Screenshot 2026-06-29 at 2 49 37 PM Screenshot 2026-06-29 at 2 48 51 PM

How To Test

Query can be used in TRADE stack. No hits in other telemetry.

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@tradebot-elastic

tradebot-elastic commented Jun 29, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Entra ID Phishing Kit Default OS Build (Entity Analytics) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Device Registration with Phishing Kit Default OS Build (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Jun 29, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Entra ID Phishing Kit Default OS Build (Entity Analytics) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Device Registration with Phishing Kit Default OS Build (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@github-actions

Copy link
Copy Markdown
Contributor

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

@terrancedejesus terrancedejesus changed the title [New Rule] Entra ID Device Registration with Phishing Kit Default OSBuild [New Rule] Entra ID Device Registration with Phishing Kit Default OS Build Jun 29, 2026
@tradebot-elastic

tradebot-elastic commented Jun 29, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Entra ID Phishing Kit Default OS Build (Entity Analytics) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Device Registration with Phishing Kit Default OS Build (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Comment on lines +95 to +97
data_stream.dataset:"azure.auditlogs" and event.action:"Add device" and
azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value:*10.0.19045.2006* and
azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value:*DESKTOP-*

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are the azure.auditlogs.properties.target_resources..modified_properties..new_value position agnostic? Maybe a good idea to find an alternative using ESQL and match name to value.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Position is specific to event.action so these will always be 3 and 4.

@django-88 django-88 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very cool, was nice to read through it!

Copilot AI review requested due to automatic review settings July 7, 2026 13:40
@tradebot-elastic

tradebot-elastic commented Jul 7, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Entra ID Phishing Kit Default OS Build (Entity Analytics) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Device Registration with Phishing Kit Default OS Build (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds two new Microsoft Entra ID detections aimed at identifying device registrations consistent with AiTM phishing kit behavior (Tycoon2FA / Kali365), focusing on a “frozen” default OS build (10.0.19045.2006) combined with default DESKTOP- naming.

Changes:

  • Added an Azure Audit Logs rule to detect Add device events where CloudDeviceOSVersion and CloudDisplayName match the phishing-kit default fingerprint.
  • Added an Entity Analytics (device inventory) new-terms rule to alert on the first observed device matching the same fingerprint.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
rules/integrations/entityanalytics_entra_id/persistence_entra_id_device_phishing_kit_default_os_build.toml New-terms “first seen” detection in Entra ID Entity Analytics device inventory for the default OS build + DESKTOP-* naming pattern.
rules/integrations/azure/persistence_entra_id_phishing_kit_default_os_build_device_registration.toml Real-time (audit log) detection for device registration (Add device) events matching the same OS build + display name pattern.

@terrancedejesus terrancedejesus requested a review from bryans3c July 7, 2026 13:55
@tradebot-elastic

tradebot-elastic commented Jul 7, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Entra ID Phishing Kit Default OS Build (Entity Analytics) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Device Registration with Phishing Kit Default OS Build (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Jul 7, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Entra ID Phishing Kit Default OS Build (Entity Analytics) (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Entra ID Device Registration with Phishing Kit Default OS Build (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@terrancedejesus terrancedejesus merged commit 678ff0a into main Jul 7, 2026
13 checks passed
@terrancedejesus terrancedejesus deleted the new-rule/entra-id-tycoon-kali365-default-os-build branch July 7, 2026 18:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants