T1098.005 Device Registration

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)

Similarly, an adversary with existing access to a network may register a device to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)

Devices registered in Entra ID may be able to conduct Internal Spearphishing campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a Service Exhaustion Flood on an Entra ID tenant by registering a large number of devices.(Citation: AADInternals - BPRT)


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.005 | Device Registration
  Comments: This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.

PR.AA-05.02 | Privileged system access | Mitigates | T1098.005 | Device Registration
  Comments: This diagnostic statement protects against Device Registration through the use of privileged account management and the use of multi-factor authentication.

PR.AA-02.01 | Authentication of identity | Mitigates | T1098.005 | Device Registration
  Comments: This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts.

PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098.005 | Device Registration
  Comments: This diagnostic statement protects against Account Manipulation through the use of key revocation and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to register devices.

PR.AA-03.01 | Authentication requirements | Mitigates | T1098.005 | Device Registration
  Comments: This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators such as PINs and passwords to protect sensitive access credentials.

PR.AA-01.01 | Identity and credential management | Mitigates | T1098.005 | Device Registration
  Comments: This diagnostic statement protects against Device Registration through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

CM-06 | Configuration Settings | mitigates | T1098.005 | Device Registration
CM-05 | Access Restrictions for Change | mitigates | T1098.005 | Device Registration
AC-20 | Use of External Systems | mitigates | T1098.005 | Device Registration
AC-02 | Account Management | mitigates | T1098.005 | Device Registration
AC-03 | Access Enforcement | mitigates | T1098.005 | Device Registration
AC-05 | Separation of Duties | mitigates | T1098.005 | Device Registration
AC-06 | Least Privilege | mitigates | T1098.005 | Device Registration

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

google_secops | Google Security Operations | technique_scores | T1098.005 | Device Registration
  Comments: Google Security Operations is able to trigger an alert based on changes to an account's device registrations.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

aws_config | AWS Config | technique_scores | T1098.005 | Device Registration
  Comments: The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted device registration: "iam-user-mfa-enabled", "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", and "root-account-mfa-enabled". All of these controls are run periodically and provide partial coverage, since adversaries may be able to register devices via other mechanisms, resulting in an overall score of Partial.

aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1098.005 | Device Registration
  Comments: The IAM MFA fields (the MFA devices associated with each user, as returned by iam:ListMFADevices and reflected in the credential report's mfa_active column) can provide data on device registration to help detect unexpected registrations.
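The AWS Config rules above only say whether MFA is on; they do not tell you who enrolled a device or whether the enrolling session itself passed MFA, which is the password-only self-enrollment window described earlier on this page. The following is an added example, not code from the mappings page, AWS, or MITRE. It reviews CloudTrail IAM events that change a user's MFA device set and diffs the devices currently attached to each user (the "IAM MFA fields" from iam:ListMFADevices) against a known-good baseline. The event field names follow the CloudTrail record format; the user names, ARNs, timestamps and the baseline are constructed sample data, and the "trusted admins" allow-list is an assumption about who may legitimately enroll devices for others.

```python
"""Flag suspicious IAM MFA device registrations from CloudTrail records.

Added example; not from the original mappings page, AWS, or MITRE.
All records, user names, ARNs and the baseline below are constructed.
"""
from dataclasses import dataclass

# IAM API calls that add or remove a user's MFA devices.
MFA_ENROLL_EVENTS = {"EnableMFADevice", "CreateVirtualMFADevice"}
MFA_REMOVE_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}


@dataclass(frozen=True)
class Finding:
    event_time: str
    event_name: str
    actor: str
    target_user: str
    severity: str  # "info" or "high"
    reason: str


def actor_of(record):
    ident = record.get("userIdentity", {})
    return "root" if ident.get("type") == "Root" else ident.get("userName") or ident.get("arn", "unknown")


def session_was_mfa_authenticated(record):
    # Console/STS sessions carry sessionContext.attributes.mfaAuthenticated as "true"/"false".
    # Calls made with long-lived access keys have no session context at all; treating
    # that as "not MFA-authenticated" is the conservative choice.
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def target_user_of(record):
    # EnableMFADevice / DeactivateMFADevice name the affected user in requestParameters.
    # CreateVirtualMFADevice only names the device; the user is bound later by
    # EnableMFADevice, so attribute it to the caller.
    return (record.get("requestParameters") or {}).get("userName") or actor_of(record)


def review_mfa_events(records, baseline, trusted_admins=frozenset()):
    """baseline: {userName: set(MFA serial ARNs)} known before this batch of events."""
    findings = []
    for r in records:
        name = r.get("eventName")
        if r.get("eventSource") != "iam.amazonaws.com" or not (name in MFA_ENROLL_EVENTS or name in MFA_REMOVE_EVENTS):
            continue
        actor, target = actor_of(r), target_user_of(r)
        if name in MFA_REMOVE_EVENTS:
            findings.append(Finding(r["eventTime"], name, actor, target, "high", "existing MFA device removed"))
            continue
        if actor != target and actor not in trusted_admins:
            findings.append(Finding(r["eventTime"], name, actor, target, "high",
                                    "device enrolled on another user's account"))
        if not session_was_mfa_authenticated(r):
            # A user's first device is necessarily enrolled without MFA: expected during
            # onboarding, but also exactly the window an attacker with only a password uses.
            # An extra device enrolled with password only has no benign explanation.
            if baseline.get(target) or actor == "root":
                findings.append(Finding(r["eventTime"], name, actor, target, "high",
                                        "additional device enrolled with password only"))
            else:
                findings.append(Finding(r["eventTime"], name, actor, target, "info",
                                        "first device enrolled with password only; verify against onboarding"))
    return findings


def new_mfa_devices(current, baseline):
    """Diff per-user MFA serials (as iam:ListMFADevices reports them) against a baseline."""
    out = {}
    for user, serials in current.items():
        added = sorted(set(serials) - set(baseline.get(user, ())))
        if added:
            out[user] = added
    return out


def _iam_user(name, mfa):  # constructed userIdentity for a console session
    return {"type": "IAMUser", "userName": name,
            "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}}


def _event(time, name, ident, params):  # constructed CloudTrail record
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": ident, "requestParameters": params}


ACCT = "arn:aws:iam::123456789012:mfa/"
SAMPLE_BASELINE = {"bob": {ACCT + "bob"}}
SAMPLE_CURRENT = {"alice": {ACCT + "alice"}, "bob": {ACCT + "bob", ACCT + "bob-phone2"}}
SAMPLE_EVENTS = [
    _event("2024-05-01T08:02:11Z", "EnableMFADevice", _iam_user("alice", "false"),
           {"userName": "alice", "serialNumber": ACCT + "alice"}),          # onboarding: info
    _event("2024-05-01T09:14:03Z", "EnableMFADevice", _iam_user("bob", "false"),
           {"userName": "bob", "serialNumber": ACCT + "bob-phone2"}),       # 2nd device, no MFA: high
    _event("2024-05-01T09:30:00Z", "EnableMFADevice", _iam_user("admin-carol", "true"),
           {"userName": "dave", "serialNumber": ACCT + "dave"}),            # trusted admin: nothing
    _event("2024-05-01T10:05:42Z", "EnableMFADevice", _iam_user("eve", "true"),
           {"userName": "frank", "serialNumber": ACCT + "frank"}),          # cross-user: high
    _event("2024-05-01T10:06:10Z", "DeactivateMFADevice", _iam_user("bob", "false"),
           {"userName": "bob", "serialNumber": ACCT + "bob"}),              # removal: high
    _event("2024-05-01T10:07:00Z", "ListUsers", _iam_user("bob", "false"), {}),  # ignored
]

if __name__ == "__main__":
    for f in review_mfa_events(SAMPLE_EVENTS, SAMPLE_BASELINE, frozenset({"admin-carol"})):
        print(f"{f.severity:4} {f.event_time} {f.event_name:20} {f.actor} -> {f.target_user}: {f.reason}")
    print("new devices since baseline:", new_mfa_devices(SAMPLE_CURRENT, SAMPLE_BASELINE))
```

The first-device case is deliberately reported at "info" rather than suppressed: it is the normal onboarding flow, but it is also the exact gap the page describes, so it belongs in a review queue correlated with account creation time, source IP and the account's recent activity rather than in a pager alert. Feeding real data means pointing the functions at CloudTrail events from an S3 export or CloudWatch Logs and at a periodic iam:ListMFADevices snapshot stored as the baseline.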