Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.
MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account.(Citation: Mandiant APT29 Microsoft 365 2022)
Similarly, an adversary with existing access to a network may register a device to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)
Devices registered in Entra ID may be able to conduct Internal Spearphishing campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a Service Exhaustion Flood on an Entra ID tenant by registering a large number of devices.(Citation: AADInternals - BPRT)
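Two of the behaviours described above lend themselves to simple detection logic: a device enrolled shortly after the same account's password or MFA method changed (the compromise-then-enroll sequence), and one principal registering many devices in a short window (the registration flood). The following is an added example, not code from ATT&CK or Microsoft, run over constructed audit events; the field names `time`, `actor`, `op` and `device` and the operation strings are assumptions for the example, not a real Entra ID or MFA-provider audit-log schema.

```python
# Added detection sketch for T1098.005 over constructed audit events; the field
# names used here are assumptions, not a real Entra ID or MFA-provider schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ISO-8601 UTC); the last 25 simulate one principal
# enrolling many devices within seconds, the pattern behind a registration flood.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "actor": "alice@example.com", "op": "Reset password"},
    {"time": "2024-03-01T09:04:00", "actor": "alice@example.com", "op": "Register device", "device": "DESKTOP-01"},
    {"time": "2024-03-01T10:00:00", "actor": "bob@example.com", "op": "Register device", "device": "LAPTOP-07"},
] + [
    {"time": f"2024-03-01T11:00:{s:02d}", "actor": "svc-enroll@example.com",
     "op": "Register device", "device": f"DEV-{s:02d}"} for s in range(25)
]
CREDENTIAL_CHANGE_OPS = {"Reset password", "Register MFA method", "Update MFA method"}
REGISTER_OP = "Register device"

def registrations_after_credential_change(events, window=timedelta(minutes=30)):
    """(actor, device) pairs enrolled within `window` after that actor's password or MFA change."""
    changes = defaultdict(list)
    for e in events:
        if e["op"] in CREDENTIAL_CHANGE_OPS:
            changes[e["actor"]].append(datetime.fromisoformat(e["time"]))
    hits = []
    for e in events:
        if e["op"] == REGISTER_OP:
            t = datetime.fromisoformat(e["time"])
            # Only a change that precedes the enrolment by at most `window` counts.
            if any(timedelta(0) <= t - c <= window for c in changes[e["actor"]]):
                hits.append((e["actor"], e["device"]))
    return hits

def registration_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Actors registering more than `threshold` devices inside any sliding `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["op"] == REGISTER_OP:
            by_actor[e["actor"]].append(datetime.fromisoformat(e["time"]))
    flagged = []
    for actor, times in sorted(by_actor.items()):
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(actor)
                break
    return flagged
```

Thresholds and windows are tuning knobs: a help desk that resets a password and immediately enrolls a replacement phone will trip the first check, so the output is a triage queue, not a verdict.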
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1098.005 | Device Registration | This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse. |
PR.AA-05.02 | Privileged system access | Mitigates | T1098.005 | Device Registration | This diagnostic statement protects against Device Registration through the use of privileged account management and the use of multi-factor authentication. |
PR.AA-02.01 | Authentication of identity | Mitigates | T1098.005 | Device Registration | This diagnostic statement provides protection from Account Manipulation through the implementation of privileged account management controls to limit credential access. Employing limitations to specific accounts, access control mechanisms, and auditing the attribution logs provides protection against adversaries attempting to modify accounts. |
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1098.005 | Device Registration | This diagnostic statement protects against Account Manipulation through the use of revocation of keys and key management. Employing limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to register devices. |
PR.AA-03.01 | Authentication requirements | Mitigates | T1098.005 | Device Registration | This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1098.005 | Device Registration | This diagnostic statement protects against Device Registration through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1098.005 | Device Registration | |
CM-05 | Access Restrictions for Change | mitigates | T1098.005 | Device Registration | |
AC-20 | Use of External Systems | mitigates | T1098.005 | Device Registration | |
AC-02 | Account Management | mitigates | T1098.005 | Device Registration | |
AC-03 | Access Enforcement | mitigates | T1098.005 | Device Registration | |
AC-05 | Separation of Duties | mitigates | T1098.005 | Device Registration | |
AC-06 | Least Privilege | mitigates | T1098.005 | Device Registration | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1098.005 | Device Registration | Google Security Operations is able to trigger an alert based on changes to account device registrations. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1098.005 | Device Registration | The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure multi-factor authentication (MFA) is enabled properly, which can provide protection against attempted device registration: "iam-user-mfa-enabled", "mfa-enabled-for-iam-console-access", "root-account-hardware-mfa-enabled", and "root-account-mfa-enabled". All of these controls are run periodically and provide partial coverage, since adversaries may be able to register devices via other mechanisms, resulting in an overall score of Partial. |
aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1098.005 | Device Registration | The IAM MFA fields can provide data on device registration to help detect unexpected registrations. |
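The AWS Config rules named above can also be evaluated offline against an IAM credential report, which is one source of the "IAM MFA fields" the second row refers to. The following is an added example, not AWS code: the report is constructed for the example, the column names follow the real credential-report CSV (`user`, `password_enabled`, `mfa_active`), and "root-account-hardware-mfa-enabled" is left out because the report does not distinguish hardware from virtual MFA.

```python
# Added example: evaluate a constructed IAM credential report against the checks
# behind three of the AWS Config rules listed above (not AWS's own code).
import csv
import io

# Constructed credential report (a subset of the real report's columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T08:00:00+00:00,false
alice,arn:aws:iam::123456789012:user/alice,2021-05-02T00:00:00+00:00,true,2024-02-28T09:00:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,2022-07-09T00:00:00+00:00,true,2024-03-01T07:30:00+00:00,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-01-15T00:00:00+00:00,false,no_information,false
"""

def evaluate_mfa_rules(report_csv):
    """Map each rule name to the principals that would be NON_COMPLIANT under it."""
    findings = {
        "iam-user-mfa-enabled": [],               # every IAM user must have MFA
        "mfa-enabled-for-iam-console-access": [], # users with a console password must have MFA
        "root-account-mfa-enabled": [],           # the root user must have MFA
    }
    for row in csv.DictReader(io.StringIO(report_csv)):
        mfa = row["mfa_active"] == "true"
        if row["user"] == "<root_account>":
            if not mfa:
                findings["root-account-mfa-enabled"].append(row["user"])
            continue  # the root row is not an IAM user
        if not mfa:
            findings["iam-user-mfa-enabled"].append(row["user"])
            if row["password_enabled"] == "true":
                findings["mfa-enabled-for-iam-console-access"].append(row["user"])
    return findings
```

A user such as `deploy-bot` that has no console password fails only the broader rule, which is why the two user-level rules are scored separately.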