
Summary
Detects a canonical post-AiTM Entra ID identity-compromise chain by correlating three events for the same user within a short window: (1) a non-interactive sign-in via the Microsoft Authentication Broker (MAB) client to the Device Registration Service (DRS) with an unbound session token; (2) a successful "Register device" audit event for an Azure AD-joined device (e.g., DESKTOP-*) initiated by the same user; (3) an interactive sign-in using a primaryRefreshToken (PRT) to a resource other than DRS from an unmanaged device. This sequence indicates a threat actor captured a session, registered a device to obtain a device-bound PRT, and leveraged it for durable, MFA-free access. The rule maps to MITRE techniques for persistence and credential access, and leverages Azure AD sign-in and audit logs to provide high-fidelity detection beyond benign device onboarding or red-team activity. False positives are possible with legitimate Azure AD join or security assessments, which should be scoped and investigated. Recommended containment and hardening revolve around removing rogue devices, revoking tokens, and tightening device registration controls.
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Application Log
- Cloud Service
ATT&CK Techniques
- T1078
- T1078.004
- T1098
- T1098.005
- T1550
- T1550.001
- T1528
Created: 2026-06-29