
Summary
Detects the first observed Microsoft Entra ID (Azure AD) device in the Entra ID Entity Analytics device inventory that matches a frozen default fingerprint: host.name begins with DESKTOP- and host.os.version equals 10.0.19045.2006. This fingerprint has been associated with AI-driven phishing kits (e.g., Tycoon2FA, Kali365) that register Azure AD–joined devices to obtain a Primary Refresh Token (PRT) and establish persistence. The rule is implemented as a new_terms detector that fires on the first occurrence of a device matching this fingerprint within the last 6 hours, querying the entity analytics device data stream (entityanalytics_entra_id.device) for Microsoft Entra ID as the event provider, with host.name: DESKTOP-* and host.os.version: 10.0.19045.2006. This is designed to surface rogue devices typically observed during initial kit activity rather than real-time registrations. The detection emphasizes asset visibility and potential persistence vectors tied to device registration.
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Active Directory
- Application Log
ATT&CK Techniques
- T1098
- T1098.005
Created: 2026-06-29