heroui logo

Entra ID Phishing Kit Default OS Build (Entity Analytics)

Elastic Detection Rules

View Source
Summary
Detects the first observed Microsoft Entra ID (Azure AD) device in the Entra ID Entity Analytics device inventory that matches a frozen default fingerprint: host.name begins with DESKTOP- and host.os.version equals 10.0.19045.2006. This fingerprint has been associated with AI-driven phishing kits (e.g., Tycoon2FA, Kali365) that register Azure AD–joined devices to obtain a Primary Refresh Token (PRT) and establish persistence. The rule is implemented as a new_terms detector that fires on the first occurrence of a device matching this fingerprint within the last 6 hours, querying the entity analytics device data stream (entityanalytics_entra_id.device) for Microsoft Entra ID as the event provider, with host.name: DESKTOP-* and host.os.version: 10.0.19045.2006. This is designed to surface rogue devices typically observed during initial kit activity rather than real-time registrations. The detection emphasizes asset visibility and potential persistence vectors tied to device registration.
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • Active Directory
  • Application Log
ATT&CK Techniques
  • T1098
  • T1098.005
Created: 2026-06-29