
Summary
Identifies a suspicious Microsoft Entra ID (Azure AD) device registration event where the recorded cloud device OS version (CloudDeviceOSVersion) is exactly 10.0.19045.2006 and the device display name follows the default DESKTOP-* pattern. This combination is indicative of adversary-in-the-middle (AiTM) phishing kits (e.g., Tycoon2FA, Kali365) registering Azure AD-joined devices to capture a victim session and obtain a Primary Refresh Token (PRT) for persistence. In legitimate environments, Windows 10 22H2 devices typically report 10.0.19045.<revision> with non-default hostnames, so this specific 2006 build paired with a DESKTOP-* hostname is uncommon outside of kit-based provisioning. The detection looks for an Add device operation in Entra ID audit logs where the modified properties include CloudDeviceOSVersion = 10.0.19045.2006 and CloudDisplayName = DESKTOP-*. The matching event is generally initiated by the Device Registration Service and is a known persistence vector prior to token-based access or CA bypass. The rule maps to MITRE ATT&CK as Persistence via Account Manipulation, specifically Device Registration (T1098 / T1098.005). Investigation context fields highlight the relevant event details such as who initiated the registration, the target device display name, user agent strings, and correlation IDs to pivot through the full registration flow. Possible indicators include spoofed user agents (e.g., Dsreg/10.0... or python-requests/axios), unusual IP addresses or geolocations, and multiple devices registered in a short window. False positives include legitimate provisioning on unpatched or imaged hosts with the same OS build and authorized red-team engagements, which should be excluded via scoped exceptions. Remediation steps emphasize removing the device from Entra ID, revoking refresh tokens, tightening device join controls with Conditional Access, and auditing for additional persistence mechanisms or token minting across resources.
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Application Log
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.005
Created: 2026-06-29