Skip to content

T1098.005 Device Registration

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.15

Similarly, an adversary with existing access to a network may register a device to Azure AD and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.427

Devices registered in Azure AD may be able to conduct Internal Spearphishing campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.6 Additionally, an adversary may be able to perform a Service Exhaustion Flood on an Azure AD tenant by registering a large number of devices.3

Item Value
ID T1098.005
Sub-techniques T1098.001, T1098.002, T1098.003, T1098.004, T1098.005
Tactics TA0003
Platforms Azure AD, SaaS, Windows
Version 1.0
Created 04 March 2022
Last Modified 20 April 2022

Procedure Examples

ID Name Description
S0677 AADInternals AADInternals can register a device to Azure AD.8
G0016 APT29 APT29 registered devices in order to enable mailbox syncing via the Set-CASMailbox command.9


ID Mitigation Description
M1032 Multi-factor Authentication Require multi-factor authentication to register devices in Azure AD.6 Configure multi-factor authentication systems to disallow enrolling new devices for inactive accounts.1


ID Data Source Data Component
DS0026 Active Directory Active Directory Object Creation
DS0015 Application Log Application Log Content
DS0002 User Account User Account Modification


Back to top