[New Rule] Microsoft Entra ID Suspicious Cloud Device Registration (#4802)

* new rule Microsoft Entra ID Suspicious Cloud Device Registration * adjusted backticks in non-ecs and rule * linted * adjusted uuid; bumped patch version
2025-07-02 10:03:08 -04:00
parent cdb346cb77
commit 016cdf2cbb
3 changed files with 124 additions and 1 deletions
@@ -196,6 +196,13 @@
    "azure.graphactivitylogs.properties.c_idtyp": "keyword",
    "azure.graphactivitylogs.properties.user_principal_object_id": "keyword",
    "azure.graphactivitylogs.properties.requestUri": "keyword"
+  },
+  "logs-azure.auditlogs-*": {
+    "azure.auditlogs.properties.target_resources.0.modified_properties.1.display_name": "keyword",
+    "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value": "keyword",
+    "azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value": "keyword",
+    "azure.auditlogs.properties.target_resources.0.modified_properties.2.new_value": "keyword",
+    "azure.auditlogs.properties.additional_details.value": "keyword"
  },
   "logs-o365.audit-*": {
     "o365.audit.ExtendedProperties.ResultStatusDetail": "keyword",
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.1"
+version = "1.3.2"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
@@ -0,0 +1,116 @@
+[metadata]
+creation_date = "2025/06/13"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/06/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects a sequence of events in Microsoft Entra ID indicative of a suspicious cloud-based device registration,
+potentially using ROADtools. This behavior involves adding a device via the Device Registration Service, followed by the
+assignment of registered users and owners — a pattern consistent with techniques used to establish persistence or
+acquire a Primary Refresh Token (PRT). ROADtools, a popular red team toolkit, often leaves distinct telemetry signatures
+such as the `Microsoft.OData.Client` user agent and specific OS version values. These sequences are uncommon in typical
+user behavior and may reflect abuse of device trust for session hijacking or silent token replay.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.auditlogs-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Microsoft Entra ID Suspicious Cloud Device Registration"
+note = """## Triage and analysis
+
+### Investigating Microsoft Entra ID Suspicious Cloud Device Registration
+
+This rule detects a sequence of Microsoft Entra ID audit events consistent with cloud device registration abuse via ROADtools or similar automation. The activity includes three correlated events:
+
+1. Add device operation from the Device Registration Service using a `Microsoft.OData.Client/*` user-agent and a known Windows OS version.
+2. Addition of a registered user with an `enterprise registration` URN.
+3. Assignment of a registered owner to the device.
+
+This pattern has been observed in OAuth phishing and PRT abuse campaigns where adversaries silently register a cloud device to obtain persistent, trusted access.
+
+### Possible investigation steps
+
+- Identify the user principal associated with the device registration.
+- Review the `azure.auditlogs.identity` field to confirm the Device Registration Service initiated the request.
+- Check for the presence of the `Microsoft.OData.Client/*` user-agent in `azure.auditlogs.properties.additional_details.value`, as this is common in ROADtools usage.
+- Confirm the OS version seen in the modified properties is expected (e.g., `10.0.19041.928`), or investigate unexpected versions.
+- Examine the URN in the new value field (`urn:ms-drs:enterpriseregistration.windows.net`) to verify it's not being misused.
+- Use `azure.correlation_id` to pivot across all three steps of the registration flow.
+- Pivot to `azure.signinlogs` to detect follow-on activity using the new device, such as sign-ins involving refresh or primary refresh tokens.
+- Look for signs of persistence or lateral movement enabled by the newly registered device.
+- Identify the registered device name by reviewing `azure.auditlogs.properties.target_resources.0.display_name` and confirm it's expected for the user or organization.
+- Use the correlation ID `azure.correlation_id` to pivot into registered user events from Entra ID audit logs and check `azure.auditlogs.properties.target_resources.0.user_principal_name` to identify the user associated with the device registration.
+- Review any activity for this user from Entra ID sign-in logs, where the incoming token type is a `primaryRefreshToken`.
+
+### False positive analysis
+
+- Some MDM or autopilot provisioning flows may generate similar sequences. Validate against known provisioning tools, expected rollout windows, and device inventory.
+- Investigate whether the device name, OS version, and registration details align with normal IT workflows.
+
+### Response and remediation
+
+- If confirmed malicious, remove the registered device from Entra ID.
+- Revoke refresh tokens and primary refresh tokens associated with the user and device.
+- Disable the user account and initiate password reset and identity verification procedures.
+- Review audit logs and sign-in activity for additional indicators of persistence or access from the rogue device.
+- Tighten conditional access policies to restrict device registration and enforce compliance or hybrid join requirements.
+"""
+references = [
+    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
+    "https://github.com/dirkjanm/ROADtools",
+]
+risk_score = 47
+rule_id = "90efea04-5675-11f0-8f80-f661ea17fbcd"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Audit Logs",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by azure.correlation_id with maxspan=1m
+[any where event.dataset == "azure.auditlogs" and
+    azure.auditlogs.identity == "Device Registration Service" and
+    azure.auditlogs.operation_name == "Add device" and
+    azure.auditlogs.properties.additional_details.value like "Microsoft.OData.Client/*" and (
+        `azure.auditlogs.properties.target_resources.0.modified_properties.1.display_name` == "CloudAccountEnabled" and
+        `azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value` == "[true]"
+    ) and
+    `azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value` like "*10.0.19041.928*"]
+[any where event.dataset == "azure.auditlogs" and
+    azure.auditlogs.operation_name == "Add registered users to device" and
+    `azure.auditlogs.properties.target_resources.0.modified_properties.2.new_value` like "*urn:ms-drs:enterpriseregistration.windows.net*"]
+[any where event.dataset == "azure.auditlogs" and
+    azure.auditlogs.operation_name == "Add registered owner to device"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.005"
+name = "Device Registration"
+reference = "https://attack.mitre.org/techniques/T1098/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+