Lateral movement

Azure AD Suspicious Device Registration

Detection overview

The “Azure AD Suspicious Device Registration” detection alerts security teams to the registration of a new device in Azure Active Directory under potentially suspicious circumstances. This detection can indicate attempts to maintain unauthorized persistence within an organization’s Azure AD environment by attackers who have already gained some level of account access.

Triggers

  • A new device has been registered to an account under suspicious circumstances. A device registered this way can give an attacker persistent access to your tenant.

Possible Root Causes

  • An attacker may have compromised an account and registered a new device in the environment to maintain continued persistence. By registering a new device in the tenant, the attacker’s ongoing access may be extended beyond the method of initial compromise.
  • A legitimate user might have registered a new personal or official work device under unexpected circumstances.

Business Impact

  • An attacker who controls a tenant-registered device can satisfy device-based sign-in and access policies without re-entering the compromised credentials, giving persistent access to cloud data and potentially to the on-premises network.

Steps to Verify

  • Review whether the location of the registration and device type aligns with the user’s expected activity.
  • Consult the available logs to determine if the activity prior to the registration is as expected.
  • Reach out to the account owner to confirm that they registered the device.
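The three verification steps above can be run as a single triage pass over the logs. The following is an added example, not the vendor's detection logic or Microsoft code: it takes constructed records shaped like Microsoft Graph directoryAudit and signIn entries, geolocates each "Add device" registration through the nearest prior sign-in from the same IP address, compares country and device OS against a per-user baseline, and flags MFA-method registration ("User registered security info") shortly before the device was added. The activity names, field layout, the hypothetical baseline, and the one-hour correlation window are all assumptions; check them against your own tenant's logs.

```python
"""Triage Azure AD device registrations against a per-user baseline.

Added example (not Vectra or Microsoft code). Records are constructed in the
shape of Microsoft Graph directoryAudit / signIn resources; a real run would
load them from the Graph API or a SIEM export instead.
"""
import json
from datetime import datetime, timedelta

# Constructed audit-log entries (Microsoft Graph directoryAudit shape, trimmed).
# "Add device" and "User registered security info" are the activity names assumed
# for device registration and MFA-method registration respectively.
AUDIT_LOGS = [
    {"activityDateTime": "2024-05-02T09:14:10Z", "activityDisplayName": "Add device",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7"}},
     "targetResources": [{"type": "Device", "displayName": "DESKTOP-ALICE",
                          "modifiedProperties": [{"displayName": "DeviceOSType", "newValue": "\"Windows\""}]}]},
    {"activityDateTime": "2024-05-02T22:41:03Z", "activityDisplayName": "User registered security info",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.23"}},
     "targetResources": [{"type": "User", "displayName": "bob@contoso.example", "modifiedProperties": []}]},
    {"activityDateTime": "2024-05-02T22:47:55Z", "activityDisplayName": "Add device",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.23"}},
     "targetResources": [{"type": "Device", "displayName": "iPhone",
                          "modifiedProperties": [{"displayName": "DeviceOSType", "newValue": "\"iOS\""}]}]},
]
# Constructed sign-in-log entries (Microsoft Graph signIn shape, trimmed). These
# carry the geolocation that audit-log entries lack.
SIGNIN_LOGS = [
    {"createdDateTime": "2024-05-02T09:13:40Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2024-05-02T22:40:12Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "RO"}},
]
# Hypothetical per-user baseline: where the user normally signs in from and what
# OS they normally use. In practice derive this from 30-90 days of sign-in history.
BASELINES = {
    "alice@contoso.example": {"countries": {"US"}, "os": {"Windows"}},
    "bob@contoso.example": {"countries": {"US"}, "os": {"Windows"}},
}
PRIOR_WINDOW = timedelta(hours=1)  # assumed correlation window for prior activity


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def device_registrations(audit_logs):
    """Yield one flat record per 'Add device' audit entry."""
    for e in audit_logs:
        if e["activityDisplayName"] != "Add device":
            continue
        actor = e["initiatedBy"]["user"]
        dev = next(t for t in e["targetResources"] if t["type"] == "Device")
        # modifiedProperties values are JSON-encoded strings in the audit log.
        os_type = next((json.loads(p["newValue"]) for p in dev["modifiedProperties"]
                        if p["displayName"] == "DeviceOSType"), "unknown")
        yield {"when": parse_ts(e["activityDateTime"]), "user": actor["userPrincipalName"],
               "ip": actor["ipAddress"], "device": dev["displayName"], "os": os_type}


def country_for(reg, signins):
    """Geolocate the registration via the nearest prior sign-in from the same IP."""
    matches = []
    for s in signins:
        delta = reg["when"] - parse_ts(s["createdDateTime"])
        if (s["userPrincipalName"] == reg["user"] and s["ipAddress"] == reg["ip"]
                and timedelta(0) <= delta <= PRIOR_WINDOW):
            matches.append((delta, s["location"]["countryOrRegion"]))
    return min(matches)[1] if matches else None


def prior_activity(reg, audit_logs):
    """Other audit activity by the same user within PRIOR_WINDOW before registration."""
    out = []
    for e in audit_logs:
        if e["initiatedBy"].get("user", {}).get("userPrincipalName") != reg["user"]:
            continue
        delta = reg["when"] - parse_ts(e["activityDateTime"])
        if timedelta(0) < delta <= PRIOR_WINDOW and e["activityDisplayName"] != "Add device":
            out.append(e["activityDisplayName"])
    return out


def triage(reg, signins, audit_logs, baselines):
    """Return the reasons this registration needs analyst review ([] = looks expected)."""
    base = baselines.get(reg["user"], {"countries": set(), "os": set()})
    reasons = []
    country = country_for(reg, signins)
    if country is None:
        reasons.append("no sign-in from registration IP %s within the window" % reg["ip"])
    elif country not in base["countries"]:
        reasons.append("registration from %s; baseline %s" % (country, sorted(base["countries"])))
    if reg["os"] not in base["os"]:
        reasons.append("device OS %s not in baseline %s" % (reg["os"], sorted(base["os"])))
    if "User registered security info" in prior_activity(reg, audit_logs):
        reasons.append("MFA method registered shortly before the device registration")
    return reasons


def triage_all(audit_logs=AUDIT_LOGS, signins=SIGNIN_LOGS, baselines=BASELINES):
    """Map 'user:device' to its list of review reasons for every registration."""
    return {"%s:%s" % (r["user"], r["device"]): triage(r, signins, audit_logs, baselines)
            for r in device_registrations(audit_logs)}


if __name__ == "__main__":
    for key, reasons in triage_all().items():
        print(key, "REVIEW" if reasons else "expected", reasons)
```

In the constructed data Alice's registration matches her baseline on every check and comes back clean, while Bob's registration is flagged three times: a sign-in country outside his baseline, a mobile OS he does not normally use, and an MFA method registered minutes earlier from the same address. The third check is the one worth keeping even when the first two are noisy; an attacker who has just taken over an account commonly adds their own authenticator before registering a device.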

Possible root causes

Malicious Detection

Attackers who gain access to an account may register their own device, which then holds its own long-lived device credentials and refresh tokens. Those tokens can satisfy device-based and MFA-based Conditional Access requirements on later sign-ins, so the attacker keeps access without re-entering the compromised credentials or re-completing Multi-Factor Authentication (MFA), while the activity blends in with the account's normal use.

Benign Detection

Legitimate users also register new devices unexpectedly, such as when they add a new work laptop or a personal phone. This is usually routine, but it looks suspicious when the location, timing, or device type departs from the user's normal pattern.

Example scenarios

1. Suspicious Location Registration

An employee's account registers a new device from a country that is unusual for the account owner's normal activity. This can indicate that an attacker with access to the account is registering a device they control to keep ongoing access.

2. Inconsistent Device Type

An account assigned to an office-based role registers a mobile device that has no apparent relation to the user's work environment, which can signal a compromised account or an unauthorized personal device.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Persistent unauthorized access

Attackers with device-level access can exploit this foothold for ongoing data exfiltration and may evade certain policy-based restrictions on account access.

Increased compliance risks

Unmonitored devices accessing Azure AD pose compliance risks, potentially violating data protection requirements if unauthorized access occurs.

Increased risk to data and cloud resources

An attacker could leverage the registered device to access sensitive applications or resources, exposing business-critical data to unauthorized parties.

Steps to investigate

MITRE ATT&CK techniques covered

FAQs

What is considered suspicious in a device registration event?

A device registered from an unfamiliar location or with an unknown device type often raises flags.

What is the first step if this detection is triggered?

First, verify the registration details against expected user activity and contact the user if any inconsistencies are found.

How can I distinguish between an employee and attacker device registration?

Analyzing the device's registration context, such as location, timing, and prior activity, helps distinguish between legitimate and unauthorized registrations.

Is there a specific log to review for more details?

Azure AD audit logs record the registration itself: the account that performed it, its source IP address, the time, and the device object that was created. Correlate them with the sign-in logs for the same account, which carry the location and device details the audit entry does not.

How often should this detection be reviewed?

Ideally, review all suspicious device registrations immediately and periodically reassess devices in Azure AD for unauthorized persistence.

How can an attacker benefit from device registration in Azure AD?

It allows attackers to establish persistence: a registered device can satisfy device-based access policies and obtain new tokens on its own, so access survives after the initial foothold (a phished session or password, for example) is gone.

Does this detection mean the account is compromised?

Not necessarily; legitimate users may sometimes trigger this detection. However, it’s important to investigate to rule out malicious activity.

Could this be triggered by a corporate device update?

Yes, if employees register new corporate devices, especially from offsite locations, this detection might be triggered.

Should I disable the device immediately?

Disabling the device without verification may disrupt legitimate user access; instead, start by confirming with the user and reviewing the registration logs. If compromise is confirmed, disable or delete the device object and revoke the account's refresh tokens so that sessions already established from the device end.

What are some other detections associated with account persistence?

Suspicious MFA registrations, trusted IP modifications, and unusual sign-ins are also indicative of account persistence efforts.