AN0104: Analytic 0104
Adversary registers a Windows device to Entra ID or bypasses conditional access by adding device via Intune registration pipeline using stolen credentials.
Analyst context for executives and security teams
This analytic matters because device registration can turn stolen credentials into broader access: if an attacker can register a Windows device to Entra ID or use the Intune registration pipeline, conditional access decisions may treat the session as more trusted than it really is. For leaders, the issue is not only password compromise; it is whether identity, device trust, and endpoint enrollment controls can be abused together.
Executive priority
Prioritize validation of device registration governance, conditional access assumptions, and auditability around Entra ID and Intune enrollment. The key business question is whether the organization can prove who registered a Windows device, from where, under what policy, and whether that registration changed access to sensitive applications. This supports incident response readiness, identity security, compliance evidence, and resilience against credential-based access abuse.
Technical view
SOC, identity, cloud, and endpoint teams should validate monitoring around Windows device registration to Entra ID and Intune enrollment activity, especially where registration follows suspicious credential use or occurs from unexpected users, locations, devices, or timing. Because ATT&CK provides no official detection logic for this analytic, teams should derive local detection from identity audit logs, device enrollment records, conditional access evaluation data, and endpoint context. Detection should focus on unusual or unauthorized device-add events and whether those events correlate with successful access that depends on device trust.
Likely telemetry
- Entra ID audit logs for device registration or device add events
- Intune device enrollment and registration records
- Conditional access evaluation and sign-in logs
- User authentication logs, including successful sign-ins around enrollment time
- Windows endpoint inventory or management status for newly registered devices
Detection direction
- Confirm that device registration and Intune enrollment events are collected, retained, and searchable for Windows devices.
- Correlate new device registration with user sign-in context, conditional access outcomes, and subsequent access to protected resources.
- Baseline expected enrollment patterns by user population, geography, device ownership model, and help desk process to reduce false positives.
- Investigate registrations using accounts with unusual authentication patterns, newly compromised credentials, or access from unexpected locations.
- Validate whether conditional access policies distinguish between merely registered devices and devices that are compliant, managed, or otherwise trusted.
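The correlation described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or the Glexia page: it joins constructed Windows device-registration audit events to the same user's sign-ins inside a short window and flags registrations that follow an unbaselined location, a risky sign-in, or no sign-in at all. The record fields (`activity`, `country`, `ca_status`, `risk`) are a simplified assumption, not the exact Entra ID export schema.

```python
"""Correlate Entra ID device registrations with the sign-ins that preceded them.

Added example (not MITRE's or Glexia's code). Field names are a constructed,
simplified stand-in for Entra ID audit/sign-in log exports; map them to your own.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs.
AUDIT_EVENTS = [
    {"time": "2026-03-01T09:02:00", "activity": "Add device",
     "user": "alice@contoso.example", "device": "LAPTOP-ALICE"},
    {"time": "2026-03-01T23:41:00", "activity": "Add device",
     "user": "bob@contoso.example", "device": "DESKTOP-7Q1"},
]
SIGN_INS = [
    {"time": "2026-03-01T08:58:00", "user": "alice@contoso.example",
     "country": "GB", "ca_status": "success", "risk": "none"},
    {"time": "2026-03-01T23:38:00", "user": "bob@contoso.example",
     "country": "BR", "ca_status": "success", "risk": "medium"},
]
# Per-user set of countries seen over a baseline period (constructed).
BASELINE_COUNTRIES = {"alice@contoso.example": {"GB"},
                      "bob@contoso.example": {"GB", "IE"}}


def _ts(s):
    return datetime.fromisoformat(s)


def flag_registrations(audit, sign_ins, baseline, window=timedelta(minutes=30)):
    """Return (device, user, reasons) for each registration that looks anomalous."""
    findings = []
    for ev in audit:
        if ev["activity"] != "Add device":
            continue
        t = _ts(ev["time"])
        # Sign-ins by the same user in the window just before the registration.
        prior = [s for s in sign_ins
                 if s["user"] == ev["user"]
                 and timedelta(0) <= t - _ts(s["time"]) <= window]
        reasons = []
        if not prior:
            reasons.append("no correlated sign-in")  # registration without visible auth context
        for s in prior:
            if s["country"] not in baseline.get(ev["user"], set()):
                reasons.append(f"sign-in from unbaselined country {s['country']}")
            if s["risk"] not in ("none", "low"):
                reasons.append(f"sign-in risk {s['risk']}")
        if not 7 <= t.hour < 19:  # assumed business hours; tune per population
            reasons.append("registration outside business hours")
        if reasons:
            findings.append((ev["device"], ev["user"], reasons))
    return findings
```

Every flagged registration should then be checked against conditional access outcomes to see whether the new device state actually changed what the account could reach.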
Mitigation priorities
- Review who is allowed to register devices and whether enrollment permissions align with business need.
- Harden conditional access so sensitive access does not rely on weak or easily obtained device registration state alone.
- Require strong authentication and appropriate enrollment controls for device registration workflows.
- Monitor and periodically audit newly registered Windows devices, stale devices, and devices without expected management posture.
- Document device registration evidence requirements for incident response and compliance reviews.
Analyst notes and limits
This take is based on the supplied ATT&CK analytic AN0104, which describes adversary registration of a Windows device to Entra ID or bypass of conditional access through the Intune registration pipeline using stolen credentials. The object has no supplied tactic, no official detection text, and no relationship context, so the defensive guidance is framed as validation direction rather than a confirmed ATT&CK detection pattern.
No relationships, procedure examples, mitigations, detections, or active exploitation claims were supplied. Local Entra ID, Intune, conditional access, and Windows management architecture will determine what telemetry exists and what constitutes suspicious registration behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ef020c395e7d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0104 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.