MITRE ATT&CK® Detection Strategy

DET0036: Suspicious Device Registration via Entra ID or MFA Platform


Enterprise · DET0036 · Detection Strategy · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Suspicious device registration in Entra ID or an MFA platform matters because a compromised account becomes far more durable once an attacker enrolls a device they control: the device can satisfy MFA prompts and device-compliance checks long after the original credential theft is cleaned up. ATT&CK maps this detection strategy to T1098.005 Device Registration, a sub-technique of Account Manipulation used for persistence and privilege escalation, in which an adversary enrolls a device through an MFA service, identity provider, or device-management enrollment workflow.

Executive priority

Treat this as an identity-control validation issue, not only a SOC alert. Leaders should ask three questions: can the organization prove who registered each new authentication or managed device, are those events reviewed quickly, and can incident responders revoke a suspicious device registration during account-compromise response. The answers matter for business continuity because MFA and device compliance are routinely relied on as compensating controls for remote access and privileged workflows; an attacker-owned registered device quietly defeats both.

Technical view

The supplied ATT&CK object has no official detection text or platform list, but its name and its relationship to T1098.005 indicate that the focus is device registration through Entra ID or MFA-related platforms. SOC and identity teams should first validate visibility into three event classes: Entra device registration and join, MFA method and device enrollment, and device-management enrollment. Each should then be correlated with the same user's sign-in context (source IP, location, client, and sign-in risk) and account-risk state. Detection engineering should concentrate on new device registration shortly after a suspicious or risky authentication, unusual user and device combinations, and enrollment activity inconsistent with the user's history, while recognizing that legitimate device replacement, help desk enrollment, and onboarding produce the same raw events and must be tuned out rather than ignored.

Likely telemetry

  • Entra ID audit and sign-in logs related to device registration or device join activity
  • MFA platform enrollment and device association events
  • Identity provider authentication logs for the affected user account
  • Device management or compliance enrollment records where applicable
  • User, device, and administrative change audit trails needed to confirm who initiated registration and when

Detection direction

  • Confirm that device registration and MFA enrollment events are collected centrally and retained for investigation.
  • Correlate new device registrations and MFA enrollments with the same account's recent authentication activity: a risky or anomalous sign-in, a source IP or country the user has never used, or a password reset or MFA change shortly before the registration are the strongest indicators that the enrollment serves persistence or privilege escalation rather than a legitimate device change.
  • Tune for expected business processes such as device refresh, help desk enrollment, and new-hire onboarding to reduce false positives.
  • Validate that analysts can distinguish a legitimate user-owned device from an unexpected or adversary-controlled device using available identity, device, and audit context.
  • Use the T1098.005 relationship to prioritize this detection in account-compromise and MFA-bypass investigation playbooks.
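
The correlation described in the telemetry and detection-direction lists above, as an added example that is not part of the Glexia page, of ATT&CK, or of any vendor product. The sample sign-in and audit records are constructed; their field names only loosely follow the Entra ID SigninLogs and AuditLogs schema, the audit activity labels and the help-desk allowlist are assumptions, and the 24-hour lookback and 30-day baseline are illustrative thresholds.

```python
"""Correlate Entra ID device-registration and MFA-enrollment audit events with
the enrolling user's recent sign-in context.

Added example. SAMPLE_SIGNINS and SAMPLE_AUDITS are constructed records whose
field names only loosely follow the Entra ID SigninLogs / AuditLogs schema;
check them against your own tenant's export before reusing the logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Audit activities that enroll a device or an authentication method.
# Labels approximate Entra ID audit activity names (assumption); extend per tenant.
REGISTRATION_OPS = {"Add device", "Add registered owner to device",
                    "User registered security info"}
# Accounts expected to enroll devices for others (help desk, provisioning).
# Hypothetical allowlist for the example; derive yours from the real process.
ENROLLMENT_ALLOWLIST = {"helpdesk-enroll@example.com"}
LOOKBACK = timedelta(hours=24)   # window searched for risky sign-ins
BASELINE = timedelta(days=30)    # history used to learn known IPs and countries
RISKY_LEVELS = {"medium", "high"}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate_registrations(signins, audits):
    """Return one finding per registration event that is inconsistent with the
    enrolling user's sign-in history. Each finding carries reason codes."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["UserPrincipalName"].lower()].append(s)

    findings = []
    for a in audits:
        if a["OperationName"] not in REGISTRATION_OPS:
            continue
        actor = a["InitiatedBy"]["user"]
        upn = actor["userPrincipalName"].lower()
        if upn in ENROLLMENT_ALLOWLIST:
            continue  # expected help-desk or provisioning enrollment
        t = _ts(a["TimeGenerated"])
        recent, baseline = [], []
        for s in by_user.get(upn, []):
            st = _ts(s["TimeGenerated"])
            if t - LOOKBACK <= st <= t:
                recent.append(s)
            elif t - BASELINE <= st < t - LOOKBACK:
                baseline.append(s)

        reasons = []
        if any(s["RiskLevelDuringSignIn"] in RISKY_LEVELS for s in recent):
            reasons.append("risky_signin_in_lookback")
        if baseline:
            ok = [s for s in baseline if s["ResultType"] == "0"]  # successful only
            known_ips = {s["IPAddress"] for s in ok}
            known_countries = {s["Location"]["countryOrRegion"] for s in ok}
            if actor["ipAddress"] not in known_ips:
                reasons.append("new_source_ip")
            # Audit events carry no geolocation; borrow it from the recent
            # sign-in made from the same IP as the registration.
            reg_country = next((s["Location"]["countryOrRegion"] for s in recent
                                if s["IPAddress"] == actor["ipAddress"]), None)
            if reg_country and reg_country not in known_countries:
                reasons.append("new_country")
        else:
            reasons.append("no_signin_baseline")  # new hire or dormant account

        if not reasons:
            continue
        if "risky_signin_in_lookback" in reasons or {"new_source_ip", "new_country"} <= set(reasons):
            severity = "high"
        elif reasons == ["no_signin_baseline"]:
            severity = "low"
        else:
            severity = "medium"
        findings.append({"user": upn, "operation": a["OperationName"],
                         "time": a["TimeGenerated"], "ip": actor["ipAddress"],
                         "reasons": reasons, "severity": severity})
    return findings


def _signin(upn, when, ip, country, risk="none", result="0"):
    return {"UserPrincipalName": upn, "TimeGenerated": when, "IPAddress": ip,
            "Location": {"countryOrRegion": country},
            "RiskLevelDuringSignIn": risk, "ResultType": result}


def _audit(op, when, actor_upn, ip, target):
    return {"OperationName": op, "TimeGenerated": when,
            "InitiatedBy": {"user": {"userPrincipalName": actor_upn, "ipAddress": ip}},
            "TargetResources": [{"displayName": target}]}


SAMPLE_SIGNINS = [  # constructed sample data
    _signin("alice@example.com", "2026-01-01T09:00:00Z", "203.0.113.10", "US"),
    _signin("alice@example.com", "2026-01-08T09:00:00Z", "203.0.113.10", "US"),
    _signin("alice@example.com", "2026-01-15T08:00:00Z", "198.51.100.7", "NL", risk="high"),
    _signin("bob@example.com", "2026-01-03T09:00:00Z", "203.0.113.20", "US"),
    _signin("bob@example.com", "2026-01-15T09:30:00Z", "203.0.113.20", "US"),
    _signin("dave@example.com", "2026-01-15T08:30:00Z", "203.0.113.30", "US"),
]
SAMPLE_AUDITS = [  # constructed sample data
    _audit("Add device", "2026-01-15T10:00:00Z", "alice@example.com", "198.51.100.7", "DESKTOP-7Q2K1"),
    _audit("User registered security info", "2026-01-15T09:45:00Z", "bob@example.com", "203.0.113.20", "bob@example.com"),
    _audit("Add registered owner to device", "2026-01-15T11:00:00Z", "helpdesk-enroll@example.com", "203.0.113.5", "LAPTOP-CAROL"),
    _audit("Add device", "2026-01-15T09:00:00Z", "dave@example.com", "203.0.113.30", "LAPTOP-DAVE"),
    _audit("Update user", "2026-01-15T09:10:00Z", "alice@example.com", "198.51.100.7", "alice@example.com"),
]

if __name__ == "__main__":
    for f in correlate_registrations(SAMPLE_SIGNINS, SAMPLE_AUDITS):
        print(f["severity"].upper(), f["user"], f["operation"], ",".join(f["reasons"]))
```

Run against the sample, alice's "Add device" is surfaced as high severity (risky sign-in in the lookback, new IP, new country), bob's MFA enrollment from his usual address produces no finding, the help-desk enrollment for carol is suppressed by the allowlist, and dave's registration with no sign-in history lands as a low-severity "no baseline" finding. That last path is where new-hire onboarding noise collects; route it to a review queue rather than a pager. In a Sentinel or Defender deployment the same join would be expressed in KQL across SigninLogs and AuditLogs, with the thresholds tuned to the tenant's device-refresh cadence.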

Mitigation priorities

  • Review identity and MFA enrollment policies to ensure device registration is controlled, auditable, and appropriate for account risk.
  • Require strong administrative review or conditional controls for sensitive users and privileged accounts where device registration changes occur.
  • Ensure incident response procedures include revoking suspicious registered devices and reviewing related MFA or device-management associations.
  • Maintain audit evidence for device registration governance to support compliance and post-incident review.
  • Periodically test whether SOC and IAM teams can detect, investigate, and remediate unauthorized device enrollment end to end.

Analyst notes and limits

This take is based on the detection strategy name, the MITRE external reference DET0036, and its relationship to T1098.005 Device Registration. The related technique is mapped to persistence and privilege escalation and includes Windows and Identity Provider platforms; the detection strategy object itself does not specify platforms, tactics, description, or detection logic.

ATT&CK did not provide an official description or detection section for this detection strategy in the supplied fields. Local identity architecture, MFA provider configuration, device-management tooling, logging retention, and business enrollment processes are required to determine concrete detection coverage and alert thresholds.

Official MITRE ATT&CK definition

Suspicious Device Registration via Entra ID or MFA Platform

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1098.005
Name: Device Registration (sub-technique)
Relationship / procedure: This object detects Device Registration.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases by hash and MITRE timestamp. For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1e773cb48eefb2bd...

Imported snapshots across ATT&CK releases (1)

Release: 19.1 | Bundle imported: | Object version: 1.0 | Modified: | Status: Current bundle | Raw hash: 1e773cb48eef…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, DET0036.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.