MITRE ATT&CK® Technique

T1098.005: Device Registration

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.[1][2] In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account.[3]

Similarly, an adversary with existing access to a network may register a device or a virtual machine to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.[4][5][6][7]

Devices registered in Entra ID may be able to conduct Internal Spearphishing campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.[8] Additionally, an adversary may be able to perform a Service Exhaustion Flood on an Entra ID tenant by registering a large number of devices.[9]

Enterprise | T1098.005 | Sub-technique | Object v1.4 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Device Registration matters because it can turn a stolen username and password into durable access. If an attacker can add their own MFA device or register a device/VM into Entra ID or device management, they may satisfy MFA or conditional access checks that executives assume are protecting the business.

Executive priority

Prioritize this as an identity and cloud control-assurance issue, not only an endpoint issue. Leaders should ask whether first-device MFA enrollment, inactive accounts, Entra ID device joins, and Intune/device-compliance registration are governed, logged, and reviewed. The business risk is persistent access through trusted identity workflows, with possible downstream abuse such as access to sensitive resources, internal phishing, or large-scale device registration pressure on an Entra ID tenant as described by ATT&CK.

Technical view

For SOC, identity, cloud, and IR teams, validate coverage for device registration events across MFA platforms and Entra ID/Intune. ATT&CK provides no official detection text, but the relationship context includes DET0036, Suspicious Device Registration via Entra ID or MFA Platform. Detection engineering should focus on new device enrollment after credential compromise indicators, first-device enrollment for inactive or dormant accounts, unusual device joins, compliance state changes, conditional access bypass-relevant events, and spikes in device registration volume. Treat this as a sub-technique of Account Manipulation under persistence and privilege escalation.

Likely telemetry

  • MFA enrollment and device association audit logs from platforms such as Duo or Okta where used
  • Entra ID device registration, device join, and audit logs
  • Microsoft Intune or device management enrollment and compliance records
  • Conditional access evaluation and sign-in logs tied to newly registered devices
  • Identity provider authentication logs for accounts registering new devices

Detection direction

  • Confirm that device registration events are collected centrally and retained long enough for incident response and audit evidence.
  • Alert on MFA device enrollment or first-device enrollment for inactive, dormant, privileged, or unusual accounts.
  • Correlate new device registration with recent risky sign-ins, unfamiliar locations, impossible travel, password resets, or other account manipulation activity where local telemetry supports it.
  • Review Entra ID and Intune events for newly joined devices or VMs that quickly access sensitive resources or satisfy conditional access requirements.
  • Look for abnormal registration volume that could indicate service-exhaustion behavior against an Entra ID tenant.
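As an added example (not part of the Glexia or ATT&CK text), the following Python sketch applies three of the detection directions above to constructed, Entra ID-style audit and sign-in records: enrollment on a dormant account, enrollment shortly after a risky sign-in, and a per-account registration volume spike. The activity names, field names, thresholds and sample accounts are assumptions, not an exact log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names approximate Entra ID audit log entries (assumption, not an exact schema).
REG_ACTIVITIES = {"Register device", "User registered security info"}
DORMANT_DAYS, RISK_WINDOW = 90, timedelta(minutes=60)
FLOOD_WINDOW, FLOOD_COUNT = timedelta(hours=1), 5

def ts(s):
    return datetime.fromisoformat(s)

def detect(audit, signins, last_active):
    """Return (rule, user, device) findings for suspicious device registrations."""
    regs = sorted((e for e in audit if e["activity"] in REG_ACTIVITIES), key=lambda e: e["time"])
    risky = defaultdict(list)
    for s in signins:
        if s["risk"] in ("medium", "high"):
            risky[s["user"]].append(ts(s["time"]))
    per_user, findings = defaultdict(list), []
    for e in regs:
        t, u = ts(e["time"]), e["user"]
        # Rule 1: enrollment on an account idle for a long time (no activity record counts as dormant)
        if (t - ts(last_active.get(u, "1970-01-01T00:00:00"))).days > DORMANT_DAYS:
            findings.append(("dormant_account_enrollment", u, e["device"]))
        # Rule 2: enrollment shortly after a medium/high-risk sign-in on the same account
        if any(timedelta(0) <= t - r <= RISK_WINDOW for r in risky[u]):
            findings.append(("enrollment_after_risky_signin", u, e["device"]))
        # Rule 3: registration volume spike per account (mass device registration)
        per_user[u].append(t)
        if sum(1 for x in per_user[u] if t - x <= FLOOD_WINDOW) == FLOOD_COUNT:
            findings.append(("registration_volume_spike", u, e["device"]))  # fire once
    return findings

# Constructed sample telemetry (not real logs); one row per audit event.
AUDIT = [
    {"time": "2025-01-10T09:00:00", "activity": "Register device", "user": "alice@example.com", "device": "LAPTOP-A1"},
    {"time": "2025-01-10T09:05:00", "activity": "User registered security info", "user": "dormant@example.com", "device": "Authenticator"},
    {"time": "2025-01-10T09:20:00", "activity": "Register device", "user": "bob@example.com", "device": "VM-01"},
    {"time": "2025-01-10T09:30:00", "activity": "Update user", "user": "bob@example.com", "device": ""},
] + [{"time": f"2025-01-10T10:{m:02d}:00", "activity": "Register device",
      "user": "svc@example.com", "device": f"NODE-{m}"} for m in range(0, 30, 5)]
SIGNINS = [{"time": "2025-01-10T09:10:00", "user": "bob@example.com", "risk": "high"},
           {"time": "2025-01-10T08:50:00", "user": "alice@example.com", "risk": "none"}]
LAST_ACTIVE = {"alice@example.com": "2025-01-09T17:00:00", "dormant@example.com": "2024-06-01T08:00:00",
               "bob@example.com": "2025-01-10T08:00:00", "svc@example.com": "2025-01-09T12:00:00"}

if __name__ == "__main__":
    for rule, user, device in detect(AUDIT, SIGNINS, LAST_ACTIVE):
        print(f"{rule}: {user} -> {device}")
```

In production the same three rules would be expressed in the SIEM's query language over real audit, sign-in and last-activity data, with thresholds tuned to the tenant's normal enrollment rate.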

Mitigation priorities

  • Govern who can register devices and under what conditions, especially for MFA first-device enrollment and inactive accounts.
  • Require strong approval, reauthentication, or help desk validation paths for adding or replacing MFA devices.
  • Review Entra ID and device management policies that allow device join, registration, and compliance-based access.
  • Limit trusted access decisions that rely only on self-registered device state without additional assurance.
  • Establish routine review of registered devices, stale devices, and unexpected device ownership.

Analyst notes and limits

This object is T1098.005 Device Registration in enterprise ATT&CK v19.1. It applies to Windows and Identity Provider platforms and is categorized under persistence and privilege escalation. The official description specifically references MFA systems, Entra ID, Microsoft Intune, conditional access, internal spearphishing, and potential service exhaustion through mass device registration.

ATT&CK does not provide official detection or mitigation text for this object. The guidance above is derived from the official description, external references, and relationship context only. Actual risk, alert logic, and response priority depend on the organization’s identity provider, MFA configuration, device management design, account lifecycle process, and available logs.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise | ID: T1098 | Name: Account Manipulation | Relationship: this object is a sub-technique of Account Manipulation.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Tool Enterprise

S0677: AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]

Platforms: Windows, Office Suite, Identity Provider

Campaign Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Campaign Enterprise

C0027: C0027

C0027 was a financially-motivated campaign linked to Scattered Spider that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During C0027 Scattered Spider used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.4
Created:
Modified:
Raw hash: 107a89550d988ff9...

Imported snapshots across ATT&CK releases (1):
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.4 | | Current bundle | 107a89550d98…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CISA MFA PrintNightmare. Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022.
  2. [2] DarkReading FireEye SolarWinds. Kelly Jackson Higgins. (2021, January 7). FireEye's Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack. Retrieved April 18, 2022.
  3. [3] Mandiant APT29 Microsoft 365 2022. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  4. [4] AADInternals - Device Registration. Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD device join. Retrieved March 9, 2022.
  5. [5] AADInternals - Conditional Access Bypass. Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional access by faking device compliance. Retrieved March 4, 2022.
  6. [6] Microsoft DEV-0537. Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.
  7. [7] Expel Atlas Lion 2025. Ben Nahorney and Jennifer Maynard. (2025, April 10). Observing Atlas Lion (part one): Why take control when you can enroll?. Retrieved May 22, 2025.
  8. [8] Microsoft - Device Registration. Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022.
  9. [9] AADInternals - BPRT. Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022.
  10. [10] mitre-attack T1098.005.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.