Account Manipulation: Device Registration `T1098.005`

Tactics: Persistence, Privilege Escalation

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

Authoring guide

Patterns shared across the 22 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (65 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`data_stream.dataset`	14	`eq` 14	`azure.auditlogs`, `azure.signinlogs`, `google_workspace.device`, `o365.audit`, `aws.cloudtrail`
`EventType`	10	`eq` 8, `in` 2	`DEVICE_REGISTER_UNREGISTER_EVENT`, `Register device`, `Add device`, `Add registered users to device.`, `CreateVirtualMFADevice`
`"result.message"`	3	`contains` 1, `in` 1, `starts_with` 1	`device paired`, `Action: Allowed`, `Action: Approve`, `Action: Authenticate`
`Provider_Name`	3	`eq` 3	`Exchange`, `Microsoft Entra ID`, `iam.amazonaws.com`
`azure_ad::user_type`	3	`eq` 3	`Member`
`event.outcome`	3	`eq` 2, `in` 1	`success`, `Success`
`gws::device_account_state`	3	`eq` 3	`REGISTERED`
`azure.auditlogs.properties.additional_details.value`	2	`eq` 2, `starts_with` 1	`Azure AD join`, `DeviceRegistrationClient`, `Dsreg/`, `Microsoft.OData.Client/`
`azure.signinlogs.properties.incoming_token_type`	2	`eq` 2	`refreshToken`, `primaryRefreshToken`
`azure.signinlogs.properties.token_protection_status_details.sign_in_session_status`	2	`eq` 2	`unbound`
`azure_ad::app_id`	2	`eq` 2	`29d9ed98-a469-4536-ade2-f981bc1d605e`
`azure_ad::resource_display_name`	2	`eq` 1, `ne` 1	`Device Registration Service`
`azure_ad::signin_category`	2	`eq` 2	`NonInteractiveUserSignInLogs`
`propertyName`	2	`eq` 1, `in` 1	`StrongAuthenticationMethod`, `StrongAuthenticationPhoneAppDetail`
`source.as.number`	2	`in` 2	`132203`, `136787`, `14061`, `204957`, `215540`

Top indicator values (171 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`data_stream.dataset`	`eq`	`azure.auditlogs` elasticEntra ID Device Registration with ROADtools Default OS Build elasticEntra ID Protection User Alert and Device Registration elasticEntra ID Register Device with Unusual User Agent (Azure AD Join) elasticEntra ID Unusual Cloud Device Registration	4	20
`data_stream.dataset`	`eq`	`azure.signinlogs` elasticEntra ID ADRS Token Request by Microsoft Authentication Broker elasticEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected elasticEntra ID User Sign-in with Unusual Non-Managed Device	4	30
`data_stream.dataset`	`eq`	`google_workspace.device` elasticGoogle Workspace Device Registration After OAuth from Suspicious ASN elasticGoogle Workspace User Sign-in from Atypical Device Type	2	2
`data_stream.dataset`	`eq`	`o365.audit` elasticM365 Exchange MFA Notification Email Deleted or Moved elasticM365 Identity OAuth Flow by User Sign-in to Device Registration	2	45
`azure_ad::user_type`	`eq`	`Member` elasticEntra ID ADRS Token Request by Microsoft Authentication Broker elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected elasticEntra ID User Sign-in with Unusual Non-Managed Device	3	10
`gws::device_account_state`	`eq`	`REGISTERED` elasticGoogle Workspace Device Registration After OAuth from Suspicious ASN elasticGoogle Workspace Device Registration Burst for Single User elasticGoogle Workspace User Sign-in from Atypical Device Type	3	3
`EventType`	`eq`	`DEVICE_REGISTER_UNREGISTER_EVENT` elasticGoogle Workspace Device Registration Burst for Single User elasticGoogle Workspace User Sign-in from Atypical Device Type	2	2
`EventType`	`eq`	`Register device` elasticEntra ID Protection User Alert and Device Registration elasticEntra ID Register Device with Unusual User Agent (Azure AD Join)	2	2
`azure.signinlogs.properties.incoming_token_type`	`eq`	`refreshToken` elasticEntra ID ADRS Token Request by Microsoft Authentication Broker elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected	2	2
`azure.signinlogs.properties.token_protection_status_details.sign_in_session_status`	`eq`	`unbound` elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected elasticEntra ID User Sign-in with Unusual Non-Managed Device	2	3
`azure_ad::app_id`	`eq`	`29d9ed98-a469-4536-ade2-f981bc1d605e` elasticEntra ID ADRS Token Request by Microsoft Authentication Broker elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected	2	7
`azure_ad::signin_category`	`eq`	`NonInteractiveUserSignInLogs` elasticEntra ID ADRS Token Request by Microsoft Authentication Broker elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected	2	2
`event.outcome`	`eq`	`success` elasticAWS IAM Virtual MFA Device Registration Attempt with Session Token elasticM365 Exchange MFA Notification Email Deleted or Moved	2	251
`source.as.number`	`in`	`204957` elasticEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN elasticGoogle Workspace Device Registration After OAuth from Suspicious ASN	2	2
`source.as.number`	`in`	`215540` elasticEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN elasticGoogle Workspace Device Registration After OAuth from Suspicious ASN	2	2
`source.as.number`	`in`	`29802` elasticEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN elasticGoogle Workspace Device Registration After OAuth from Suspicious ASN	2	2
`source.as.number`	`in`	`395092` elasticEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN elasticGoogle Workspace Device Registration After OAuth from Suspicious ASN	2	2
`source.as.number`	`in`	`45102` elasticEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN elasticGoogle Workspace Device Registration After OAuth from Suspicious ASN	2	2
`source.as.number`	`in`	`62240` elasticEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN elasticGoogle Workspace Device Registration After OAuth from Suspicious ASN	2	2
`source.as.number`	`in`	`9009` elasticEntra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN elasticGoogle Workspace Device Registration After OAuth from Suspicious ASN	2	3
`"resources{}.ipaddress"`	`eq`	`*` splunkPingID Mismatch Auth Source and Verification Response	1
`"result.message"`	`contains`	`device paired` splunkPingID New MFA Method After Credential Reset	1
`"result.message"`	`in`	`Action: Allowed` splunkPingID Mismatch Auth Source and Verification Response	1
`"result.message"`	`in`	`Action: Approve` splunkPingID Mismatch Auth Source and Verification Response	1
`"result.message"`	`in`	`Action: Authenticate` splunkPingID Mismatch Auth Source and Verification Response	1
`"result.message"`	`starts_with`	`device paired` splunkPingID New MFA Method Registered For User	1
`"result.status"`	`eq`	`POLICY` splunkPingID Mismatch Auth Source and Verification Response	1
`"result.status"`	`in`	`FAIL*` splunkPingID Mismatch Auth Source and Verification Response	1
`"result.status"`	`in`	`SUCCESS*` splunkPingID Mismatch Auth Source and Verification Response	1
`"result.status"`	`in`	`UNSUCCESSFUL*` splunkPingID Mismatch Auth Source and Verification Response	1

Exclusions (14 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`"result.message"`	`in`	`create` splunkPingID Mismatch Auth Source and Verification Response	1
`"result.message"`	`in`	`delete` splunkPingID Mismatch Auth Source and Verification Response	1
`"result.message"`	`in`	`pair` splunkPingID Mismatch Auth Source and Verification Response	1
`aws::userAgent`	`eq`	`Windows-AzureAD-Authentication-Provider/1.0` elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected	1
`azure.auditlogs.properties.userAgent`	`eq`	`DeviceRegistrationClient` elasticEntra ID Register Device with Unusual User Agent (Azure AD Join)	1
`azure.auditlogs.properties.userAgent`	`starts_with`	`Dalvik` elasticEntra ID Register Device with Unusual User Agent (Azure AD Join)	1
`azure.auditlogs.properties.userAgent`	`starts_with`	`Dsreg` elasticEntra ID Register Device with Unusual User Agent (Azure AD Join)	1
`azure.signinlogs.properties.device_detail.is_managed`	`eq`	`true` elasticEntra ID User Sign-in with Unusual Non-Managed Device	1
`azure_ad::app_display_name`	`eq`	`Windows Sign In` elasticEntra ID OAuth PRT Issuance to Non-Managed Device Detected	1
`o365.audit.AffectedItems.Subject`	`contains`	`log in` elasticM365 Exchange MFA Notification Email Deleted or Moved	1
`o365.audit.AffectedItems.Subject`	`contains`	`log-in` elasticM365 Exchange MFA Notification Email Deleted or Moved	1
`o365.audit.AffectedItems.Subject`	`contains`	`logon` elasticM365 Exchange MFA Notification Email Deleted or Moved	1
`o365.audit.AffectedItems.Subject`	`contains`	`sign in` elasticM365 Exchange MFA Notification Email Deleted or Moved	1
`o365.audit.AffectedItems.Subject`	`contains`	`sign-in` elasticM365 Exchange MFA Notification Email Deleted or Moved	1

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Account Manipulation: Device Registration `T1098.005`

Authoring guide

Fields filtered most (65 distinct)

Top indicator values (171 distinct)

Exclusions (14 distinct)

Rules under this technique

Sigma 1 rule

Elastic 15 rules

Splunk 6 rules

Keyboard shortcuts

Search operators

Account Manipulation: Device Registration T1098.005

Authoring guide

Fields filtered most (65 distinct)

Top indicator values (171 distinct)

Exclusions (14 distinct)

Rules under this technique

Sigma 1 rule

Elastic 15 rules

Splunk 6 rules

Account Manipulation: Device Registration `T1098.005`