Entra ID Device Registration with Phishing Kit Default OS Build

Last updated 10 days ago on 2026-06-29
Created 10 days ago on 2026-06-29

About

Identifies a Microsoft Entra ID device registration where the recorded cloud device operating system build is "10.0.19045.2006" and the device display name follows the default "DESKTOP-" pattern. This is the frozen default device profile observed when adversary-in-the-middle (AiTM) phishing kits such as Tycoon2FA and Kali365 register Azure AD-joined devices after capturing a victim session, in order to acquire a Primary Refresh Token (PRT) and establish persistence. The build is hardcoded by the tooling and it is uncommon for the OS build to match this exact value across an environment of otherwise patched hosts, where a current Windows 10 22H2 device reports a far higher "10.0.19045.<revision>" value.
Tags
Domain: CloudDomain: IdentityData Source: AzureData Source: Microsoft Entra IDData Source: Microsoft Entra ID Audit LogsUse Case: Identity and Access AuditUse Case: Threat DetectionThreat: Tycoon2FAThreat: Kali365Tactic: PersistenceLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

False Positive Examples
Legitimate device registrations may coincidentally use the `10.0.19045.2006` build (Windows 10 22H2) with a default `DESKTOP-` hostname, particularly on imaged or unmanaged Windows hosts that have not been updated. Validate against your device inventory, expected provisioning workflows, and the registering user before escalating. Authorized red team or penetration testing engagements that register devices with this OS profile will match this rule. If this is expected, add exceptions for the specific user principal names, source IPs, or device names involved.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.auditlogs-*
Related Integrations

azure(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset:"azure.auditlogs" and event.action:"Add device" and azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value:*10.0.19045.2006* and azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value:*DESKTOP-*

Install detection rules in Elastic Security

Detect Entra ID Device Registration with Phishing Kit Default OS Build in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).