Entra ID Device Registration with ROADtools Default OS Build

Last updated: 2026-05-26
Created: 2026-05-26

About

Identifies a Microsoft Entra ID device registration where the recorded cloud device operating system build is "10.0.19041.928" and the device display name follows the default "DESKTOP-" pattern. This combination is the default device profile that ROADtools (roadtx) uses when registering a device, and it is uncommon for the OS build to match the hardcoded value across an environment of otherwise patched hosts. Adversaries register rogue devices in Entra ID to acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic access to the tenant. Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline approved provisioning tooling and device naming conventions before relying on it.
Tags
Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Audit Logs
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Persistence
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)

False Positive Examples
Legitimate device registrations may coincidentally use the `10.0.19041.928` build (Windows 10 20H1) with a default `DESKTOP-` hostname, particularly on imaged or unmanaged Windows hosts that have not been updated. Validate against your device inventory, expected provisioning workflows, and the registering user before escalating. Authorized red team or penetration testing engagements that use ROADtools to register devices will match this rule. If this is expected, add exceptions for the specific user principal names, source IPs, or device names involved.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.auditlogs-*
Related Integrations

azure

Query
    data_stream.dataset:"azure.auditlogs"
      and event.action:"Add device"
      and azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value:*10.0.19041.928*
      and azure.auditlogs.properties.target_resources.0.modified_properties.4.new_value:*DESKTOP-*
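The same match logic as the query above, ported to Python as an added example (not Elastic's rule code) so it can be run offline against constructed Entra ID audit records, including the exceptions for users, source IPs and device names that the False Positive Examples section recommends. The `user.name` and `source.ip` paths used for those exceptions are assumed ECS locations, and every sample event is constructed.

```python
# Added example (not Elastic's rule code): the rule's KQL match logic ported to
# Python over constructed Entra ID audit records. Field paths follow the query;
# the exception fields user.name / source.ip are assumed ECS locations.

ROADTX_DEFAULT_BUILD = "10.0.19041.928"  # OS build in the rule's query
DEFAULT_NAME_PREFIX = "DESKTOP-"         # device display-name pattern

def _new_value(event, idx):
    """new_value of modified_properties[idx] on the first target resource,
    or "" if the path is absent (the KQL clause then simply does not match)."""
    try:
        resources = event["azure"]["auditlogs"]["properties"]["target_resources"]
        return resources[0]["modified_properties"][idx]["new_value"] or ""
    except (KeyError, IndexError, TypeError):
        return ""

def matches_rule(event, allow_users=(), allow_ips=(), allow_names=()):
    """True when all four query conditions hold and no exception of the kind
    the False Positive Examples section suggests applies. KQL '*value*' is a
    substring match, so 'in' is equivalent and also copes with values that
    arrive wrapped in quotes."""
    if event.get("data_stream", {}).get("dataset") != "azure.auditlogs":
        return False
    if event.get("event", {}).get("action") != "Add device":
        return False
    display_name = _new_value(event, 4)
    if ROADTX_DEFAULT_BUILD not in _new_value(event, 3):
        return False
    if DEFAULT_NAME_PREFIX not in display_name:
        return False
    # Exceptions: approved testers, provisioning sources, known device names.
    if event.get("user", {}).get("name") in allow_users:
        return False
    if event.get("source", {}).get("ip") in allow_ips:
        return False
    return not any(name in display_name for name in allow_names)

def make_event(os_build, name, action="Add device", user="", ip=""):
    """Minimal constructed audit record shaped like the fields the rule reads."""
    props = [{"new_value": None}] * 3 + [{"new_value": os_build}, {"new_value": name}]
    return {"data_stream": {"dataset": "azure.auditlogs"},
            "event": {"action": action},
            "user": {"name": user}, "source": {"ip": ip},
            "azure": {"auditlogs": {"properties": {"target_resources": [
                {"modified_properties": props}]}}}}
```

Because the rule (and this port) read fixed array positions 3 and 4 of `modified_properties`, a change in the order in which Entra ID emits those properties silently stops the match; confirm the positions against live "Add device" events before relying on the rule.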

Install detection rules in Elastic Security

Detect Entra ID Device Registration with ROADtools Default OS Build in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.