Device Registration (T1098.005)

Associated Tactics

  • Persistence
  • Privilege Escalation

Persistence (TA0003)

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Procedure Examples

Description | Source(s)
Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. Retrieved March 16, 2022. | CISA MFA PrintNightmare
Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. | Mandiant APT29 Microsoft 365 2022
Dr. Nestori Syynimaa. (2020, September 6). Bypassing conditional access by faking device compliance. Retrieved March 4, 2022. | AADInternals - Conditional Access Bypass
Dr. Nestori Syynimaa. (2021, January 31). BPRT unleashed: Joining multiple devices to Azure AD and Intune. Retrieved March 4, 2022. | AADInternals - BPRT
Dr. Nestori Syynimaa. (2021, March 3). Deep-dive to Azure AD device join. Retrieved March 9, 2022. | AADInternals - Device Registration
Kelly Jackson Higgins. (2021, January 7). FireEye's Mandia: 'Severity-Zero Alert' Led to Discovery of SolarWinds Attack. Retrieved April 18, 2022. | DarkReading FireEye SolarWinds
Microsoft 365 Defender Threat Intelligence Team. (2022, January 26). Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA. Retrieved March 4, 2022. | Microsoft - Device Registration
Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022. | Microsoft DEV-0537