Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Persistence
  4. >ATTACK-T1098.005
ATTACK-T1098.005Active

Device Registration

Statement

Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.

MFA systems, such as Duo or Okta, allow users to associate devices with their accounts in order to complete MFA requirements. An adversary that compromises a user’s credentials may enroll a new device in order to bypass initial MFA requirements and gain persistent access to a network.(Citation: CISA MFA PrintNightmare)(Citation: DarkReading FireEye SolarWinds) In some cases, the MFA self-enrollment process may require only a username and password to enroll the account's first device or to enroll a device to an inactive account. (Citation: Mandiant APT29 Microsoft 365 2022)

Similarly, an adversary with existing access to a network may register a device or a virtual machine to Entra ID and/or its device management system, Microsoft Intune, in order to access sensitive data or resources while bypassing conditional access policies.(Citation: AADInternals - Device Registration)(Citation: AADInternals - Conditional Access Bypass)(Citation: Microsoft DEV-0537)(Citation: Expel Atlas Lion 2025)

Devices registered in Entra ID may be able to conduct Internal Spearphishing campaigns via intra-organizational emails, which are less likely to be treated as suspicious by the email client.(Citation: Microsoft - Device Registration) Additionally, an adversary may be able to perform a Service Exhaustion Flood on an Entra ID tenant by registering a large number of devices.(Citation: AADInternals - BPRT)

Location

Tactic
Persistence

Technique Details

Identifier
ATTACK-T1098.005
Parent Technique
ATTACK-T1098
ATT&CK Page
View on MITRE

Tactics

PersistencePrivilege Escalation

Platforms

WindowsIdentity Provider

Detection

Suspicious Device Registration via Entra ID or MFA Platform

Mitigations

Multi-factor Authentication: Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include:

  • Something you know: Passwords, PINs.
  • Something you have: Physical tokens, smartphone authenticator apps.
  • Something you are: Biometric data such as fingerprints, facial recognition, or retinal scans.

Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures:

Identity and Access Management (IAM):

  • Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles.
  • Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations).
  • Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.

Authentication Tools and Methods:

  • Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP).
  • Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security.
  • Enforce biometric authentication for compatible devices and applications.

Secure Legacy Systems:

  • Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet.
  • Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.

Monitoring and Alerting:

  • Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems.
  • Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.

Training and Policy Enforcement:

  • Educate employees on the importance of MFA and secure authenticator usage.
  • Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.
SP 800-53
SP800-53-AC-2relatedvia ctid-attack-to-sp800-53
SP800-53-AC-20relatedvia ctid-attack-to-sp800-53
SP800-53-AC-3relatedvia ctid-attack-to-sp800-53
SP800-53-AC-5relatedvia ctid-attack-to-sp800-53
SP800-53-AC-6relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Persistence
Persistence80 controls
ATTACK-T1037Boot or Logon Initialization ScriptsATTACK-T1037.001Logon Script (Windows)ATTACK-T1037.002Login HookATTACK-T1037.003Network Logon ScriptATTACK-T1037.004RC ScriptsATTACK-T1037.005Startup ItemsATTACK-T1098Account ManipulationATTACK-T1098.001Additional Cloud CredentialsATTACK-T1098.002Additional Email Delegate PermissionsATTACK-T1098.003Additional Cloud RolesATTACK-T1098.004SSH Authorized KeysATTACK-T1098.005Device RegistrationATTACK-T1098.006Additional Container Cluster RolesATTACK-T1098.007Additional Local or Domain GroupsATTACK-T1133External Remote ServicesATTACK-T1136Create AccountATTACK-T1136.001Local AccountATTACK-T1136.002Domain AccountATTACK-T1136.003Cloud AccountATTACK-T1137Office Application StartupATTACK-T1137.001Office Template MacrosATTACK-T1137.002Office TestATTACK-T1137.003Outlook FormsATTACK-T1137.004Outlook Home PageATTACK-T1137.005Outlook RulesATTACK-T1137.006Add-insATTACK-T1176Software ExtensionsATTACK-T1176.001Browser ExtensionsATTACK-T1176.002IDE ExtensionsATTACK-T1505Server Software ComponentATTACK-T1505.001SQL Stored ProceduresATTACK-T1505.002Transport AgentATTACK-T1505.003Web ShellATTACK-T1505.004IIS ComponentsATTACK-T1505.005Terminal Services DLLATTACK-T1505.006vSphere Installation BundlesATTACK-T1525Implant Internal ImageATTACK-T1542.001System FirmwareATTACK-T1542.002Component FirmwareATTACK-T1542.003BootkitATTACK-T1543Create or Modify System ProcessATTACK-T1543.001Launch AgentATTACK-T1543.002Systemd ServiceATTACK-T1543.003Windows ServiceATTACK-T1543.004Launch DaemonATTACK-T1543.005Container ServiceATTACK-T1546.017Udev RulesATTACK-T1546.018Python Startup HooksATTACK-T1547Boot or Logon Autostart ExecutionATTACK-T1547.001Registry Run Keys / Startup FolderATTACK-T1547.002Authentication PackageATTACK-T1547.003Time ProvidersATTACK-T1547.004Winlogon Helper DLLATTACK-T1547.005Security Support ProviderATTACK-T1547.006Kernel Modules and ExtensionsATTACK-T1547.007Re-opened ApplicationsATTACK-T1547.008LSASS DriverATTACK-T1547.009Shortcut ModificationATTACK-T1547.010Port MonitorsATTACK-T1547.012Print ProcessorsATTACK-T1547.013XDG Autostart EntriesATTACK-T1547.014Active SetupATTACK-T1547.015Login ItemsATTACK-T1554Compromise Host Software BinaryATTACK-T1574Hijack Execution FlowATTACK-T1574.001DLLATTACK-T1574.004Dylib HijackingATTACK-T1574.005Executable Installer File Permissions WeaknessATTACK-T1574.006Dynamic Linker HijackingATTACK-T1574.007Path Interception by PATH Environment VariableATTACK-T1574.008Path Interception by Search Order HijackingATTACK-T1574.009Path Interception by Unquoted PathATTACK-T1574.010Services File Permissions WeaknessATTACK-T1574.011Services Registry Permissions WeaknessATTACK-T1574.012COR_PROFILERATTACK-T1574.013KernelCallbackTableATTACK-T1574.014AppDomainManagerATTACK-T1653Power SettingsATTACK-T1668Exclusive ControlATTACK-T1671Cloud Application Integration