Query Details

Registration From Hosting ASN

Query

id: 7b8c9d10-aaaa-4001-8001-000000000004
name: HUNT - Device registered from cloud / hosting ASN
description: |
  Surfaces device registrations / enrollments where the origin IP belongs to cloud / hosting
  providers (Azure, AWS, GCP, DigitalOcean, OVH) — a classic footprint of ROADtools / AADInternals
  running from attacker VPS.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - Persistence
relevantTechniques:
  - T1098.005
query: |
  let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
  let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
  let hostingKeywords = dynamic(["amazon","aws","azure","microsoft","google","digitalocean","ovh","hetzner","linode","vultr","contabo"]);
  SigninLogs
  | where TimeGenerated > ago(7d) and ResultType == 0
  | where AppDisplayName has_any ("Device Registration","Microsoft Intune","Microsoft Authentication Broker")
  | where not(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges))
  | extend ISP = tostring(NetworkLocationDetails)
  | where ISP has_any (hostingKeywords) or UserAgent has_any (hostingKeywords)
  | project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, ISP, UserAgent,
            Location = tostring(parse_json(tostring(LocationDetails)).countryOrRegion)
  | order by TimeGenerated desc
version: 1.0.0

Explanation

This query is designed to identify suspicious device registrations or enrollments in an organization's network. It specifically looks for instances where the origin IP address is associated with known cloud or hosting providers, such as Azure, AWS, Google Cloud, and others. This is often a sign of potential malicious activity, as attackers might use virtual private servers (VPS) from these providers to run tools like ROADtools or AADInternals.

Here's a simplified breakdown of what the query does:

  1. Network Allowlist: It retrieves a list of allowed IP ranges from a watchlist called 'NetworkAllowlist' and collects them into a single array for the range check.

  2. Hosting Keywords: It defines a list of keywords related to cloud and hosting providers.

  3. SigninLogs Filtering:

    • It looks at sign-in logs from the past 7 days where the sign-in was successful (ResultType == 0).
    • It focuses on applications related to device registration, Microsoft Intune, or Microsoft Authentication Broker.
    • It excludes IP addresses that are within the allowed ranges from the watchlist.

  4. ISP and UserAgent Check: It checks whether the NetworkLocationDetails field (labelled ISP by the query) or the UserAgent string contains any of the hosting keywords.

  5. Output: The query outputs details such as the time of the event, user principal name, application display name, IP address, ISP, user agent, and location (country or region).

  6. Sorting: The results are sorted by the time the event was generated, in descending order.

Overall, this query helps in detecting potentially unauthorized device registrations originating from cloud or hosting environments, which could indicate an attacker's attempt to persist in the network.
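The same filter chain in plain Python, as an added example that is not part of this query page: it runs over constructed SigninLogs-style rows and a constructed allowlist, and approximates KQL's has_any and ipv4_is_in_any_range with standard-library code so the logic can be checked offline.

```python
import ipaddress
import json
import re

HOSTING_KEYWORDS = ["amazon", "aws", "azure", "microsoft", "google", "digitalocean",
                    "ovh", "hetzner", "linode", "vultr", "contabo"]
ENROLLMENT_APPS = ["Device Registration", "Microsoft Intune", "Microsoft Authentication Broker"]
COLUMNS = ["TimeGenerated", "UserPrincipalName", "AppDisplayName", "ResultType",
           "IPAddress", "NetworkLocationDetails", "UserAgent", "LocationDetails"]
# Constructed stand-ins for the NetworkAllowlist watchlist and for SigninLogs rows (not real data).
ALLOWLIST = ["203.0.113.0/24"]
SAMPLE_SIGNINS = [dict(zip(COLUMNS, row)) for row in [
    ("2026-04-20T08:01:00Z", "alice@example.com", "Microsoft Intune", "0", "203.0.113.10",
     "Hetzner Online GmbH", "Mozilla/5.0 (Windows NT 10.0)", '{"countryOrRegion":"DE"}'),
    ("2026-04-20T09:15:00Z", "bob@example.com", "Device Registration", "0", "198.51.100.7",
     "DigitalOcean, LLC", "python-requests/2.31", '{"countryOrRegion":"NL"}'),
    ("2026-04-20T10:00:00Z", "carol@example.com", "Microsoft Authentication Broker", "50126",
     "198.51.100.9", "OVH SAS", "Mozilla/5.0 (Windows NT 10.0)", '{"countryOrRegion":"FR"}'),
    ("2026-04-20T11:00:00Z", "dave@example.com", "Device Registration", "0", "192.0.2.44",
     "Example Telecom", "Mozilla/5.0 (Windows NT 10.0)", '{"countryOrRegion":"GB"}'),
    ("2026-04-20T12:30:00Z", "erin@example.com", "Microsoft Intune", "0", "192.0.2.200",
     "Amazon.com, Inc.", "Mozilla/5.0 (Windows NT 10.0)", '{"countryOrRegion":"US"}'),
]]

def has_any(text, keywords):
    """Approximates KQL has_any: case-insensitive match on whole terms, not substrings."""
    terms = set(re.findall(r"[a-z0-9]+", str(text).lower()))
    return any(k in terms for k in keywords)

def in_allowed_range(ip, cidrs):
    """Approximates ipv4_is_in_any_range; an empty allowlist excludes nothing."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def matches(r, allowlist):
    """One SigninLogs row passes the query's filters (the 7-day window is omitted for static data)."""
    isp = str(r["NetworkLocationDetails"])
    return (str(r["ResultType"]) == "0"                                      # successful sign-in
            and any(a.lower() in r["AppDisplayName"].lower() for a in ENROLLMENT_APPS)
            and not in_allowed_range(r["IPAddress"], allowlist)             # not corporate egress
            and (has_any(isp, HOSTING_KEYWORDS) or has_any(r["UserAgent"], HOSTING_KEYWORDS)))

def hunt_hosting_registrations(rows, allowlist):
    """Projects the query's output columns for matching rows, newest first."""
    hits = [{"TimeGenerated": r["TimeGenerated"], "UserPrincipalName": r["UserPrincipalName"],
             "AppDisplayName": r["AppDisplayName"], "IPAddress": r["IPAddress"],
             "ISP": str(r["NetworkLocationDetails"]), "UserAgent": r["UserAgent"],
             "Location": json.loads(r["LocationDetails"]).get("countryOrRegion")}
            for r in rows if matches(r, allowlist)]
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)
```

Because the keyword list contains "microsoft" and "azure", sign-ins that legitimately egress from Microsoft-owned address space will also surface; tune the NetworkAllowlist watchlist to keep those out rather than removing the keywords.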

Details

David Alonso

Released: April 22, 2026

Tables

SigninLogs

Keywords

Device Enrollments, Origin IP, Cloud Hosting Providers, Azure, AWS, GCP, DigitalOcean, OVH, ROADtools, AADInternals, Attacker VPS, AzureActiveDirectory, SigninLogs, Persistence, Device Registration, Microsoft Intune, Microsoft Authentication Broker, NetworkLocationDetails, UserAgent, LocationDetails

Operators

let, toscalar, summarize, make_list, dynamic, ago, and, has_any, not, ipv4_is_in_any_range, tostring, extend, project, parse_json, order by, desc