Query Details

Rogue Device Registration Tooling

Query

id: 5a6f1c3e-2a1b-4c9e-9f01-11a2b3c4d504
name: Intune - Rogue device registration from suspicious user agent / tool
description: |
  Detects device registration or MDM enrollment activity with user agents or client strings
  associated with offensive tooling (AADInternals, ROADtools / roadtx, goroadtools). These
  strings appear in `SigninLogs.UserAgent` or Intune operational logs when attackers
  forge or replay device-bound tokens.
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CredentialAccess
  - Persistence
relevantTechniques:
  - T1528
  - T1098.005
query: |
  let NetworkAllowlist = _GetWatchlist('NetworkAllowlist') | project IPRange = tostring(SearchKey);
  let AllowedRanges = toscalar(NetworkAllowlist | summarize make_list(IPRange));
  let suspiciousUA = dynamic([
      "AADInternals","roadtx","roadtools","goroadtools",
      "Python-requests","Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
  ]);
  let suspiciousApps = dynamic([
      "Microsoft Intune Company Portal","Microsoft Authentication Broker",
      "Azure Active Directory PowerShell","Microsoft Graph PowerShell",
      "Microsoft Intune"
  ]);
  union isfuzzy=true
      (SigninLogs
          | where TimeGenerated > ago(1h)
          | extend LocationDetails = todynamic(tostring(LocationDetails))
          | project TimeGenerated, UserPrincipalName, AppDisplayName, ResourceDisplayName,
                    UserAgent, IPAddress, LocationDetails, ResultType,
                    AuthenticationRequirement, ConditionalAccessStatus),
      (AADNonInteractiveUserSignInLogs
          | where TimeGenerated > ago(1h)
          | extend LocationDetails = todynamic(tostring(column_ifexists("LocationDetails", dynamic({}))))
          | project TimeGenerated, UserPrincipalName, AppDisplayName, ResourceDisplayName,
                    UserAgent, IPAddress, LocationDetails, ResultType,
                    AuthenticationRequirement, ConditionalAccessStatus)
  | where ResultType == 0
  | where AppDisplayName in~ (suspiciousApps) or ResourceDisplayName has_any ("Device Registration","Intune")
  | where UserAgent has_any (suspiciousUA) or isempty(UserAgent)
  | where not(ipv4_is_in_any_range(tostring(IPAddress), AllowedRanges))
  | project TimeGenerated, UserPrincipalName, AppDisplayName, ResourceDisplayName,
            UserAgent, IPAddress, Location=tostring(parse_json(tostring(LocationDetails)).countryOrRegion),
            AuthenticationRequirement, ConditionalAccessStatus
  | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

Explanation

This query is designed to detect potentially malicious device registration or mobile device management (MDM) enrollment activities in Microsoft Intune. It specifically looks for suspicious user agents or client strings that are often associated with offensive tools like AADInternals, ROADtools, and others. These strings might appear in sign-in logs when attackers attempt to forge or replay device-bound tokens.

Here's a simplified breakdown of the query:

  1. Purpose: The query aims to identify unauthorized or rogue device registrations by detecting suspicious user agents or applications used during the registration process.

  2. Severity: The alert generated by this query is considered high severity, indicating a significant security risk.

  3. Data Sources: It uses data from Azure Active Directory, specifically the SigninLogs and AADNonInteractiveUserSignInLogs.

  4. Frequency: The query runs every hour and looks back at the past hour's data.

  5. Detection Logic:

    • It checks for specific suspicious user agents and applications.
    • It filters out any IP addresses that are within an allowed range (using a watchlist).
    • It focuses on successful sign-in attempts (ResultType == 0) related to device registration or Intune.
    • It flags entries where the user agent is suspicious or missing.

  6. Output: The query outputs details like the time of the event, user principal name, application name, resource name, user agent, IP address, and location. It also maps these details to entities for further investigation.

  7. Tactics and Techniques: The query is associated with tactics like Credential Access and Persistence, and techniques such as T1528 (Steal Application Access Token) and T1098.005 (Device Registration).

Overall, this query helps security teams identify and respond to potential threats involving unauthorized device registrations in their environment.
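The same four filters, as an added illustration that is not part of the original rule or its author's code: a Python re-implementation run over constructed sample rows, with a constructed 10.0.0.0/8 range standing in for the NetworkAllowlist watchlist and the KQL term matching approximated as case-insensitive substring matching.

```python
import ipaddress
# Constructed lists mirroring the rule's suspiciousUA / suspiciousApps / resource terms.
SUSPICIOUS_UA = ["AADInternals", "roadtx", "roadtools", "goroadtools", "Python-requests"]
SUSPICIOUS_APPS = {"microsoft intune company portal", "microsoft authentication broker",
                   "azure active directory powershell", "microsoft graph powershell",
                   "microsoft intune"}
RESOURCE_TERMS = ["device registration", "intune"]
# Constructed stand-in for the NetworkAllowlist watchlist (corporate egress range).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample rows shaped like the columns the query projects.
SAMPLE_LOGS = [
    {"UserPrincipalName": "alice@example.test", "AppDisplayName": "Microsoft Intune Company Portal",
     "ResourceDisplayName": "Device Registration Service", "UserAgent": "roadtx/1.0",
     "IPAddress": "198.51.100.7", "ResultType": "0"},          # tool UA -> alert
    {"UserPrincipalName": "bob@example.test", "AppDisplayName": "Microsoft Authentication Broker",
     "ResourceDisplayName": "Device Registration Service", "UserAgent": "",
     "IPAddress": "198.51.100.8", "ResultType": "0"},          # empty UA -> alert
    {"UserPrincipalName": "carol@example.test", "AppDisplayName": "Microsoft Intune Company Portal",
     "ResourceDisplayName": "Device Registration Service", "UserAgent": "roadtx/1.0",
     "IPAddress": "10.1.2.3", "ResultType": "0"},              # allowlisted IP -> suppressed
    {"UserPrincipalName": "dave@example.test", "AppDisplayName": "Outlook",
     "ResourceDisplayName": "Exchange Online", "UserAgent": "AADInternals",
     "IPAddress": "198.51.100.9", "ResultType": "0"},          # not a registration app -> ignored
]

def in_allowlist(ip: str) -> bool:
    # Unparsable or IPv6 addresses are treated as "not allowlisted", so they still alert.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWLIST)

def is_registration_context(rec: dict) -> bool:
    app = rec.get("AppDisplayName", "").lower()       # in~ : case-insensitive exact match
    res = rec.get("ResourceDisplayName", "").lower()  # has_any : approximated as substring match
    return app in SUSPICIOUS_APPS or any(t in res for t in RESOURCE_TERMS)

def is_suspicious_ua(ua: str) -> bool:
    return ua == "" or any(t.lower() in ua.lower() for t in SUSPICIOUS_UA)

def detect(records: list) -> list:
    # Filters in the rule's order: success, registration context, user agent, allowlist.
    return [(r["UserPrincipalName"], r["IPAddress"], r["UserAgent"] or "<empty>")
            for r in records
            if str(r.get("ResultType")) == "0"
            and is_registration_context(r)
            and is_suspicious_ua(r.get("UserAgent", ""))
            and not in_allowlist(r.get("IPAddress", ""))]
```

One deliberate difference worth knowing when tuning the rule: in the KQL, not(ipv4_is_in_any_range(...)) evaluates to null for an IPv6 or unparsable source address and the where clause drops such rows, so those sign-ins never alert; the Python version keeps them.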

Details


David Alonso

Released: April 22, 2026

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

Devices, Intune, UserAgent, Tool, Logs, Tokens, Authentication, Network, IPAddress, Location, Account

Operators

let, toscalar, dynamic, union, isfuzzy, ago, extend, todynamic, tostring, project, where, in~, has_any, isempty, not, ipv4_is_in_any_range, parse_json, summarize, make_list
