Home/ MITRE Matrix/ Persistence/ T1098.005

T1098.005Device Registration

T1098.005 — Device Registration is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 10 detection use cases covering it and 3 threat-intel articles citing it.

PersistencePrivilege Escalation

View on the matrix → Filter Detection Library MITRE official spec ↗

10Use cases

3Articles

0Sub-techniques

2Tactics

↑ Parent technique: T1098 · Account Manipulation

Use cases covering this technique (10)

[WEEKLY] OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay Internal c2 · alerting DSPDD Okta New Device Enrolled on Account ESCU actions · alerting P PingID Mismatch Auth Source and Verification Response ESCU actions · alerting P PingID New MFA Method After Credential Reset ESCU actions · alerting P PingID New MFA Method Registered For User ESCU actions · alerting P Azure AD New MFA Method Registered ESCU actions · alerting P O365 New MFA Method Registered ESCU actions · alerting P [LLM] Bling Libra: Entra device join immediately after vishing-driven MFA registration Bespoke install · alerting DSPDD [LLM] Curious Serpens / APT29 ROADtools-pattern: device registration immediately following non-interactive token acquisition Bespoke install · alerting DSPDD [LLM] Iran-aligned MFA push-bombing followed by new auth method registered (AA24-290A) Bespoke actions · alerting DSP

Articles citing this technique (3)

crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193

crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218

crit Cyber fallout from the Iran war: What to have on your radar art-474