Detection rules › Kusto Query Language
Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access
'This detection uses Windows security events to detect suspicious access attempts by the same process to registry keys that provide information about an Microsoft Entra ID joined or registered devices and Transport keys (tkpub / tkpriv). This information can be used to export the Device Certificate (dkpub / dkpriv) and Transport key (tkpub/tkpriv). These set of keys can be used to impersonate existing Microsoft Entra ID joined devices. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable objects: HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin (Microsoft Entra ID joined devices) HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin (Microsoft Entra ID registered devices) HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\KeyTransportKey (Transport Key) Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml Reference: https://aadinternals.com/post/deviceidentity/'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1012 Query Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4656 | A handle to an object was requested. |
| Security-Auditing | 4663 | An attempt was made to access an object. |
Stages and Predicates
Stage 1: source
<union>
Stage 2: union
union of 2 branches