ID: SAT1043
- Initial Access
- Persistence
Some attack techniques yield only temporary access to an account, sometimes along with the account password, for example AiTM phishing that relays the victim's MFA code to the real service and captures the resulting session. In these situations, the ability to enroll a new device for the account allows an adversary to convert that short-lived access into long-term access.
Most commonly this means enrolling a new MFA device (authenticator app, phone number or security key) so that the adversary can complete MFA challenges on future sign-ins without involving the victim again. It can also involve enrolling an adversary-controlled device into the organisation's device management software so that the device is treated as managed or compliant and passes device-based conditional access or similar controls.
This use of device enrollment for persistence has been observed in attacks by both APT29 and Scattered Spider.
In some cases device enrollment is part of the initial access phase itself. For example, a dormant account compromised through credential stuffing may have been created before MFA was enforced; newer tenant security settings then prompt for MFA enrollment during authentication, and the adversary must complete that enrollment to finish the sign-in and gain access to the account. This has been observed in attacks by APT29 against Azure in the past.
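One way to hunt for both variants described above, as an added example that is not part of the original entry and not code from any vendor or project: correlate MFA factor enrollment events with the sign-in that preceded them. An enrollment minutes after the first successful sign-in from an IP the account has never used covers the AiTM-then-persist case; an enrollment on an account with no earlier successful sign-in in the log covers the dormant-account case. The event type names are loosely modelled on Okta System Log naming and the log lines are constructed sample data; the field names, the 30-minute window and the event names are assumptions to map onto your own IdP's audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event type names are assumptions loosely modelled on Okta System Log naming.
# Map your own IdP's events (e.g. an Entra ID "registered security info" audit
# event) onto these sets before running this against real data.
SESSION_EVENTS = {"user.session.start"}
ENROLL_EVENTS = {"user.mfa.factor.activate"}
WINDOW = timedelta(minutes=30)  # assumed threshold: enrollment this soon after a sign-in is suspicious

# Constructed sample log, not real data. IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00Z", "user": "alice", "event": "user.session.start", "ip": "203.0.113.10", "outcome": "SUCCESS"},
    {"ts": "2024-03-02T08:05:00Z", "user": "alice", "event": "user.session.start", "ip": "203.0.113.10", "outcome": "SUCCESS"},
    # AiTM-style: a never-seen IP signs in and enrolls a new factor minutes later
    {"ts": "2024-03-03T13:02:00Z", "user": "alice", "event": "user.session.start", "ip": "198.51.100.77", "outcome": "SUCCESS"},
    {"ts": "2024-03-03T13:09:00Z", "user": "alice", "event": "user.mfa.factor.activate", "ip": "198.51.100.77", "outcome": "SUCCESS"},
    # Benign: bob replaces a factor from the IP he always uses
    {"ts": "2024-03-01T09:00:00Z", "user": "bob", "event": "user.session.start", "ip": "203.0.113.20", "outcome": "SUCCESS"},
    {"ts": "2024-03-05T09:10:00Z", "user": "bob", "event": "user.session.start", "ip": "203.0.113.20", "outcome": "SUCCESS"},
    {"ts": "2024-03-05T09:12:00Z", "user": "bob", "event": "user.mfa.factor.activate", "ip": "203.0.113.20", "outcome": "SUCCESS"},
    # Dormant-account case: no history at all, first sign-in and enrollment together
    {"ts": "2024-03-06T02:00:00Z", "user": "carol", "event": "user.session.start", "ip": "192.0.2.9", "outcome": "SUCCESS"},
    {"ts": "2024-03-06T02:01:00Z", "user": "carol", "event": "user.mfa.factor.activate", "ip": "192.0.2.9", "outcome": "SUCCESS"},
]


def _parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_suspicious_enrollments(events, window=WINDOW):
    """Return MFA enrollments that followed a sign-in from a never-before-seen IP,
    or that happened on an account with no earlier successful sign-in in the log."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        known_ips = set()  # IPs seen on this user's earlier successful sign-ins
        sessions = []      # (ts, ip, ip_was_new_at_the_time, count_of_earlier_sessions)
        for e in evs:
            if e.get("outcome") != "SUCCESS":
                continue
            ts = _parse_ts(e["ts"])
            if e["event"] in SESSION_EVENTS:
                sessions.append((ts, e["ip"], e["ip"] not in known_ips, len(sessions)))
                known_ips.add(e["ip"])
            elif e["event"] in ENROLL_EVENTS:
                # Most recent successful sign-in inside the window; events are
                # sorted, so everything in `sessions` precedes this enrollment.
                recent = [s for s in sessions if ts - s[0] <= window]
                if not recent:
                    continue
                s_ts, s_ip, ip_was_new, earlier = recent[-1]
                reasons = []
                if ip_was_new:
                    mins = int((ts - s_ts).total_seconds() // 60)
                    reasons.append(f"enrolled {mins} min after first sign-in from unseen IP {s_ip}")
                if earlier == 0:
                    reasons.append("no earlier successful sign-in for this account in the log (dormant or newly created)")
                if reasons:
                    findings.append({"user": user, "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(f["user"], f["ts"], f["ip"], "; ".join(f["reasons"]))
```

On the sample, alice and carol are flagged and bob is not. In production the "unseen IP" baseline should be built from a longer history than the window being hunted, and an enrollment with no successful sign-in at all in the window (admin-initiated registration, or a session older than the window) deserves its own rule rather than being silently skipped as it is here.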