
Paved With Intent: ROADtools and Nation-State Tactics in the Cloud

ROADtools is an open-source Python framework designed for Entra ID exploration that has been co-opted by nation-state threat actors like APT29 and APT33. Attackers leverage its modules to conduct extensive directory reconnaissance, register rogue devices for persistence, and manipulate OAuth tokens to bypass interactive authentication controls such as MFA. Detection relies on identifying anomalous Microsoft Graph API queries, unusual user-agent strings, and default device registration artifacts.

Confidence: high | Analyzed: 2026-05-22

Authors: Unit 42

Actors: Cloaked Ursa, Midnight Blizzard, APT29, Curious Serpens, Peach Sandstorm, APT33, UTA0355

Source: Palo Alto Networks

Category: Detection / Hunter

What Happened

Nation-state hackers are using a publicly available tool called ROADtools to attack Microsoft cloud environments. Organizations using Microsoft Entra ID (formerly Azure Active Directory) and Microsoft 365 are primarily affected. This matters because the tool allows attackers to map out organizational structures, register fake devices, and steal access tokens, effectively bypassing security measures like multi-factor authentication (MFA) to maintain hidden access. Organizations should monitor their cloud logs for unusual device registrations or automated access patterns and enforce strict device and token security policies.

Key Takeaways

  • ROADtools is an open-source Python framework increasingly used by nation-state actors for Entra ID discovery, persistence, and defense evasion.
  • The roadtx module enables attackers to register rogue devices and manipulate OAuth 2.0 tokens to bypass MFA and maintain persistent access.
  • The roadrecon module facilitates extensive enumeration of Entra ID resources via the Microsoft Graph API.
  • Default configurations in ROADtools, such as specific OS versions (10.0.19041.928) and user-agent strings, provide high-fidelity hunting indicators.
  • Defenders must shift from monitoring Azure AD Graph logs to Microsoft Graph API logs to detect modern ROADtools enumeration activity.

Affected Systems

  • Microsoft Entra ID
  • Azure Active Directory
  • Microsoft 365

Attack Chain

Attackers typically gain initial access via spear-phishing or password spraying to obtain valid credentials. They then use the roadtx module to authenticate and acquire a Primary Refresh Token (PRT) or register a rogue device in Entra ID for persistence. With persistent access established, attackers utilize the roadrecon module to query the Microsoft Graph API, enumerating users, groups, and applications to identify targets for lateral movement. Finally, the stolen tokens are continuously refreshed to maintain non-interactive access, effectively bypassing MFA and conditional access policies.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Cortex XDR

The article provides Cortex XQL queries to hunt for anomalous device registrations, token misuse via unusual user agents, and excessive Microsoft Graph API enumeration.

Detection Engineering Assessment

EDR Visibility: Low — ROADtools interacts directly with Entra ID cloud APIs; unless the tool is executed on a monitored endpoint, EDR will not see the network traffic or API calls.
Network Visibility: Medium — Network sensors might capture unusual User-Agent strings (like python-requests) or API calls to Microsoft Graph, but the traffic is encrypted (HTTPS) and often originates from attacker-controlled infrastructure.
Detection Difficulty: Moderate — The tool uses legitimate Microsoft APIs and authentication flows, so it blends in with normal administrative or application traffic. Detection relies heavily on behavioral baselining and on spotting anomalous User-Agents or bursty API requests.

Required Log Sources

  • Azure AD Audit Logs
  • Microsoft Graph API Activity Logs
  • Entra ID Sign-in Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Attackers may be registering rogue devices using default ROADtools configurations. | Azure AD Audit Logs | Persistence | Low
Threat actors might be interacting with Entra ID using automated scripts, identifiable by Python-related User-Agent strings. | Entra ID Sign-in Logs | Defense Evasion | Medium
Adversaries may be conducting rapid, high-volume enumeration of directory objects via the Microsoft Graph API. | Microsoft Graph API Activity Logs | Discovery | Medium

Control Gaps

  • Lack of device-bound token protection
  • Overly permissive OAuth application consent
  • Unrestricted device code authentication flows

Key Behavioral Indicators

  • OS Version '10.0.19041.928' in Entra ID device registrations
  • Device names matching the pattern 'DESKTOP-<8 digits>'
  • User-Agent strings containing 'python', 'requests', 'urllib', 'curl', or 'roadtools' interacting with Entra ID
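As an added example (not code from the report or from the ROADtools project), a small Python hunt that applies the three hunting hypotheses and the behavioral indicators above to constructed sample telemetry: the default OS version and DESKTOP-<8 digits> device names, script-like User-Agents on sign-ins, and bursty Microsoft Graph enumeration. The record field names and the burst threshold are assumptions; the report itself ships Cortex XQL queries rather than this code.

```python
import re
from collections import defaultdict, deque

# Hunting indicators taken from the report.
ROADTOOLS_OS_VERSION = "10.0.19041.928"
DEVICE_NAME_RE = re.compile(r"^DESKTOP-\d{8}$")
SCRIPT_UA_RE = re.compile(r"python|requests|urllib|curl|roadtools", re.IGNORECASE)
# Constructed sample telemetry (not real logs). Field names are assumptions,
# simplified from what Entra ID audit, sign-in and Graph activity logs carry.
DEVICE_REGISTRATIONS = [  # "Register device" events already filtered from the audit log
    {"deviceName": "DESKTOP-48213976", "osVersion": ROADTOOLS_OS_VERSION, "initiatedBy": "alice@example.test"},
    {"deviceName": "LAPTOP-ALICE", "osVersion": "10.0.22631.3296", "initiatedBy": "alice@example.test"},
]
SIGNIN_LOG = [
    {"user": "alice@example.test", "userAgent": "python-requests/2.31.0"},
    {"user": "bob@example.test", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]
# Graph activity as (principal, unix ts, path): alice makes 60 reads in two minutes, bob five over an hour.
GRAPH_LOG = [("alice@example.test", 1_700_000_000 + 2 * i, "/v1.0/users") for i in range(60)]
GRAPH_LOG += [("bob@example.test", 1_700_000_000 + 720 * i, "/v1.0/me") for i in range(5)]


def suspicious_device_registrations(registrations):
    """Registrations carrying ROADtools' default OS version or a DESKTOP-<8 digits> name."""
    hits = []
    for ev in registrations:
        if ev["osVersion"] == ROADTOOLS_OS_VERSION or DEVICE_NAME_RE.match(ev["deviceName"]):
            hits.append((ev["initiatedBy"], ev["deviceName"]))
    return hits


def scripted_signins(signin_log):
    """Users whose sign-in User-Agent looks like a script or HTTP library, not a browser."""
    return sorted({ev["user"] for ev in signin_log if SCRIPT_UA_RE.search(ev["userAgent"])})


def graph_enumeration_bursts(graph_log, window_s=300, threshold=50):
    """Principals exceeding `threshold` Graph requests inside any `window_s`-second sliding window."""
    by_principal = defaultdict(list)
    for principal, ts, _path in graph_log:
        by_principal[principal].append(ts)
    bursts = {}
    for principal, stamps in by_principal.items():
        window, peak = deque(), 0
        for ts in sorted(stamps):
            window.append(ts)
            while ts - window[0] > window_s:  # evict requests older than the window
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            bursts[principal] = peak
    return bursts
```

Tune the window and threshold against your tenant's baseline before alerting, since legitimate automation and admin tooling also produce script User-Agents and bursts of Graph reads.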

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Review Entra ID Risky sign-in and Risky user reports for anomalous access patterns or leaked credentials.
  • Audit recently registered or joined devices in Entra ID for suspicious naming conventions or OS versions (e.g., 10.0.19041.928).

Infrastructure Hardening

  • Consider enabling Entra ID token protection to bind refresh tokens to specific devices, preventing token replay.
  • Evaluate restricting the device code flow via Conditional Access Policies to only trusted IP ranges or registered devices.
  • Implement Privileged Identity Management (PIM) to limit standing privileges and require step-up authentication for sensitive actions.

User Protection

  • Regularly audit OAuth applications for excessive delegated or application permissions to Microsoft Graph, SharePoint, or Exchange.
  • Ensure multi-factor authentication (MFA) is strictly enforced and evaluate phishing-resistant MFA methods.

Security Awareness

  • Educate administrators on the risks of overly permissive OAuth consent and the importance of monitoring application permissions.

MITRE ATT&CK Mapping

  • T1098.005 - Account Manipulation: Device Registration
  • T1550 - Use Alternate Authentication Material
  • T1087 - Account Discovery

Additional IOCs

  • Command Lines:
    • Purpose: Request an access token for the Azure device registration service using a stolen refresh token. | Tools: roadtx | Stage: Defense Evasion | roadtx gettokens --refresh-token
    • Purpose: Register a new rogue device in Entra ID for persistence. | Tools: roadtx | Stage: Persistence | roadtx device -n