Full Report
Open-source framework ROADtools is being misused by threat actors for cloud intrusions. Learn how to identify its malicious use. The post Paved With Intent: ROADtools and Nation-State Tactics in the Cloud appeared first on Unit 42.
Analysis Summary
# Tool/Technique: ROADtools
## Overview
ROADtools (Azure AD Exploration Framework) is an open-source framework designed for interacting with Microsoft Entra ID (formerly Azure AD). While created for security auditing and penetration testing, it has been increasingly adopted by nation-state threat actors for reconnaissance, data exfiltration, and lateral movement within cloud environments.
## Technical Details
- **Type:** Open-source reconnaissance and management framework
- **Platform:** Microsoft Entra ID (Azure AD), Microsoft 365
- **Capabilities:** Directory dumping, authentication token manipulation, attribute modification, and cross-tenant exploration.
- **First Seen:** Public release circa 2019; observed in nation-state campaigns (e.g., Midnight Blizzard) with increasing frequency since 2021.
## MITRE ATT&CK Mapping
- **TA0007 - Discovery**
  - T1087.004 - Account Discovery: Cloud Account
  - T1538 - Cloud Service Dashboard
  - T1018 - Remote System Discovery
- **TA0009 - Collection**
  - T1530 - Data from Cloud Storage
- **TA0008 - Lateral Movement**
  - T1550.001 - Use Alternate Authentication Material: Application Access Token
## Functionality
### Core Capabilities
- **ROADrecon:** Explores Entra ID by dumping the entire directory (users, groups, devices, applications, and service principals) into a local SQLite database.
- **ROADlib:** A library used to interact with Entra ID APIs via Python, allowing for custom scripting of authentication and data retrieval.
- **Authentication Support:** Supports various methods including username/password, device code flow, reuse of existing browser sessions, and previously saved authentication material stored in `.roadtools_auth`.
### Advanced Features
- **Token Exchange:** Can exchange existing tokens for tokens with different scopes (e.g., using a Microsoft Graph token to obtain an Azure Management token).
- **PRT Simulation:** Capability to simulate Primary Refresh Tokens (PRT) to bypass Multi-Factor Authentication (MFA) under specific conditions.
- **Visualizer:** A built-in web interface to visualize complex relationships between objects in the Entra ID tenant.
## Indicators of Compromise
- **File Names:**
  - `roadrecon.db` (default SQLite database name)
  - `.roadtools_auth` (default authentication storage file)
- **User Agent Strings:**
  - `python-requests/[VERSION]` (default if not customized)
  - `Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... ROADtools`
- **Behavioral Indicators:**
  - High volume of calls to `graph.microsoft.com` or `graph.windows.net` originating from a single non-standard IP.
  - Unusual service principal creation followed by immediate directory enumeration.
## Associated Threat Actors
- **APT29 (Midnight Blizzard / Nobelium / Cozy Bear):** Known for using ROADtools during the SolarWinds aftermath and subsequent cloud-native attacks.
- **APT44 (Sandworm):** Observed utilizing cloud discovery tools in hybrid environments.
## Detection Methods
- **Signature-based detection:** Monitoring for the specific SQLite database schema characteristics of `roadrecon.db`.
- **Behavioral detection:**
  - Identification of "Directory Enumeration" events in Microsoft Entra ID Audit Logs.
  - Monitoring for `Get-ADGroup` or `Get-ADUser` equivalent API calls occurring in rapid succession from unofficial CLI tools.
  - Alerting on the use of the "Azure PowerShell" or "Microsoft Office" AppIDs from unexpected geographical locations or known hosting provider IPs.
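The three behavioral checks above (default `python-requests` user agent, a burst of directory/Graph calls from one IP, and a first-party app such as "Azure PowerShell" or "Microsoft Office" signing in from an unexpected country or a hosting-provider range) can be run together over exported sign-in logs. The script below is an added example, not code from the Unit 42 post or the ROADtools project. Field names follow the Microsoft Graph `signIn` resource (`appDisplayName`, `userAgent`, `ipAddress`, `location.countryOrRegion`, `resourceDisplayName`, `createdDateTime`); the records, the hosting range `203.0.113.0/24`, the allowed-country list and the burst threshold are all constructed for the example and should be replaced with your own data and thresholds.

```python
"""Score constructed Entra ID sign-in records against ROADtools-style indicators.

Added example (not from the Unit 42 post or the ROADtools project). Record
field names mirror the Microsoft Graph signIn resource; the sample records,
hosting range, allowed countries and thresholds are assumptions for the demo.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Indicator 1: default python-requests UA, or a UA that advertises ROADtools.
SUSPECT_UA = re.compile(r"^python-requests/|ROADtools", re.IGNORECASE)
# Indicator 3: first-party app IDs the post names; matched here by display name.
FIRST_PARTY_APPS = {"Azure PowerShell", "Microsoft Office"}
# Resources whose sign-ins count as directory/Graph access for the burst rule.
GRAPH_RESOURCES = {"Microsoft Graph", "Windows Azure Active Directory"}
EXPECTED_COUNTRIES = {"US"}                      # assumption: tenant is US-only
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed range
GRAPH_BURST_THRESHOLD = 20                       # assumption: tune per tenant
GRAPH_BURST_WINDOW = timedelta(minutes=5)


def parse_time(s):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_hosting_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def record_findings(rec):
    """Per-record rules: suspect UA, and first-party app from an odd origin."""
    out = []
    if SUSPECT_UA.search(rec.get("userAgent", "")):
        out.append("suspect-user-agent")
    if rec["appDisplayName"] in FIRST_PARTY_APPS:
        country = rec.get("location", {}).get("countryOrRegion")
        if country not in EXPECTED_COUNTRIES or is_hosting_ip(rec["ipAddress"]):
            out.append("first-party-app-unexpected-origin")
    return out


def graph_burst_ips(records):
    """IPs with >= GRAPH_BURST_THRESHOLD Graph/directory sign-ins inside any
    GRAPH_BURST_WINDOW, found with a sliding window over sorted timestamps."""
    times = defaultdict(list)
    for r in records:
        if r["resourceDisplayName"] in GRAPH_RESOURCES:
            times[r["ipAddress"]].append(parse_time(r["createdDateTime"]))
    flagged = set()
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > GRAPH_BURST_WINDOW:
                start += 1
            if end - start + 1 >= GRAPH_BURST_THRESHOLD:
                flagged.add(ip)
                break
    return flagged


def analyze(records):
    """Return {ip: sorted list of rule names} across all three indicators."""
    findings = defaultdict(set)
    for r in records:
        for f in record_findings(r):
            findings[r["ipAddress"]].add(f)
    for ip in graph_burst_ips(records):
        findings[ip].add("graph-enumeration-burst")
    return {ip: sorted(v) for ip, v in findings.items()}


def _rec(ts, ip, app, resource, ua, country, upn="alice@example.test"):
    """Build one constructed sign-in record in Graph signIn field layout."""
    return {"createdDateTime": ts.isoformat().replace("+00:00", "Z"),
            "ipAddress": ip, "appDisplayName": app, "resourceDisplayName": resource,
            "userAgent": ua, "location": {"countryOrRegion": country},
            "userPrincipalName": upn}


_BASE = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
# Constructed sample: 25 Graph reads in under three minutes from one
# hosting-provider IP with the default python-requests UA, one "Microsoft
# Office" sign-in from the same IP, and one benign interactive sign-in.
SAMPLE_SIGNINS = [
    _rec(_BASE + timedelta(seconds=7 * i), "203.0.113.45", "Azure PowerShell",
         "Microsoft Graph", "python-requests/2.31.0", "NL")
    for i in range(25)
] + [
    _rec(_BASE + timedelta(minutes=10), "203.0.113.45", "Microsoft Office",
         "Microsoft Graph", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "NL"),
    _rec(_BASE + timedelta(hours=6), "198.51.100.10", "Microsoft Office",
         "Microsoft Graph", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/122.0",
         "US", upn="bob@example.test"),
]

if __name__ == "__main__":
    for ip, rules in analyze(SAMPLE_SIGNINS).items():
        print(ip, ", ".join(rules))
```

The benign record from `198.51.100.10` produces no findings, while the hosting-provider IP trips all three rules; in production the burst threshold and window should be set from a baseline of the tenant's normal Graph traffic so that legitimate automation does not page the SOC.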
## Mitigation Strategies
- **Prevention measures:**
  - Implement **Conditional Access Policies (CAPs)** to restrict administrative interface access to "Compliant" or "Hybrid Joined" devices only.
  - Enforce MFA for all directory synchronization and discovery tasks.
- **Hardening recommendations:**
  - Restrict the ability of non-admin users to register applications.
  - Limit the "User search" permissions within the Entra ID tenant settings to prevent global directory dumping by low-privileged accounts.
## Related Tools/Techniques
- **ROADtx:** An extension of ROADtools focused on specialized token exchange and browser-based authentication flows.
- **AADInternals:** A similar PowerShell-based framework for Azure AD exploitation.
- **Storm-0558 Techniques:** Use of forged tokens to access cloud services.