ROADtools, an open-source Python framework for red-teaming Azure/Entra ID environments, is being actively misused by nation-state threat actors including APT29 (Cloaked Ursa) and APT33 (Curious Serpens). Its two primary modules, roadrecon for directory enumeration and roadtx for token acquisition and device registration, let attackers establish persistence, evade defenses and conduct discovery while blending into legitimate Microsoft API traffic. Attackers abuse the OAuth device code flow to obtain tokens without a password prompt on the victim's side, and use Primary Refresh Tokens (PRTs) to request further access tokens that already satisfy MFA and conditional access checks. Defenders are advised to enable token protection in Entra ID conditional access, block or restrict the device code flow with a conditional access authentication-flows policy, audit OAuth application permissions, and monitor Microsoft Graph API logs for bulk enumeration patterns. Specific Cortex XQL hunting queries are provided for detecting device registration abuse, token misuse and Graph API enumeration activity.
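The two detection ideas in the summary, bulk directory enumeration through Graph and sign-ins completed via the device code flow, expressed as runnable Python over constructed sample telemetry. This is an added example, not code from ROADtools, from Unit 42 or from the article's XQL queries; the record field names (TimeGenerated, UserId, AppId, RequestUri, AuthenticationProtocol, ResultType) follow the Azure Monitor MicrosoftGraphActivityLogs and SigninLogs schemas as an assumption, and the app identifiers, user names and the ENUM_COLLECTIONS set are illustrative choices.

```python
"""Hunt for ROADtools-style activity in constructed Entra ID telemetry.

Added example, not part of ROADtools or the original article. Field names
follow the Azure Monitor SigninLogs / MicrosoftGraphActivityLogs schemas as
an assumption; all records below are constructed, not real logs.

Check 1: a (user, app) pair that lists many distinct directory collections
         inside a short window, the footprint of a roadrecon tenant dump.
Check 2: sign-ins that completed through the OAuth device code flow, which
         roadtx can use to obtain tokens and then register a device.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Collections a full directory dump reads (assumption; tune per tenant).
ENUM_COLLECTIONS = {
    "users", "groups", "applications", "servicePrincipals", "devices",
    "directoryRoles", "oauth2PermissionGrants", "roleManagement",
}


def _ts(s: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the samples."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def collection_of(uri: str) -> str:
    """Top-level Graph collection named by a request URI.

    '/v1.0/users?$top=999' -> 'users'; '/beta/roleManagement/...' -> 'roleManagement'.
    """
    parts = [p for p in urlparse(uri).path.split("/") if p]
    if parts and parts[0] in ("v1.0", "beta"):   # drop the API version segment
        parts = parts[1:]
    return parts[0] if parts else ""


def find_bulk_enumerators(records, window_seconds=600, min_collections=4):
    """Return {(UserId, AppId): collections} for principals that read at least
    `min_collections` distinct directory collections within any window of
    `window_seconds`. Ordinary admin work spread over hours does not trip it."""
    window = timedelta(seconds=window_seconds)
    by_principal = defaultdict(list)
    for r in records:
        coll = collection_of(r["RequestUri"])
        if r["RequestMethod"] == "GET" and coll in ENUM_COLLECTIONS:
            by_principal[(r["UserId"], r["AppId"])].append((_ts(r["TimeGenerated"]), coll))
    hits = {}
    for principal, events in by_principal.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # slide a window over sorted events
            seen = {c for t, c in events[i:] if t - start <= window}
            if len(seen) >= min_collections:
                hits[principal] = seen
                break
    return hits


def find_device_code_signins(records, successful_only=True):
    """UPNs whose sign-in used the device code flow. ResultType '0' is a
    successful sign-in; any other code is a failure (e.g. a conditional
    access block)."""
    return [
        r["UserPrincipalName"] for r in records
        if r.get("AuthenticationProtocol") == "deviceCode"
        and (not successful_only or r.get("ResultType") == "0")
    ]


def _g(ts, user, app, path):
    """Build one constructed Graph activity record."""
    return {"TimeGenerated": ts, "UserId": user, "AppId": app,
            "RequestMethod": "GET", "RequestUri": "https://graph.microsoft.com" + path}


# Constructed sample records (not real telemetry).
GRAPH_LOG = [
    # alice: five collections in eight seconds, the shape of a tenant dump
    _g("2024-05-01T10:00:01Z", "alice", "roadtools-client", "/v1.0/users?$top=999"),
    _g("2024-05-01T10:00:03Z", "alice", "roadtools-client", "/v1.0/groups?$top=999"),
    _g("2024-05-01T10:00:05Z", "alice", "roadtools-client", "/v1.0/applications?$top=999"),
    _g("2024-05-01T10:00:07Z", "alice", "roadtools-client", "/v1.0/servicePrincipals?$top=999"),
    _g("2024-05-01T10:00:09Z", "alice", "roadtools-client", "/v1.0/devices?$top=999"),
    # bob: mailbox use plus one user lookup; only one directory collection
    _g("2024-05-01T10:01:00Z", "bob", "outlook", "/v1.0/me/messages"),
    _g("2024-05-01T10:02:00Z", "bob", "outlook", "/v1.0/users/carol"),
    # carol: admin reads spread over a morning, never four in ten minutes
    _g("2024-05-01T09:00:00Z", "carol", "admin-portal", "/v1.0/users"),
    _g("2024-05-01T09:30:00Z", "carol", "admin-portal", "/v1.0/groups"),
    _g("2024-05-01T10:30:00Z", "carol", "admin-portal", "/v1.0/devices"),
    _g("2024-05-01T11:00:00Z", "carol", "admin-portal", "/v1.0/servicePrincipals"),
]

SIGNIN_LOG = [
    {"TimeGenerated": "2024-05-01T09:55:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "Microsoft Azure CLI", "AuthenticationProtocol": "deviceCode", "ResultType": "0"},
    {"TimeGenerated": "2024-05-01T09:58:00Z", "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Outlook", "AuthenticationProtocol": "none", "ResultType": "0"},
    {"TimeGenerated": "2024-05-01T10:10:00Z", "UserPrincipalName": "carol@contoso.example",
     "AppDisplayName": "Microsoft Azure CLI", "AuthenticationProtocol": "deviceCode", "ResultType": "53003"},
]

if __name__ == "__main__":
    for (user, app), colls in find_bulk_enumerators(GRAPH_LOG).items():
        print(f"bulk enumeration: user={user} app={app} collections={sorted(colls)}")
    print("device code sign-ins:", find_device_code_signins(SIGNIN_LOG))
```

Running it flags only alice/roadtools-client for enumeration and only alice's sign-in as a successful device code login; carol's device code attempt is kept out of the default result because its ResultType is non-zero, the outcome a conditional access policy that blocks the flow would produce, and it shows up only with successful_only=False. In a real hunt, join the two results on the user: a device code sign-in followed within minutes by a bulk directory read from the same principal is the roadtx-then-roadrecon sequence the article describes.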