Skip to main content
Threat IntelligenceEmerging Threats

Nation-State Actors Exploit ROADtools in Cloud Attacks

Brightly-lit server rack in a cloud computing environment with a security monitoring station in the background.

"ROADtools is a publicly available toolkit for offensive and defensive security purposes that attackers have integrated into cloud attacks," Palo Alto Networks Unit 42 reports. That dual-use origin is precisely why defenders should pay attention: the framework speaks Entra ID and Microsoft Graph, and its capabilities map directly to persistence, discovery and token-based defense evasion in cloud tenants.

How ROADtools works: roadrecon, roadtx and roadlib

ROADtools is an open-source Python framework built to interact with Microsoft Entra ID (formerly Azure AD). It has three core components: roadrecon for discovery and enumeration; roadtx for token acquisition, exchange and device registration; and roadlib, a shared library that handles low-level authentication and API requests. ROADtools uses legitimate Microsoft APIs and allows customization of request attributes such as user-agent strings, letting it mimic routine cloud traffic and evade simple signature-based detection.

roadrecon gathers users, groups, roles, devices, service principals, applications and directory configurations, writing results to a local SQLite database and exposing a graphical web interface. roadtx supports multiple OAuth 2.0/OpenID Connect flows — device code flow, refresh-token reuse, and on-behalf-of (OBO) — and can register devices in Entra ID and manipulate token lifecycles. roadlib abstracts the authentication complexity and can be pointed at different API endpoints, including custom or non-Microsoft endpoints.

Nation-state adoption and concrete cases

What began as a red-team utility has been operationalized by multiple nation-state actors. Unit 42 cites several public industry findings: Microsoft observed Cloaked Ursa using ROADtools for internal discovery in late 2021; Microsoft also reported the Iranian actor Curious Serpens using ROADtools in 2023 after password-spray access; and Volexity reported in 2025 that a state-affiliated actor it named UTA0355 registered a rogue device in Entra ID and acquired a full-access token for Microsoft Graph API — behavior that matches roadtx’s token management capabilities.

ROADtools development has fragmented. An msgraph branch exists in the official GitHub repository but had not been updated since April 2025; subsequent work continues in a community-maintained fork that has implemented partial roadrecon functionality against Microsoft Graph. That split creates inconsistent tooling behavior but does not stop attackers from enumerating accounts and resources.

Mapped attacker behaviors and MITRE techniques

Unit 42 maps ROADtools activity to specific MITRE ATT&CK techniques: device registration for persistence (T1098.005), using alternate authentication material to avoid interactive controls (T1550), and account discovery (T1087). roadtx can register devices by calling the Azure device registration API (urn:ms-drs:enterpriseregistration.windows[.]net) after authenticating with valid credentials, writing device certificates and keys to local storage. roadtx’s prt command can acquire a Primary Refresh Token (PRT), enabling silent, background token renewals that bypass multi-factor prompts. roadrecon — when pointed at Microsoft Graph with a -mg flag — can enumerate /users, /groups, /devices, /servicePrincipals and /applications and write rich metadata into the local SQLite store.

Detecting, hunting and hardening Entra ID

ROADtools is difficult to spot because it leverages normal APIs and authentication flows. Unit 42 recommends layered identity defenses and active hunting:

  • Enable Entra ID token protection to bind refresh tokens to a specific device and reduce the value of stolen refresh tokens.
  • Restrict device code flow with conditional access policies to limit risky flows where they are not needed.
  • Audit OAuth apps regularly to remove excessive delegated/application permissions that attackers target.
  • Limit standing privileges with privileged identity management (PIM) or privileged access management (PAM) to reduce damage from compromised tokens.
  • Correlate Azure audit logs, Microsoft Graph API activity logs, sign-ins and Office 365 activity in a SIEM to detect anomalous API usage.

For hunting, Unit 42 points to practical indicators: default ROADtools device-creation values (OS: Windows; OS Version: 10.0.19041.928; Name: DESKTOP-<RANDOM 8 DIGITS>), scripted user agents such as "roadtools", "python-requests/<version>", or "dirkjanm/ROADtools", bursty, repetitive Microsoft Graph queries against enumeration endpoints, and unexpected Python-based access patterns. Microsoft Entra ID Protection reports (risky sign-ins and risky users) are suggested as additional baselines for anomalous access.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Prioritize token protection, conditional access rules for device code flow, and centralized log correlation. Unit 42 recommends hunting for scripted user agents and the ROADtools default device metadata as initial high-signal checks.
  • Enterprises and procurement leaders: Evaluate cloud posture and app permissions regularly; Unit 42 highlights CSPM/CNAPP tools and the Unit 42 Cloud Security Assessment as mechanisms to find misconfigurations and attack surface issues. Palo Alto Networks customers may also use Cortex Cloud, Cortex XDR, XSIAM and Cortex Identity Threat Detection and Response as part of their defense stack.
  • End users and administrators: Expect attackers to reuse legitimate flows. Regularly review privileged app consent and report unusual device registrations or sign-in patterns to incident response teams — Unit 42 provides incident response contact channels for urgent cases.

ROADtools illustrates a broader tension: tools built to probe and protect cloud identity can be repurposed to persist, discover and move within tenants. Unit 42 has shared these findings with Cyber Threat Alliance members to accelerate protections; defenders who combine token protections, tighter conditional access and focused hunting for ROADtools’ fingerprints stand the best chance of preventing the toolkit from becoming a long-term foothold.

Read the original Unit 42 report