S0684 ROADTools
ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.[1]
Item | Value |
---|---|
ID | S0684 |
Associated Names | |
Type | TOOL |
Version | 1.0 |
Created | 18 February 2022 |
Last Modified | 01 April 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.004 | Cloud Account | ROADTools can enumerate Azure AD users.[2] |
enterprise | T1119 | Automated Collection | ROADTools automatically gathers data from Azure AD environments using the Azure Graph API.[2] |
enterprise | T1526 | Cloud Service Discovery | ROADTools can enumerate Azure AD applications and service principals.[2] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.003 | Cloud Groups | ROADTools can enumerate Azure AD groups.[2] |
enterprise | T1018 | Remote System Discovery | ROADTools can enumerate Azure AD systems and devices.[2] |
enterprise | T1078 | Valid Accounts | - |
enterprise | T1078.004 | Cloud Accounts | ROADTools leverages valid cloud credentials to perform enumeration operations using the internal Azure AD Graph API.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [3] |
References
1. Dirk-jan Mollema. (2022, January 31). ROADtools. Retrieved January 31, 2022.
2. Dirk-jan Mollema. (2020, April 16). Introducing ROADtools - The Azure AD exploration framework. Retrieved January 31, 2022.
3. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.