S0684: ROADTools
Analyst context for executives and security teams
ROADTools matters because it is a publicly available Python framework for enumerating Azure Active Directory environments. In practical terms, it can turn access to an identity provider into a map of cloud accounts, groups, services, and permissions that may help an intruder understand where to move next. For leaders, the key issue is not the tool itself but whether identity-provider activity is visible enough to distinguish legitimate administration from unusual enumeration.
Executive priority
Prioritize this as an identity and cloud visibility risk. If an incident involves valid cloud accounts, tools like ROADTools can accelerate discovery of users, groups, roles, and services, which affects containment decisions and audit evidence. Executives should ask whether security teams can review Azure Active Directory enumeration activity, tie it to authenticated identities, and prove which accounts had access during a suspected compromise.
Technical view
MITRE lists ROADTools as an Identity Provider platform tool used to enumerate Azure Active Directory environments, with relationships to discovery of remote systems, cloud groups, cloud accounts, cloud services, use of cloud accounts, and automated collection. SOC and IR teams should validate logging around identity-provider authentication, directory and group enumeration, role and permission queries, cloud service discovery, and bulk or repeated API-style reads. Because ATT&CK provides no official detection text for this object, detections should be derived from the related techniques and local baselines for normal administrative behavior.
Likely telemetry
- Identity provider sign-in and authentication logs for the account performing enumeration
- Azure Active Directory directory audit or equivalent identity-provider activity logs
- Cloud account, group, role, and permission query events where available
- Cloud service discovery or management-plane activity logs
- Source IP, user agent, application/client identifier, and session context tied to identity-provider access
Detection direction
- Baseline normal identity administration and compare against unusual account, group, role, or service enumeration patterns.
- Correlate enumeration activity with valid cloud account use, especially from unexpected users, locations, clients, or sessions.
- Tune for high-volume or broad-scope reads across users, groups, roles, services, and permissions rather than single administrative queries alone.
- Review whether logs capture enough context to distinguish sanctioned administration from automated framework-driven enumeration.
- Use the APT29 relationship as threat-intelligence context only; do not treat ROADTools presence or ROADTools-like behavior as attribution by itself.
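The detection direction above (baseline comparison, correlation with the account and client used, and tuning for broad-scope reads rather than single queries) can be turned into a small triage script. The following is an added example, not ROADTools code and not part of the MITRE object; the JSON-lines log schema (`ts`, `actor`, `session`, `ip`, `client`, `resource`, `count`), the sample records, and the per-actor baseline are all constructed for illustration and must be mapped to the field names of your own identity-provider export.

```python
"""Flag broad-scope directory enumeration in identity-provider audit logs.

Added example: not ROADTools code and not a MITRE artifact. The log schema
below is constructed for illustration; map the field names to your own
identity-provider export before use.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read categories that, taken together, resemble directory enumeration.
# A single administrative query usually touches one category; framework-driven
# enumeration tends to sweep several within a short window.
ENUM_CATEGORIES = {"users", "groups", "roles", "servicePrincipals", "devices", "applications"}

# Constructed sample log: one ordinary admin session (s1) and one broad sweep (s2).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-05-01T09:00:00Z", "actor": "admin@example.test", "session": "s1",
     "ip": "203.0.113.10", "client": "portal", "resource": "users", "count": 1},
    {"ts": "2024-05-01T09:02:00Z", "actor": "admin@example.test", "session": "s1",
     "ip": "203.0.113.10", "client": "portal", "resource": "groups", "count": 1},
    {"ts": "2024-05-01T13:00:00Z", "actor": "svc-app@example.test", "session": "s2",
     "ip": "198.51.100.7", "client": "python-requests", "resource": "users", "count": 1200},
    {"ts": "2024-05-01T13:00:30Z", "actor": "svc-app@example.test", "session": "s2",
     "ip": "198.51.100.7", "client": "python-requests", "resource": "groups", "count": 300},
    {"ts": "2024-05-01T13:01:00Z", "actor": "svc-app@example.test", "session": "s2",
     "ip": "198.51.100.7", "client": "python-requests", "resource": "servicePrincipals", "count": 450},
    {"ts": "2024-05-01T13:01:20Z", "actor": "svc-app@example.test", "session": "s2",
     "ip": "198.51.100.7", "client": "python-requests", "resource": "roles", "count": 80},
    {"ts": "2024-05-01T13:01:40Z", "actor": "svc-app@example.test", "session": "s2",
     "ip": "198.51.100.7", "client": "python-requests", "resource": "devices", "count": 900},
])

# Constructed baseline: the clients and read categories each identity normally uses.
BASELINE = {
    "admin@example.test": {"clients": {"portal"}, "resources": {"users", "groups", "roles"}},
    "svc-app@example.test": {"clients": {"app-backend"}, "resources": {"applications"}},
}


def parse_events(jsonl):
    """Parse a JSON-lines audit export into dicts with a datetime timestamp."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_enumeration(events, baseline, window=timedelta(minutes=10),
                     min_categories=3, min_objects=500):
    """Return one finding per (actor, session) whose reads look like a sweep.

    A session is flagged when, within `window`, it reads at least `min_categories`
    distinct directory object types or at least `min_objects` objects in total.
    Deviations from the per-actor baseline (unbaselined client or resource types)
    are attached as extra reasons so the analyst sees why the session is unusual.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session[(e["actor"], e["session"])].append(e)

    findings = []
    for (actor, session), evs in by_session.items():
        # Sliding window over the session's events, oldest to newest.
        for i, start in enumerate(evs):
            window_evs = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            cats = {e["resource"] for e in window_evs} & ENUM_CATEGORIES
            total = sum(e["count"] for e in window_evs)
            if len(cats) < min_categories and total < min_objects:
                continue
            reasons = []
            if len(cats) >= min_categories:
                reasons.append(f"{len(cats)} object types read within {window}")
            if total >= min_objects:
                reasons.append(f"{total} objects read within {window}")
            base = baseline.get(actor, {"clients": set(), "resources": set()})
            new_clients = {e["client"] for e in window_evs} - base["clients"]
            if new_clients:
                reasons.append(f"unbaselined client(s): {sorted(new_clients)}")
            new_resources = cats - base["resources"]
            if new_resources:
                reasons.append(f"unbaselined resource types: {sorted(new_resources)}")
            findings.append({"actor": actor, "session": session,
                             "ip": start["ip"], "reasons": reasons})
            break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_enumeration(parse_events(SAMPLE_LOG), BASELINE):
        print(f["actor"], f["session"], f["ip"], "; ".join(f["reasons"]))
```

On the sample data the ordinary admin session reads two object types with a handful of results and is left alone, while the service-account session reads five object types and thousands of objects from an unbaselined client and is reported with each reason spelled out. The thresholds and window are starting points to tune against your own administrative baseline; the point of attaching the baseline deviations is to give the analyst the context the last two bullets ask for, not to treat any one signal as conclusive.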
Mitigation priorities
- Ensure identity-provider logging is enabled, retained, and accessible to SOC and incident response teams.
- Apply least privilege to cloud and identity administration roles so ordinary accounts cannot enumerate more than business need requires.
- Review cloud account and group permissions regularly, especially privileged groups and role assignments.
- Require strong controls for cloud accounts, including monitoring of privileged and administrative identities.
- Prepare IR playbooks for suspected cloud account compromise that include review of account, group, role, and service enumeration activity.
Analyst notes and limits
The supplied ATT&CK object identifies ROADTools as a public Azure Active Directory enumeration framework and links it to cloud and identity discovery techniques. The most useful defensive angle is validating identity-provider telemetry and permissions governance, not trying to block a single tool name.
MITRE provides no official detection guidance for this object, no tactics on the tool object itself, and no aliases or labels. Assessment of exposure requires local evidence such as enabled identity-provider logs, administrative baselines, retention, and cloud account permission design.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1018 | Remote System Discovery | ROADTools can enumerate Azure AD systems and devices. [1] |
| Enterprise | T1119 | Automated Collection | ROADTools automatically gathers data from Azure AD environments using the Azure Graph API. [1] |
| Enterprise | T1526 | Cloud Service Discovery | ROADTools can enumerate Azure AD applications and service principals. [1] |
| Enterprise | T1087.004 | Cloud Account Sub-technique | ROADTools can enumerate Azure AD users. [1] |
| Enterprise | T1069.003 | Cloud Groups Sub-technique | ROADTools can enumerate Azure AD groups. [1] |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | ROADTools leverages valid cloud credentials to perform enumeration operations using the internal Azure AD Graph API. [1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6d7ebc41a960… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Dirk-jan Mollema. (2022, January 31). ROADtools (ROADtools GitHub). Retrieved January 31, 2022.
[2] MITRE ATT&CK. S0684: ROADTools (mitre-attack source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.