Nation-state actors, including APT29 (Midnight Blizzard), APT33 (Curious Serpens), and UTA0355, are weaponizing the open-source ROADtools framework to compromise Microsoft Entra ID environments. Attackers exploit permissive Intune enrollment settings and poor identity hygiene to register rogue, attacker-controlled devices as legitimate corporate assets via administrative API calls. This process allows the acquisition of Primary Refresh Tokens (PRTs), which enable the bypass of Multi-Factor Authentication (MFA) by satisfying Conditional Access policies that trust managed devices. This technique provides high-persistence cloud access and allows malicious activity to blend with standard administrative operations, facilitating stealthy lateral movement and data exfiltration.

  • Threat Actor Profile: Tooling Evolution

    • Shift from custom malware to the weaponization of ROADtools, an open-source cloud identity framework originally intended for red-teaming.
    • Attributed usage by high-tier groups: APT29 (Russia), APT33 (Iran), and UTA0355.
    • Transition toward "living-off-the-cloud" techniques that prioritize legitimate API calls over binary payloads to evade EDR/AV.
  • Technical Vector: Rogue Device Registration

    • Exploitation of over-privileged service accounts or compromised credentials to interact with Entra ID and Microsoft Intune APIs.
    • Use of ROADtools to register unauthorized devices as managed assets within the target tenant.
    • Leveraging permissive "Device Join" permissions that allow non-administrative users or compromised accounts to enroll new hardware.
  • Identity Abuse: PRT Acquisition and MFA Bypass

    • Generation of a Primary Refresh Token (PRT) following successful rogue device registration.
    • Spoofing of device identity to satisfy Conditional Access (CA) policies requiring "Compliant" or "Hybrid Joined" status.
    • Complete neutralization of MFA requirements, as the identity provider recognizes the session as originating from a trusted, managed corporate device.
  • Operational Impact: Stealth and Persistence

    • High-persistence access that survives password resets if the rogue device remains registered in the tenant.
    • Mimicry of standard administrative traffic, rendering traditional SOC detection logic based on "impossible travel" or "unusual login" less effective.
    • Ability to perform large-scale identity enumeration and privilege escalation within the cloud infrastructure.
  • Defensive Strategy: Hardening and Detection

    • Implementing strict Conditional Access policies that require more than just device compliance (e.g., combining compliance with trusted IP ranges).
    • Restricting the ability to register devices in Entra ID to a limited set of authorized administrative accounts.
    • Monitoring for anomalous DeviceRegistration events and auditing PRT requests originating from unexpected hardware IDs or non-standard device fingerprints.
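As an added example (not code from Unit 42 or from this briefing), a small Python hunt over constructed Entra ID audit-log records that implements the last bullet: it flags "Register device" events initiated by accounts outside an assumed allow-list, and bursts of registrations by one account within a clock hour. The record schema approximates Microsoft Graph directoryAudits fields; the allow-list, threshold and sample accounts are assumptions for a hypothetical tenant.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records; field names approximate Entra ID audit-log
# (Microsoft Graph directoryAudits) entries and are not copied from any tenant.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-05-01T09:05:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "intune-admin@example.com"}},
     "targetResources": [{"displayName": "LAPTOP-0042"}]},
    {"activityDateTime": "2024-05-01T09:30:00Z", "activityDisplayName": "Update device",
     "initiatedBy": {"user": {"userPrincipalName": "intune-admin@example.com"}},
     "targetResources": [{"displayName": "LAPTOP-0042"}]},
    {"activityDateTime": "2024-05-01T10:02:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com"}},
     "targetResources": [{"displayName": "WIN-AAAA"}]},
    {"activityDateTime": "2024-05-01T10:17:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com"}},
     "targetResources": [{"displayName": "WIN-BBBB"}]},
    {"activityDateTime": "2024-05-01T10:41:00Z", "activityDisplayName": "Register device",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@example.com"}},
     "targetResources": [{"displayName": "WIN-CCCC"}]},
]

# Assumed allow-list for a hypothetical tenant: once device registration is
# restricted to a small set of admin accounts, anyone else registering is a finding.
AUTHORIZED_REGISTRARS = {"intune-admin@example.com"}
BURST_THRESHOLD = 3  # registrations by one account within one clock hour


def find_anomalous_registrations(records, authorized=AUTHORIZED_REGISTRARS,
                                 burst=BURST_THRESHOLD):
    """Return (reason, upn, detail) tuples for suspicious 'Register device' events."""
    findings = []
    per_user_hour = Counter()
    for rec in records:
        if rec.get("activityDisplayName") != "Register device":
            continue  # only device registrations are in scope for this hunt
        upn = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        targets = rec.get("targetResources") or [{}]
        device = targets[0].get("displayName", "<unknown>")
        if upn not in authorized:
            findings.append(("unauthorized_registrar", upn, device))
        ts = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        hour = (upn, ts.strftime("%Y-%m-%dT%H"))
        per_user_hour[hour] += 1
        if per_user_hour[hour] == burst:  # fire once per account per hour
            findings.append(("registration_burst", upn, f"{burst} registrations in hour {hour[1]}"))
    return findings


if __name__ == "__main__":
    for reason, upn, detail in find_anomalous_registrations(SAMPLE_AUDIT_LOG):
        print(f"{reason:24} {upn:28} {detail}")
```

In a real tenant the records would come from the directoryAudits endpoint or a SIEM export, and the allow-list should mirror the accounts actually permitted to join devices.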
