Skill UI

ROADtools is a comprehensive offensive toolkit for Microsoft Entra ID (Azure AD). It consists of ROADrecon for offline directory enumeration (users, groups, roles, policies) and roadtx for advanced token acquisition and exchange. It is designed for authorized red-teaming and penetration testing to discover attack paths and pivot tokens across various Microsoft resources.

This skill provides advanced threat hunting logic for Microsoft Sentinel/Log Analytics. It analyzes both AADGraphActivityLogs and MicrosoftGraphActivityLogs to detect the unique fingerprints and behavioral patterns left by offensive Entra ID tools (like ROADtools, AADInternals, and AzureHound). It detects specific User-Agent strings and characteristic endpoint-sweep patterns, even when tool authors attempt to spoof headers, helping SOC teams identify valid account-based adversary activity (MITRE T1078.004).