
Detecting Azure AD Enumeration: ROADrecon, AADInternals & Closing Visibility Gaps

Security Arsenal Team
June 19, 2026
6 min read

For years, security operations centers (SOCs) have fought a battle of shadows in the cloud. While we are good at detecting on-premises lateral movement, Azure Active Directory (Azure AD, now Entra ID) has remained a blind spot for specific post-exploitation tooling. Attackers rarely stop at initial access; they immediately map the tenant to identify high-value targets, and that mapping is nothing but a burst of authenticated directory reads.

The recent update from Elastic Security Labs addresses this visibility gap by integrating Azure AD Graph Activity Logs with Elastic Common Schema (ECS) parsing. This is more than a data ingestion improvement: it gives defenders a normalized view of the API calls that enumeration tools such as ROADrecon and AADInternals generate, so the pattern of an attacker casing a tenant can finally be written down as a detection rule.

Technical Analysis

Affected Platform: Microsoft Azure AD (Entra ID). Detection depends on ingesting the tenant's SignInLogs, AuditLogs and Graph activity logs into the Elastic Stack (or another SIEM). AuditLogs alone is not sufficient: it records directory changes, not the read operations these tools generate.

The Threat: Enumeration and Privilege Escalation Discovery

The news highlights detection coverage for two distinct, widely used offensive tools:

  1. ROADrecon: A Python tool (part of dirkjanm's ROADtools) that authenticates to a tenant and interrogates the legacy Azure AD Graph API. It dumps the directory state of the tenant, including users, groups, roles, applications, service principals and devices, into a local database so the attacker can search offline for privilege escalation paths.
  2. AADInternals: A PowerShell module used by red teams and real adversaries alike to enumerate and manipulate Azure AD and Office 365. It covers everything from unauthenticated tenant reconnaissance to backdoor creation and persistence mechanisms, and every one of its cmdlets carries the AADInt noun prefix (for example Get-AADIntTenantDetails).

Why This Matters

Legacy detection mechanisms often failed here because these tools use legitimate, authenticated API calls. To a log source that only records that a sign-in succeeded, a ROADrecon run looks like an administrator syncing a directory. What differs is the volume, the breadth (every collection in the tenant) and the sequence of the requests, none of which resembles routine administration. Elastic's ECS normalization of the Graph activity logs lets analysts write correlation rules that separate the "sprint" of enumeration from the "marathon" of normal admin activity.

Exploitation Status

There is no CVE here. This is a living-off-the-land (LotL) scenario in which attackers abuse legitimate directory functionality. Use of these tools after credential theft is routine: in phishing campaigns, harvested credentials are typically enumerated within minutes to establish the account's value (for example, whether it holds Global Administrator).

Detection & Response

The key to hunting these threats is context. You are looking either for a single identity performing a high volume of read operations against directory objects in a short timeframe (visible only in the tenant's Graph activity logs, since AuditLogs records changes, not reads) or for the explicit invocation of the offensive tooling itself on an endpoint. Bear in mind that ROADrecon is usually run from attacker-controlled infrastructure, so the endpoint rules below catch insider or compromised-workstation use; the tenant-side telemetry is the primary control.

Sigma Rules

YAML
---
title: Azure AD Enumeration via AADInternals PowerShell Module
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects import or use of the AADInternals PowerShell module, commonly used for Azure AD enumeration and exploitation. All AADInternals cmdlets carry the AADInt noun prefix, so the verb-prefix pairs below cover the module regardless of which function is called.
references:
  - https://github.com/Gerenios/AADInternals
  - https://www.elastic.co/security-labs/aad-graph-activity-logs-threat-detection
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.execution
  - attack.t1059.001
  - attack.discovery
  - attack.t1087.004
logsource:
  category: process_creation
  product: windows
detection:
  selection_module:
    CommandLine|contains:
      - 'Import-Module AADInternals'
      - 'Install-Module AADInternals'
  selection_cmdlet:
    CommandLine|contains:
      - 'Get-AADInt'
      - 'Invoke-AADInt'
      - 'Export-AADInt'
      - 'Set-AADInt'
      - 'New-AADInt'
  condition: 1 of selection*
falsepositives:
  - Legitimate Azure AD administration by authorized IT staff (rare on standard endpoints)
level: high
---
title: ROADrecon Execution on Windows Endpoint
id: 9c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects execution of ROADrecon (part of ROADtools), a Python tool that authenticates to a tenant and dumps its Azure AD directory state to a local database. Covers the pip-installed console entry point (roadrecon.exe), its subcommands, and invocation through a Python interpreter.
references:
  - https://github.com/dirkjanm/ROADtools
  - https://www.elastic.co/security-labs/aad-graph-activity-logs-threat-detection
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.discovery
  - attack.t1087.004
  - attack.execution
  - attack.t1059.006
logsource:
  category: process_creation
  product: windows
detection:
  selection_exe:
    Image|endswith: '\roadrecon.exe'
  selection_cmdline:
    CommandLine|contains:
      - 'roadrecon auth'
      - 'roadrecon gather'
      - 'roadrecon gui'
      - 'roadrecon plugin'
  selection_python:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
    CommandLine|contains: 'roadrecon'
  condition: 1 of selection*
falsepositives:
  - Rare; investigate unless performed by a known security administrator during an authorized assessment.
level: high

KQL (Microsoft Sentinel)

This query hunts for the high-volume enumeration pattern typical of ROADrecon usage by aggregating directory read requests per caller in 5-minute windows. It runs against the Graph activity log table rather than AuditLogs: AuditLogs records directory changes (Add user, Update group, and so on) and never sees a read, so a query for "List users" there would never fire.

KQL — Microsoft Sentinel
// AuditLogs only records directory changes; Graph read requests never appear
// there. Volume-based enumeration hunting needs a Graph activity table.
// MicrosoftGraphActivityLogs covers Microsoft Graph requests. ROADrecon's
// legacy Azure AD Graph (graph.windows.net) requests only become visible once
// the Azure AD Graph activity logs discussed above are ingested; that table is
// not assumed here.
let Threshold = 50;
MicrosoftGraphActivityLogs
| where RequestMethod == "GET"
| where RequestUri has_any ("/users", "/groups", "/directoryRoles", "/servicePrincipals",
    "/applications", "/devices", "/roleManagement")
// App-only tokens carry no UserId; fall back to the service principal.
| extend Caller = iff(isnotempty(UserId), tostring(UserId), tostring(ServicePrincipalId))
| summarize Requests = count(),
            DistinctUris = dcount(RequestUri),
            UserAgents = make_set(UserAgent, 5),
            SourceIPs = make_set(IPAddress, 5)
    by Caller, AppId, bin(TimeGenerated, 5m)
| where Requests > Threshold
| project TimeGenerated, Caller, AppId, Requests, DistinctUris, UserAgents, SourceIPs
| order by Requests desc
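The aggregation the KQL performs, carried out offline in Python over constructed Microsoft Graph activity records so the sprint-versus-marathon distinction can be seen without a tenant. This is an added example, not code from the original post or from Elastic's rule set; the record fields follow MicrosoftGraphActivityLogs column names, and the object IDs and app IDs are placeholders.

```python
"""Offline version of the enumeration-burst hunt: bucket directory read requests
per caller into fixed 5-minute windows and flag windows whose request count
exceeds a threshold, the "sprint" of a dump tool against the "marathon" of an
admin's steady trickle. Added example; the records are constructed in the shape
of MicrosoftGraphActivityLogs rows and are not real tenant data."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Directory collections a tenant dump walks; mirrors the has_any() list in the KQL.
DIRECTORY_PATHS = ("/users", "/groups", "/directoryRoles", "/servicePrincipals",
                   "/applications", "/devices", "/roleManagement")
WINDOW = timedelta(minutes=5)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def is_directory_read(rec):
    """True for GET requests whose path touches one of the directory collections."""
    path = urlparse(rec["RequestUri"]).path
    return rec["RequestMethod"] == "GET" and any(seg in path for seg in DIRECTORY_PATHS)


def bin_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its fixed window, like KQL bin()."""
    return EPOCH + ((ts - EPOCH) // window) * window


def find_bursts(records, threshold=50, window=WINDOW):
    """Group directory reads by (caller, app, window) and return the groups whose
    request count exceeds `threshold`, highest volume first. The caller is the
    UserId when present, otherwise the ServicePrincipalId (app-only tokens)."""
    groups = defaultdict(list)
    for rec in records:
        if not is_directory_read(rec):
            continue
        caller = rec.get("UserId") or rec.get("ServicePrincipalId") or "unknown"
        ts = datetime.fromisoformat(rec["TimeGenerated"])
        key = (caller, rec["AppId"], bin_start(ts, window))
        groups[key].append(urlparse(rec["RequestUri"]).path)
    bursts = [
        {"caller": caller, "app_id": app, "window_start": start,
         "requests": len(paths), "distinct_paths": len(set(paths))}
        for (caller, app, start), paths in groups.items() if len(paths) > threshold
    ]
    return sorted(bursts, key=lambda b: b["requests"], reverse=True)


def constructed_records():
    """Constructed sample: one harvested account paging through six collections in
    two minutes (the sprint), one admin reading every four minutes for two hours
    (the marathon) plus a few writes, which AuditLogs would record but this hunt
    deliberately ignores. Object IDs and app IDs are placeholders."""
    t0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    recs = []
    for i in range(120):  # sprint: 120 paged reads across 6 collections in 120 seconds
        recs.append({
            "TimeGenerated": (t0 + timedelta(seconds=i)).isoformat(),
            "RequestMethod": "GET",
            "RequestUri": f"https://graph.microsoft.com/v1.0{DIRECTORY_PATHS[i % 6]}?$top=999&$skiptoken=p{i}",
            "UserId": "victim-user-object-id", "ServicePrincipalId": "",
            "AppId": "constructed-app-id-attacker-client",
        })
    for k in range(30):  # marathon: one targeted read every 4 minutes
        recs.append({
            "TimeGenerated": (t0 + timedelta(minutes=4 * k)).isoformat(),
            "RequestMethod": "GET",
            "RequestUri": f"https://graph.microsoft.com/v1.0{DIRECTORY_PATHS[k % 2]}/obj-{k}",
            "UserId": "admin-user-object-id", "ServicePrincipalId": "",
            "AppId": "constructed-app-id-admin-portal",
        })
    for k in range(3):  # writes: excluded by the GET filter
        recs.append({
            "TimeGenerated": (t0 + timedelta(minutes=10 * k)).isoformat(),
            "RequestMethod": "PATCH",
            "RequestUri": f"https://graph.microsoft.com/v1.0/users/obj-{k}",
            "UserId": "admin-user-object-id", "ServicePrincipalId": "",
            "AppId": "constructed-app-id-admin-portal",
        })
    return recs


if __name__ == "__main__":
    for b in find_bursts(constructed_records()):
        print(f"{b['window_start']:%H:%M} caller={b['caller']} app={b['app_id']} "
              f"requests={b['requests']} distinct_paths={b['distinct_paths']}")
```

Only the victim account's 09:00 window crosses the threshold; the admin never exceeds two reads per window even though it touches the same collections. The distinct_paths column is the cheap breadth signal worth adding to the KQL: a dump tool walks every collection, an administrator fixing one object does not.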

Velociraptor VQL

Hunt for ROADrecon or AADInternals artifacts on disk and in the process list of endpoints.

VQL — Velociraptor
-- Part 1: on-disk copies of the AADInternals module in the standard PowerShell
-- module paths. glob() returns the file metadata columns directly (Btime, Mtime,
-- Size, IsDir); hashes come from hash(), they are not glob() columns.
SELECT OSPath,
       Size,
       Btime AS CreationTime,
       Mtime AS ModifiedTime,
       hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs=[
       "C:/Program Files/WindowsPowerShell/Modules/AADInternals/**",
       "C:/Program Files/PowerShell/Modules/AADInternals/**",
       "C:/Users/*/Documents/WindowsPowerShell/Modules/AADInternals/**",
       "C:/Users/*/Documents/PowerShell/Modules/AADInternals/**"])
WHERE NOT IsDir

-- Part 2: running interpreters with the tooling on the command line. VQL has no
-- UNION, so this runs as a second query (or a second artifact source).
SELECT Pid, Name, Username, Exe, CommandLine
FROM pslist()
WHERE (Name =~ "^python" AND CommandLine =~ "roadrecon")
   OR (Name =~ "^(powershell|pwsh)" AND CommandLine =~ "AADInt")

Remediation Audit Script (PowerShell)

This read-only script checks that enabled Conditional Access policies exist, that at least one of them actually requires MFA for directory roles, and lists the active Global Administrator assignments an enumeration tool would be hunting for. It changes nothing; the fixes are applied through Conditional Access and PIM.

PowerShell
<#
.SYNOPSIS
    Audits an Azure AD (Entra ID) tenant for the controls that blunt enumeration tooling.
.DESCRIPTION
    Read-only check: confirms that enabled Conditional Access policies exist, that at least
    one of them requires MFA (or an authentication strength) for directory roles, and lists
    active Global Administrator assignments. Requires the Microsoft.Graph PowerShell SDK.
#>

Connect-MgGraph -Scopes "Policy.Read.All", "RoleManagement.Read.Directory", "Directory.Read.All"

Write-Host "[+] Checking Conditional Access Policies..." -ForegroundColor Cyan

$policies = Get-MgIdentityConditionalAccessPolicy -All
$enforcedPolicies = @($policies | Where-Object { $_.State -eq "enabled" })

if ($enforcedPolicies.Count -lt 1) {
    Write-Host "[!] CRITICAL: No enabled Conditional Access policies found." -ForegroundColor Red
} else {
    Write-Host "[+] Found $($enforcedPolicies.Count) enabled policies." -ForegroundColor Green
    # A role-scoped policy only protects admins if its grant control requires MFA
    # (or an authentication strength); a role scope on its own proves nothing.
    $mfaPolicy = $enforcedPolicies | Where-Object {
        $_.Conditions.Users.IncludeRoles -and
        ($_.GrantControls.BuiltInControls -contains "mfa" -or $_.GrantControls.AuthenticationStrength)
    }
    if ($mfaPolicy) {
        Write-Host "[+] Enabled policy requiring MFA for directory roles: $($mfaPolicy.DisplayName -join ', ')" -ForegroundColor Green
    } else {
        Write-Host "[!] WARNING: No enabled policy requires MFA for directory roles (including Global Administrator)." -ForegroundColor Yellow
    }
}

Write-Host "[+] Auditing Global Admins..." -ForegroundColor Cyan

$roleName = "Global Administrator"
$roleId = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'").Id

# Active assignments only; PIM-eligible assignments are not returned by this cmdlet.
$admins = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" -All)

Write-Host "[+] Found $($admins.Count) active Global Administrator assignments. Ensure each is MFA-protected and PIM-managed." -ForegroundColor Yellow
$admins | ForEach-Object { Write-Host "    - PrincipalId: $($_.PrincipalId)" }

Disconnect-MgGraph
Write-Host "[+] Remediation check complete." -ForegroundColor Green

Remediation

Since this issue relates to abuse of legitimate APIs, the fix is configuration hardening rather than patching.

  1. Ingest Logs: Forward SignInLogs, AuditLogs and the Graph activity logs from Azure AD to your SIEM (Elastic, Sentinel, Splunk) now; this is the prerequisite for detection. AuditLogs alone is not enough, because it records directory changes while enumeration consists of reads that only the Graph activity logs capture.
  2. Enable Conditional Access: Implement policies that block the management portals (Azure Portal, Microsoft 365 Admin Center) from untrusted locations or unmanaged devices. Note that a portal-only policy does not stop direct API access; to keep ROADrecon and AADInternals off unmanaged machines, the policy has to target all cloud apps and require a compliant or hybrid-joined device.
  3. Restrict API Access: The Conditional Access "client apps" condition distinguishes browsers, modern-authentication clients, Exchange ActiveSync and legacy clients; it does not see user agents, and both tools authenticate as legitimate modern-auth clients, so a user-agent block is not an option. Block legacy authentication outright and require MFA plus a managed device for every client type.
  4. Review Privileged Roles: Audit Global Admins and other privileged role assignments. These accounts are exactly what ROADrecon searches for; reducing their number limits the damage a successful enumeration enables.
  5. Investigate Alerts: If the detection rules above fire, assume the associated credential is compromised. Force a password reset, revoke all active refresh tokens immediately, and review AuditLogs for changes made by the account, since AADInternals can create persistence as easily as it enumerates.
