detecting-entra-offensive-tools-in-graph-logs
Detecting Entra Offensive Tools in Graph Logs
Overview
For nearly a decade the legacy Azure AD Graph API (graph.windows.net) was a defender blind spot: requests to it produced no first-class activity log, so tools like ROADtools (roadrecon) and AADInternals — which lean heavily on AAD Graph — could enumerate an entire tenant with little trace. That changed when Microsoft shipped AADGraphActivityLogs (general availability in 2026), the counterpart to the already-available MicrosoftGraphActivityLogs (graph.microsoft.com). Together these two tables give SOCs request-level visibility into directory API traffic: the caller identity, app, source IP, HTTP method, request URI, and crucially the User-Agent.
This skill is the defensive complement to offensive Entra tooling. It hunts the two Graph activity tables for the behavioral and string fingerprints those tools leave behind. Many operators forget to spoof the User-Agent, so ROADtools (built on Python's aiohttp) emits a User-Agent like Python/3.12 aiohttp/3.10.4, and AADInternals frequently leaves AADInternals or library strings in the agent. Even when the agent is spoofed, the tools betray themselves through a characteristic endpoint-sweep pattern: roadrecon gather pulls users, groups, applications, serviceprincipals, devices, directoryroles, roledefinitions, oauth2permissiongrants, and more within a tight time window — a signature that survives header spoofing.
The activity being detected maps to MITRE ATT&CK T1078.004 – Valid Accounts: Cloud Accounts: an adversary using legitimate (often phished or token-stolen) cloud credentials to enumerate and operate against the tenant via the Graph APIs. These detections both surface live intrusions and validate that the offensive techniques in the companion red-team skills are observable.
When to Use
- Building or tuning detections for Microsoft Sentinel / Log Analytics covering Entra ID
- Threat hunting after suspected credential theft, device-code phishing, or OAuth consent abuse
- Purple-team exercises validating that ROADtools/AADInternals/AzureHound activity is detectable
- Investigating an alert and needing to correlate Graph API calls back to a sign-in/session
- Closing the legacy Azure AD Graph visibility gap after enabling AADGraphActivityLogs