@_dirkjan
Dirk-jan
4 years
Another blog on the Primary Refresh Token! Thx @gentilkiwi for figuring this out with me! Tl;Dr: PRT can be extracted from lsass with #mimikatz 🥝. If with TPM, session key is protected. Still possible to extract derived keys and sign your own PRT cookies.

Replies

@_dirkjan
Dirk-jan
4 years
Oh and Credential Guard doesn't seem to protect CloudAP, so even with that on this is possible 🤷🏼‍♂️
@_mohemiv
Arseniy Sharoglazov
4 years
@_dirkjan @gentilkiwi I learned some pretty useful reversing techniques from this post! It's interesting for everyone, not only for Azure AD folks 😀
@_dirkjan
Dirk-jan
4 years
@_mohemiv @gentilkiwi Glad to hear it's useful! And hope you picked up some Azure AD knowledge too ;)
@cnotin
Clément Notin
4 years
@_dirkjan @gentilkiwi Pssst! Looks like the Credential Guard screenshot is 404 ;)
@_dirkjan
Dirk-jan
4 years
@cnotin @gentilkiwi Thx, forgot to fix that before the release, fixed now!
@scootage
Scott Levick
4 years
@_dirkjan @NathanMcNulty @gentilkiwi Could the same technique be used on a personal Win10 device that has a work account added?
@pzerger
pzerger
4 years
@_dirkjan @gentilkiwi @Alex_A_Simons Anyone from your part of the MSFT org who can offer some perspective on this?
@chiragsavla94
Chirag Savla
4 years
@ThomasVrhydn
Thms Vrhydn
4 years
@_dirkjan @gentilkiwi Very interesting to read, thanks!