
Introduction
Primary Refresh Tokens (PRTs) are a critical component of Azure Active Directory (Azure AD) authentication, enabling seamless single sign-on (SSO) for hybrid environments. However, attackers can weaponize PRTs to bypass multi-factor authentication (MFA) and pivot from on-premises systems to cloud resources. This article explores the “Pass-the-PRT” attack, its implications, and mitigation strategies.
Learning Objectives
- Understand how PRTs are abused for lateral movement in hybrid environments.
- Learn detection techniques for PRT-based attacks.
- Apply hardening measures to protect Azure AD-joined devices.
You Should Know
1. Extracting PRTs from Azure AD-Joined Devices
Command (Windows):
Dump the PRT from Windows Credential Manager via Mimikatz:
mimikatz.exe "privilege::debug" "token::elevate" "dpapi::cloudapkd /keyvalue"
Steps:
- Gain administrative access to an Azure AD-joined Windows device.
- Use Mimikatz to extract the PRT stored in the Local Security Authority (LSA).
- The PRT can then be used to request Azure AD access tokens silently.
2. Forging PRT Cookies for Cloud Access
Tool: ROADToken (Python)
python roadtoken.py --prt <stolen_prt> --tenant-id <azure_tenant_id> --resource https://graph.microsoft.com
Steps:
1. Capture a PRT from a compromised device.
2. Use ROADToken to generate a session cookie for Azure AD.
3. Authenticate to Microsoft Graph API or other cloud services without MFA prompts.
3. Detecting PRT Theft with Azure AD Logs
KQL Query (Azure Sentinel):
CloudAppEvents
| where ActionType == "CookieAdded" and Application == "Microsoft Office"
| where SessionIdType == "PrimaryRefreshToken"
| summarize count() by IPAddress, UserAgent
Steps:
- Monitor Azure AD sign-in logs for suspicious PRT-based authentications.
- Alert on anomalous IPs or user agents accessing cloud resources.
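The detection idea above, worked through in Python over constructed sign-in records; this is an added example, not code from the original post or from any tool it names. The record field names and the "PRT is bound to one device" rule are assumptions of this example, not the exact Azure AD sign-in log schema.

```python
"""Flag PRT-backed sign-ins whose source IP or user agent was never seen for
that Azure AD device. Field names are assumptions for this added example,
not the exact Azure AD sign-in log schema."""
import json
from collections import defaultdict

# Constructed sample records: a learning day, then two later events, one of
# which reuses dev-1's PRT from an unfamiliar host and client.
SAMPLE_LOG = """
{"ts":"2024-05-01T08:00:00Z","user":"alice@contoso.example","deviceId":"dev-1","ip":"203.0.113.10","userAgent":"Windows NT 10.0; WAM","tokenType":"PrimaryRefreshToken"}
{"ts":"2024-05-01T09:00:00Z","user":"alice@contoso.example","deviceId":"dev-1","ip":"203.0.113.10","userAgent":"Windows NT 10.0; WAM","tokenType":"PrimaryRefreshToken"}
{"ts":"2024-05-02T08:05:00Z","user":"alice@contoso.example","deviceId":"dev-1","ip":"203.0.113.10","userAgent":"Windows NT 10.0; WAM","tokenType":"PrimaryRefreshToken"}
{"ts":"2024-05-02T08:30:00Z","user":"alice@contoso.example","deviceId":"dev-1","ip":"198.51.100.7","userAgent":"python-requests/2.31","tokenType":"PrimaryRefreshToken"}
{"ts":"2024-05-02T08:40:00Z","user":"bob@contoso.example","deviceId":"dev-2","ip":"198.51.100.9","userAgent":"Mozilla/5.0","tokenType":"Password"}
"""

def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_baseline(events, cutoff):
    """Map each deviceId to the (ip, userAgent) pairs it used before cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["tokenType"] == "PrimaryRefreshToken":
            seen[e["deviceId"]].add((e["ip"], e["userAgent"]))
    return seen

def find_suspicious_prt_use(events, cutoff):
    """Return PRT sign-ins at or after cutoff from an (ip, userAgent) that is new
    for the device. A PRT is bound to one machine, so the same device's token
    arriving from an unfamiliar host is the trace Pass-the-PRT leaves behind."""
    baseline = build_baseline(events, cutoff)
    return [
        e for e in events
        if e["ts"] >= cutoff and e["tokenType"] == "PrimaryRefreshToken"
        and (e["ip"], e["userAgent"]) not in baseline.get(e["deviceId"], set())
    ]

def summarize(hits):
    """Mirror the KQL summarize step: count novel PRT sign-ins per (ip, userAgent)."""
    counts = defaultdict(int)
    for e in hits:
        counts[(e["ip"], e["userAgent"])] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = find_suspicious_prt_use(parse_log(SAMPLE_LOG), "2024-05-02T00:00:00Z")
    for e in hits:
        print(f"ALERT {e['ts']} {e['user']} {e['deviceId']} from {e['ip']} ({e['userAgent']})")
```

The baseline window should be built from sign-ins you already trust (for example, the device's enrolment period), otherwise an attacker's first use becomes part of the baseline.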
4. Mitigating PRT Attacks with Conditional Access
Azure AD Policy:
"conditions": {
  "devicePlatforms": ["Windows"],
  "clientApps": ["Browser"],
  "requireCompliantDevice": true
}
Steps:
1. Enforce device compliance for PRT issuance.
2. Restrict PRT usage to trusted locations/IPs.
5. Disabling PRTs for High-Risk Users
PowerShell Command:
Set-MsolUser -UserPrincipalName <target_user> -StsRefreshTokensValidFrom $((Get-Date).AddDays(-1))
Steps:
1. Revoke existing PRTs for compromised accounts.
2. Force reauthentication with MFA.
What Undercode Say
- Key Takeaway 1: PRTs are a blind spot in hybrid security—many organizations focus on network lateral movement but overlook cloud pivoting.
- Key Takeaway 2: Detection requires correlating on-premises logs (e.g., Windows Event ID 4624) with Azure AD sign-ins.
Analysis:
The Pass-the-PRT attack highlights the convergence of on-premises and cloud threats. As enterprises adopt hybrid environments, attackers exploit trust mechanisms like PRTs to bypass traditional defenses. Red teams must simulate PRT abuse to test detection capabilities, while blue teams should audit Azure AD token policies and enforce conditional access.
Prediction
PRT abuse will grow as more organizations migrate to Azure AD. Future attacks may combine PRTs with AI-driven phishing to automate cloud lateral movement, making MFA bypass a commodity skill for threat actors. Proactive monitoring and device-level controls will be critical to counter this trend.
Reported By: Activity 7344388865908011008 – Hackers Feeds