Pass-the-PRT attack and detection by Microsoft Defender for ….

The attack

First we need to verify if the computer is (hybrid) Azure AD joined via dsregcmd.exe /status


Microsoft Defender for Identity (MDI) can only detect on-premises Active Directory attacks.

Azure AD Identity Protection

Azure AD Identity Protection (IPC) is the Microsoft solution to detect Azure AD attacks (compromised credentials and/or anomalies), the pass-the-PRT attack cannot be detected due to the nature of SSO and the use of Tokens.

Microsoft Defender for Endpoint / Microsoft 365 Defender

Microsoft Defender for Endpoint (MDE) and/or Microsoft 365 Defender however detects the pass-the-PRT attack in the first stage of the attack (retrieving the PRT).



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store