This blog discusses operational methodologies for obtaining primary refresh tokens (PRTs) from Entra ID joined hosts, which can allow unauthorized access to MFA-protected resources. The content emphasizes situational awareness, token manipulation, and detection guidance for those involved in penetration testing operations.
Key points:
- Lee Chagolla-Christensen’s POC outlines how attackers can leverage refresh tokens from hybrid joined hosts to bypass SSO for cloud resources.
- PRT cookies can include multi-factor authentication (MFA) claims, enabling access to MFA-protected resources.
- Obtaining join type information is crucial for determining whether a host is device or workplace joined.
- Tools are available to enumerate Entra ID accounts, identifying which accounts can have refresh tokens obtained.
- Multiple “work or school” accounts can complicate token acquisition, allowing attackers to obtain multiple tokens from a single user session.
- Tools like dsregcmd.exe can enumerate WAM accounts, useful for identifying cloud-based accounts linked to the device.
- COM can be used to create scripts for listing WAM accounts in user profiles.
- The process of acquiring tokens involves requesting a nonce and executing specific BOFs to obtain PRT cookies.
- Once refresh tokens are acquired, they can be injected into browsers to access Microsoft services without additional MFA prompts.
- Refresh tokens can be utilized to request access tokens for various Microsoft cloud services and third-party applications configured to use SSO.
- Detection of suspicious activity can involve monitoring DLLs loaded in processes, identifying potentially malicious actions related to token gathering.