TL;DR: There is a lot of great research available on how to obtain an Azure Primary Refresh Token (PRT) cookie post-exploitation.
Organisations store heaps of data that is vital to their business processes or can be considered intellectual property.
Direct system calls are a popular technique used by attackers to bypass certain EDR solutions.
Sometimes, simple queries can be quite effective. One example of that is a rule we recently developed to detect processes that start without SYSTEM privileges, and spawn child processes that do have SYSTEM privileges.
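The rule above joins each process-creation event to its parent's creation event and flags the case where the parent ran without SYSTEM privileges but the child runs as SYSTEM, which is the shape a token-impersonation style privilege escalation leaves in process telemetry. The following is an added example of that logic written in Python, not the rule from the original post (whose query language is not stated here): the event shape (pid, ppid, image, user), the SYSTEM account identifiers, and every event in `SAMPLE_EVENTS` are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: SYSTEM appears in telemetry as either the account name or the well-known SID.
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "S-1-5-18"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation event (hypothetical field set, modelled on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    user: str


# Constructed sample telemetry, in chronological order; not captured from a real host.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(4, 0, "System", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(652, 4, "C:\\Windows\\System32\\services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(1200, 652, "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(3100, 900, "C:\\Windows\\explorer.exe", "CORP\\alice"),
    ProcessEvent(4200, 3100, "C:\\Windows\\System32\\cmd.exe", "CORP\\alice"),
    # A user-context cmd.exe spawning a SYSTEM child: this is the pattern the rule targets.
    ProcessEvent(5000, 4200, "C:\\Temp\\elevated.exe", "NT AUTHORITY\\SYSTEM"),
    # SYSTEM child whose parent never appeared in the log: not enough data to alert on.
    ProcessEvent(6000, 99999, "C:\\Windows\\System32\\notepad.exe", "NT AUTHORITY\\SYSTEM"),
]


def is_system(user: str) -> bool:
    """Case-insensitive check against the assumed SYSTEM identifiers."""
    return user.upper() in {s.upper() for s in SYSTEM_ACCOUNTS}


def detect_non_system_parent_spawning_system(
    events: Iterable[ProcessEvent],
) -> List[Tuple[ProcessEvent, ProcessEvent]]:
    """Return (child, parent) pairs where the child runs as SYSTEM and its parent does not.

    Events must be in chronological order so the parent's creation event is seen before
    the child's. A later creation event with the same PID overwrites the earlier one,
    which is the correct behaviour when PIDs are reused after a process exits.
    Children whose parent has no creation event in the stream are skipped rather than
    alerted on, because the parent's privilege level is unknown.
    """
    by_pid = {}
    hits: List[Tuple[ProcessEvent, ProcessEvent]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is not None and is_system(ev.user) and not is_system(parent.user):
            hits.append((ev, parent))
        by_pid[ev.pid] = ev
    return hits


if __name__ == "__main__":
    for child, parent in detect_non_system_parent_spawning_system(SAMPLE_EVENTS):
        print(f"ALERT: {parent.image} ({parent.user}, pid {parent.pid}) "
              f"spawned {child.image} as {child.user} (pid {child.pid})")
```

In a real SIEM the same join is a self-join of the process-creation table on `pid = ppid` with a filter on the two user fields; the Python version makes the ordering and unknown-parent caveats explicit, which is where such a rule usually produces noise when the parent event was lost or arrived out of order.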