TL;DR: There is a lot of great research available on how to obtain an Azure Primary Refresh Token (PRT) cookie, post-exploitation.
Our blog

Today’s blog is about detection of a bypass for the ASR rule “Block Office applications from creating executable content”.

Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities.

Organisations store large amounts of data that is critical to their business processes or that counts as intellectual property.

Direct system calls are a popular technique used by attackers to bypass certain EDR solutions.

Sometimes, simple queries can be quite effective. One example of that is a rule we recently developed to detect processes that start without SYSTEM privileges, and spawn child processes that do have SYSTEM privileges.
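The rule described above, written out as an added example rather than the blog's own query: it runs over a handful of constructed process-creation events whose field names are modelled on Sysmon Event ID 1 (which in recent versions logs both User and ParentUser) and flags every child running as SYSTEM whose parent was not. Where an event has no ParentUser (older sensors), the parent's account is resolved from an earlier event in the same batch by PID, with the caveat that PID reuse can mislead that lookup. The optional allowlist of parent images is an assumed tuning knob; what belongs in it is environment-specific.

```python
"""Flag SYSTEM child processes spawned by non-SYSTEM parents.

Added example, not the original blog's query. Events are constructed here;
the field shape follows Sysmon Event ID 1 (User / ParentUser) but any EDR or
SIEM process-creation telemetry with the same fields would do.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Spellings under which the local SYSTEM account shows up in telemetry.
SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "s-1-5-18"}


@dataclass(frozen=True)
class ProcessCreate:
    """One process-creation event (constructed, Sysmon EID 1-like)."""
    pid: int
    image: str
    user: str
    ppid: int
    parent_image: str
    parent_user: Optional[str] = None  # older sensors omit ParentUser


def is_system(user: Optional[str]) -> bool:
    """True when the account is the local SYSTEM account in any common spelling."""
    return user is not None and user.strip().lower() in SYSTEM_ACCOUNTS


def find_suspicious_elevations(events: Iterable[ProcessCreate],
                               allowlist: frozenset = frozenset()) -> list:
    """Return (parent_image, image, pid) for each SYSTEM child of a non-SYSTEM parent.

    If ParentUser is missing, the parent's account is looked up from an event
    for that PID in the same batch. That lookup is best effort: a reused PID
    can point at the wrong parent, so a sensor-supplied ParentUser is preferred.
    `allowlist` holds lower-cased parent image paths to suppress (assumed knob).
    """
    events = list(events)
    user_by_pid = {e.pid: e.user for e in events}
    hits = []
    for e in events:
        if not is_system(e.user):
            continue  # child is not SYSTEM; nothing to see
        parent_user = e.parent_user if e.parent_user is not None else user_by_pid.get(e.ppid)
        if parent_user is None:
            continue  # parent unknown in this batch; cannot judge
        if is_system(parent_user):
            continue  # SYSTEM -> SYSTEM (services.exe, svchost.exe, ...) is normal
        if e.parent_image.lower() in allowlist:
            continue
        hits.append((e.parent_image, e.image, e.pid))
    return hits


# Constructed sample batch: a normal boot/logon chain plus one suspicious
# user-level binary that ends up with SYSTEM children.
SAMPLE_EVENTS = [
    ProcessCreate(700, r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM",
                  600, r"C:\Windows\System32\wininit.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessCreate(1200, r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM",
                  700, r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessCreate(3100, r"C:\Windows\explorer.exe", r"CORP\alice",
                  3000, r"C:\Windows\System32\userinit.exe", r"CORP\alice"),
    ProcessCreate(4200, r"C:\Windows\System32\cmd.exe", r"CORP\alice",
                  3100, r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessCreate(4500, r"C:\Users\alice\Downloads\update.exe", r"CORP\alice",
                  3100, r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessCreate(4600, r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM",
                  4500, r"C:\Users\alice\Downloads\update.exe", r"CORP\alice"),
    # No ParentUser on this one; the parent account is resolved via PID 4500.
    ProcessCreate(4700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"NT AUTHORITY\SYSTEM",
                  4500, r"C:\Users\alice\Downloads\update.exe", None),
]


if __name__ == "__main__":
    for parent, child, pid in find_suspicious_elevations(SAMPLE_EVENTS):
        print(f"non-SYSTEM parent {parent} spawned SYSTEM child {child} (pid {pid})")
```

Only the two children of update.exe fire; the SYSTEM-to-SYSTEM service chain and the ordinary user processes stay quiet, which is what makes the rule cheap to run and easy to tune.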