Defending against Pass-the-PRT

The Azure AD Primary Refresh Token (PRT) can be extracted using ROADtools, written by security researcher Dirk-jan Mollema and recently weaponized into Mimikatz by Benjamin Delpy.

With local Administrator privileges it becomes possible to extract the PRT and the required cryptographic material to sign in on any Azure AD connected resource with the account to which the PRT was issued. The PRT is valid for 14 days and can be used on any device in this time-frame. Any MFA claims that were assigned to the PRT remain valid as well.

It’s important to understand exactly how this attack works so that you can test your defenses against it. You should never assume that your defenses are adequate. Just like a backup is not good unless it is restored, your defenses are not good unless you test them frequently and thoroughly.

A PRT is only issued to native apps (like the full Outlook client) on Azure AD Registered, Azure AD Joined, or Hybrid Azure AD joined devices. A browser session on a workgroup machine will not receive a PRT. To learn more about how PRT’s are issued, see this article: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

The attacker runs a few mimikatz commands:

privilege:debug
sekurlsa::cloudap

cloudap1

The PRT can then be imported into Chrome as a cookie:

image

And this allows the attacker to sign in as the user, even if their device is not Intune compliant or Hybrid Azure AD joined.

Defending against Pass-the-PRT

There are ~15 Attack Surface Reduction Rules (ASR) in Windows 10. The following rule can be enabled in Audit or Block mode. We strongly recommend Audit mode first because Block mode may block legitimate processes that you will need to exclude before deploying this in production. On a single test machine you can run this command for audit mode:

Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions AuditMode

And this command for block mode:

Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled

And when this ASR rule is enabled, we can see that Mimikatz is unable to dump the PRT

image

Normally this should get logged as Event 1121 (Block) or 1122 (Audit) in the Event Viewer: Microsoft-Windows-Windows Defender/Operational

Or if you have Microsoft Defender ATP then in the Timeline view you can filter on ASR Events:

image

Recommendations

1. Do not grant users local administrator privileges

2. Enable Tamper Protection in Windows Defender. It is more difficult for Mimikatz to run when Defender AV is running.

3. Enable Attack Surface Reduction Rules (ASR)  to block access to LSASS.exe