With local Administrator privileges it becomes possible to extract the PRT and the required cryptographic material to sign in on any Azure AD connected resource with the account to which the PRT was issued. The PRT is valid for 14 days and can be used on any device in this time-frame. Any MFA claims that were assigned to the PRT remain valid as well.
It’s important to understand exactly how this attack works so that you can test your defenses against it. You should never assume that your defenses are adequate. Just like a backup is not good unless it is restored, your defenses are not good unless you test them frequently and thoroughly.
A PRT is only issued to native apps (like the full Outlook client) on Azure AD Registered, Azure AD Joined, or Hybrid Azure AD joined devices. A browser session on a workgroup machine will not receive a PRT. To learn more about how PRT’s are issued, see this article: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
The attacker runs a few mimikatz commands:
The PRT can then be imported into Chrome as a cookie:
And this allows the attacker to sign in as the user, even if their device is not Intune compliant or Hybrid Azure AD joined.
Defending against Pass-the-PRT
There are ~15 Attack Surface Reduction Rules (ASR) in Windows 10. The following rule can be enabled in Audit or Block mode. We strongly recommend Audit mode first because Block mode may block legitimate processes that you will need to exclude before deploying this in production. On a single test machine you can run this command for audit mode:
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions AuditMode
And this command for block mode:
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
And when this ASR rule is enabled, we can see that Mimikatz is unable to dump the PRT
Normally this should get logged as Event 1121 (Block) or 1122 (Audit) in the Event Viewer: Microsoft-Windows-Windows Defender/Operational
Or if you have Microsoft Defender ATP then in the Timeline view you can filter on ASR Events:
1. Do not grant users local administrator privileges
2. Enable Tamper Protection in Windows Defender. It is more difficult for Mimikatz to run when Defender AV is running.
3. Enable Attack Surface Reduction Rules (ASR) to block access to LSASS.exe