Az - Lateral Movement (Cloud - On-Prem)
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
There are different ways a machine can be connected to the cloud:
In Azure AD, there are different types of tokens with specific limitations:
Access tokens: Used to access APIs and resources like the Microsoft Graph. They are tied to a specific client and resource.
Refresh tokens: Issued to applications to obtain new access tokens. They can only be used by the application they were issued to or a group of applications.
Primary Refresh Tokens (PRT): Used for Single Sign-On on Azure AD joined, registered, or hybrid joined devices. They can be used in browser sign-in flows and for signing in to mobile and desktop applications on the device.
Windows Hello for Business keys (WHFB): Used for passwordless authentication. They are used to obtain Primary Refresh Tokens.
The most interesting type of token is the Primary Refresh Token (PRT).
Az - Primary Refresh Token (PRT)
From the compromised machine to the cloud:
Pass the Cookie: Steal Azure cookies from the browser and use them to log in.
Dump process access tokens: Dump the memory of local processes synchronized with the cloud (like Excel, Teams...) and find access tokens in clear text.
Phishing Primary Refresh Token: Phish the PRT to abuse it
Pass the PRT: Steal the device PRT to access Azure impersonating it.
Pass the Certificate: Generate a certificate based on the PRT to log in from one machine to another.
From compromising AD to compromising the Cloud and from compromising the Cloud to compromising AD:
Another way to pivot from the cloud to on-prem is abusing Intune.
This tool (roadtx) allows performing several actions, such as registering a machine in Azure AD to obtain a PRT and using PRTs (legitimate or stolen) to access resources in several different ways. These are not direct attacks, but the tool facilitates the use of PRTs to access resources in different ways. Find more info in https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/