Comment on page
cloudapkd 🛠️

dpapi::cloudapkd allows to decrypt via DPAPI the ProofOfPossesionKey (extracted from a Primary Refresh Token, a.k.a. PRT, e.g. cloudap) and thus recover the Clear key and the Derived Key.
/prt: Primary Refresh Token, used for JWT token generation (can be found with sekurlsa::cloudap)
/iat: Issued At, used for JWT token generation (Default: -112)
/pop: Proof-of-Possession (Unknown usage, Work In Progress)
/label: Object label, can be retrive from keyvalue with unprotect
/context: Used for JWT token generation (can be found with unprotect)
/keyname: Is necessary for opaque keys (when a TPM is used for example) during unprotect operation
/keyvalue: Part of ProofOfPossesionKey, can be found with sekurlsa::cloudap. Unprotect this data to retrieve context, label, clearkey and derivedkey
/derivedkey: used for JWT token generation (can be found with unprotect)
/unprotect: Decrypt the secret from DPAPI (masterkey is optionnal, but token::elevate is required)
/masterkey: master DPAPI key use to unprotect the secret (can be retrieved from sekurlsa::dpapi). This field is not mandatory, if absent the key will be found automatically
References
Journey to Azure AD PRT: Getting access with pass-the-token and pass-the-cert
Lateral Movement to the Cloud with Pass-the-PRT
Stealthbits Technologies
Digging further into the Primary Refresh Token
dirkjanm.io
Pass-the-PRT attack and detection by Microsoft Defender for ….
Medium
chrome
cloudapreg
Last modified 1yr ago