cloudapkd 🛠️

dpapi::cloudapkd allows to decrypt via DPAPI the ProofOfPossesionKey (extracted from a Primary Refresh Token, a.k.a. PRT, e.g. cloudap) and thus recover the Clear key and the Derived Key.

• /prt: Primary Refresh Token, used for JWT token generation (can be found with sekurlsa::cloudap)

• /iat: Issued At, used for JWT token generation (Default: -112)

• /pop: Proof-of-Possession (Unknown usage, Work In Progress)

• /label: Object label, can be retrive from keyvalue with unprotect

• /context: Used for JWT token generation (can be found with unprotect)

• /keyname: Is necessary for opaque keys (when a TPM is used for example) during unprotect operation

• /keyvalue: Part of ProofOfPossesionKey, can be found with sekurlsa::cloudap. Unprotect this data to retrieve context, label, clearkey and derivedkey

• /derivedkey: used for JWT token generation (can be found with unprotect)

• /unprotect: Decrypt the secret from DPAPI (masterkey is optionnal, but token::elevate is required)

• /masterkey: master DPAPI key use to unprotect the secret (can be retrieved from sekurlsa::dpapi). This field is not mandatory, if absent the key will be found automatically

References

Journey to Azure AD PRT: Getting access with pass-the-token and pass-the-cert

Lateral Movement to the Cloud with Pass-the-PRTStealthbits Technologies

Pass-the-PRT attack and detection by Microsoft Defender for ….Medium