cloudapkd 🛠️

dpapi::cloudapkd allows to decrypt via DPAPI the ProofOfPossesionKey (extracted from a Primary Refresh Token, a.k.a. PRT, e.g. cloudap) and thus recover the Clear key and the Derived Key.

/prt: Primary Refresh Token, used for JWT token generation (can be found with sekurlsa::cloudap)
/iat: Issued At, used for JWT token generation (Default: -112)
/pop: Proof-of-Possession (Unknown usage, Work In Progress)
/label: Object label, can be retrive from keyvalue with unprotect
/context: Used for JWT token generation (can be found with unprotect)
/keyname: Is necessary for opaque keys (when a TPM is used for example) during unprotect operation
/keyvalue: Part of ProofOfPossesionKey, can be found with sekurlsa::cloudap. Unprotect this data to retrieve context, label, clearkey and derivedkey
/derivedkey: used for JWT token generation (can be found with unprotect)
/unprotect: Decrypt the secret from DPAPI (masterkey is optionnal, but token::elevate is required)
/masterkey: master DPAPI key use to unprotect the secret (can be retrieved from sekurlsa::dpapi). This field is not mandatory, if absent the key will be found automatically

References

https://o365blog.com/post/prt/o365blog.com

Lateral Movement to the Cloud with Pass-the-PRTstealthbits.com

Digging further into the Primary Refresh Tokendirkjanm.io

Pass-the-PRT attack and detection by Microsoft Defender for ….Medium

Previouschrome Nextcloudapreg

Last updated 3 years ago