cloudap
sekurlsa::cloudap lists Azure (Primary Refresh Token) credentials, based on the following research: Digging further into the Primary Refresh Token. According to Benjamin:
Azure API does not verify ctx replay
Azure relies on symmetric keys
Software or TPM keys are "protected" by legacy DPAPI
AzureAd logon must support device key for legacy DPAPI
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT AUTHORITY\SYSTEM account).
The following screenshot was borrowed from this tweet: