cloudap
sekurlsa::cloudap lists Azure (Primary Refresh Token) credentials based on the following research: Digging further into the Primary Refresh Token. According to Benjamin:
- Azure API does not verify ctx replay
- Azure relies on symmetric keys
- Software or TPM keys are "protected" by legacy DPAPI
- AzureAd logon must support device key for legacy DPAPI
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT AUTHORITY\SYSTEM account).

mimikatz # sekurlsa::cloudap

Azure session key dump