cloudap

sekurlsa::cloudap lists Azure (Primary Refresh Token) credentials based on the following research: Digging further into the Primary Refresh Token. According to Benjamin:

  • Azure API does not verify ctx replay

  • Azure relies on symmetric keys

  • Software or TPM keys are "protected" by legacy DPAPI

  • AzureAd logon must support device key for legacy DPAPI

This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).

mimikatz # sekurlsa::cloudap

The following screenshot was borrowed from this tweet:

Azure session key dump
PreviousbootkeyNextcredman

Last updated