sekurlsa::cloudap lists Azure (Primary Refresh Token) credentials based on the following research: Digging further into the Primary Refresh Token. According to Benjamin:
Azure API does not verify ctx replay
Azure relies on symmetric keys
Software or TPM keys are "protected" by legacy DPAPI
AzureAd logon must support device key for legacy DPAPI
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
mimikatz # sekurlsa::cloudap
The following screenshot was borrowed from this tweet: