sekurlsa::cloudap lists Azure (Primary Refresh Token) credentials based on the following research: Digging further into the Primary Refresh Token. According to Benjamin:
  • Azure API does not verify ctx replay
  • Azure relies on symmetric keys
  • Software or TPM keys are "protected" by legacy DPAPI
  • AzureAd logon must support device key for legacy DPAPI
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
mimikatz # sekurlsa::cloudap
The following screenshot was borrowed from this tweet:
Azure session key dump
Last modified 2yr ago