cloudap

sekurlsa::cloudap lists Azure (Primary Refresh Token) credentials based on the following research: Digging further into the Primary Refresh Token. According to Benjamin:
Azure API does not verify ctx replay
Azure relies on symmetric keys
Software or TPM keys are "protected" by legacy DPAPI
AzureAd logon must support device key for legacy DPAPI
This command requires elevated privileges (by previously running privilege::debug or by executing Mimikatz as the NT-AUTHORITY\SYSTEM account).
mimikatz # sekurlsa::cloudap
The following screenshot was borrowed from this tweet:
Azure session key dump
bootkey
credman
Last modified 1yr ago