2024-09-05 –, Main track
While Microsoft Entra Primary Refresh Tokens remain mostly undocumented, on Windows there has been quite some research in how they work and how they can be attacked or protected. Despite several hiccups (read: vulnerabilities) in getting there, the implementation is now mostly secure if you have a Trusted Platform Module (TPM). On other platforms, the Primary Refresh Token is also used but its implementation is undocumented. We decided to investigate how Microsoft implemented Primary Refresh Tokens on MacOS, how they are protected and how hard (or easy) it is for attackers to steal them. During the investigation, we encountered more undocumented protocol features, leading to the discovery of deviceless Primary Refresh Tokens (PRTs). These deviceless PRTs, which as the name implies are only tied to a user and not a device. In some environments this might already be enough for an attacker to achieve their goal, since these PRTs could be obtained during phishing.
In this session, we will talk about the PRT internals, their protection on MacOS, and on the current and new PRT implementation Microsoft introduced using the Platform SSO capabilities.
While Microsoft Entra Primary Refresh Tokens remain mostly undocumented, on Windows there has been quite some research in how they work and how they can be attacked or protected. Despite several hiccups (read: vulnerabilities) in getting there, the implementation is now mostly secure if you have a Trusted Platform Module (TPM). On other platforms, the Primary Refresh Token is also used but its implementation is undocumented. We decided to investigate how Microsoft implemented Primary Refresh Tokens on MacOS, how they are protected and how hard (or easy) it is for attackers to steal them. During the investigation, we encountered more undocumented protocol features, leading to the discovery of deviceless Primary Refresh Tokens (PRTs). These deviceless PRTs, which as the name implies are only tied to a user and not a device. In some environments this might already be enough for an attacker to achieve their goal, since these PRTs could be obtained during phishing.
In this session, we will talk about the PRT internals, their protection on MacOS, and on the current and new PRT implementation Microsoft introduced using the Platform SSO capabilities.
Olaf is a defensive specialist and security researcher at FalconForce and specialize in understanding the attacker tradecraft and thereby improving detection.
Dirk-jan Mollema is a hacker and researcher of Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.