One of the most concerning attack methods I’ve come across recently is ‘Pass-the-PRT.’ It’s not the most likely of cyberattacks, but if successful, your organization’s security is in trouble. And that’s precisely what makes it dangerous—it leverages legitimate authentication processes, blending into normal network activity, making it hard to detect.
I saw this firsthand while testing an Azure environment for lateral movement vulnerabilities. An attacker had been moving across systems for days using a stolen primary refresh token (PRT). Because they didn’t need to reauthenticate, their access looked legitimate, slipping past detection. It was a reminder of how easy it is for attackers to stay hidden once they gain a foothold—and how this kind of attack can cause significant operational disruptions and damage an organization’s reputation if not caught early.
What is the Pass-the-PRT Technique?
Before we dive into the specifics of Pass-the-PRT, it’s important to understand the concept of primary refresh tokens (PRTs). In cloud-based authentication, PRTs play a crucial role in keeping a user’s signed-in session alive. After a user successfully authenticates, two types of tokens are issued: an initial access token and a primary refresh token. The access token grants temporary access to cloud resources and expires after a short period. Meanwhile, the primary refresh token allows the system to obtain new access tokens for the user without requiring them to enter their login credentials repeatedly.
How Does the Pass-the-PRT Attack Unfold?
Pass-the-PRT attacks usually play out in three key stages:
- Initial Compromise: The attack begins with the attacker gaining initial access to a device within the target environment. This can happen in a few ways—most commonly through phishing, malware, or exploiting an unpatched vulnerability.
- PRT Extraction: Once the attacker has their initial foothold, they focus on one goal: getting access to the primary refresh token (PRT). Typically, PRTs are securely stored within Windows Credentials Manager or similar secure storage mechanisms. These tokens are protected by encryption and other security measures, but attackers employ sophisticated techniques to bypass these protections and extract the PRT. In some cases, they exploit weaknesses in the system’s security protocols or use privilege escalation to access these tokens.
- Lateral Movement: Armed with the extracted PRT, the attacker can continuously request new access tokens without needing to re-authenticate. This allows them to move laterally within the network, accessing all applications available to the compromised user. Additionally, attackers can generate PRT cookies to authenticate as the Azure AD user, gaining access to cloud resources and services with the same permissions as the legitimate user.
Why Are Pass-the-PRT Attacks So Elusive?
Pass-the-PRT attacks are particularly challenging to detect because they exploit legitimate Single Sign-On (SSO) tokens, blending in with the normal activity of real users. Since the attacker isn’t bypassing security or brute-forcing credentials but rather using an existing PRT, most traditional monitoring tools have difficulty distinguishing this from legitimate user behavior. Security tools typically look for anomalies—suspicious logins, failed access attempts, or unusual behavior patterns. With Pass-the-PRT, none of those signals are present. The attacker uses a valid token, making it look like the authorized user is accessing the resources.
Minimizing the Risk: How to Protect Your Organization from PRT Attacks
Prevention
The first step in protecting your organization is to block initial access. Attackers can’t steal a PRT if they can’t get into the environment in the first place. Regular security testing in the form of pentesting and red-teaming exercises can help by identifying potential initial access paths before an attacker can exploit them, allowing your team to take corrective action. For instance, by leveraging the MITRE ATT&CK matrix to test your defenses, you can gain a deeper understanding of your security posture and pinpoint areas for improvement.
Detection
Ensure that even if an attacker gains initial access to your network, you can detect a Pass-the-PRT attack through the following measures:
Monitor for Unusual Token Use Patterns
- Multiple Locations or Devices: Track PRT usage from multiple geographical locations or from different devices in a short timeframe. If a PRT is used from locations that are physically impossible (e.g., one location in New York and another in Tokyo within minutes), this may indicate an attack.
- Unusual Access Times: Detecting PRT usage outside of normal working hours or during unusual periods of time may signal suspicious behavior.
Monitor for Suspicious IP Addresses
PRT attacks often come from suspicious or known bad IP addresses. Use threat intelligence feeds and IP reputation services to flag connections from blacklisted or high-risk IP ranges.
Anomalous User Behavior Detection
User Behavior Analytics (UBA): Implement machine learning or rule-based systems to detect anomalies in user behavior. For example, a user suddenly accessing services they don’t normally use or from different locations can trigger alerts for potential misuse of PRTs.
Continuous Access Evaluation (CAE)
Use Continuous Access Evaluation to monitor for risky session behavior, such as session hijacking or unusual changes in access patterns. CAE-enabled systems can instantly revoke tokens when suspicious activity is detected, reducing the risk window of a compromised PRT.
SIEM and Identity Protection Tools
- Security Information and Event Management (SIEM): These tools can correlate events across your infrastructure. They analyze authentication logs, PRT issuance logs, and token usage data to flag potential Pass-the-PRT attacks.
- Microsoft Identity Protection: If using Azure AD, tools like Azure AD Identity Protection can provide real-time risk detection and alert you if a token appears to be compromised or misused.
Monitor Token Issuance Logs
Regularly audit token issuance logs to detect anomalies, such as multiple token issuances in a short period for the same user or issuances from unexpected devices or IP addresses.
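As an added example that is not part of the original post, the following script runs two of the checks described above, impossible travel between consecutive sign-ins by the same user and a burst of token issuances to several devices in a short window, over a handful of constructed sign-in records. The record fields, thresholds and sample values are assumptions for illustration, not the real Azure AD sign-in log schema.

```python
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (not real log data); field names are assumed.
SAMPLE_LOG = """
{"user": "alice", "time": "2024-05-01T09:00:00Z", "lat": 40.71, "lon": -74.01, "device": "LAPTOP-A", "ip": "203.0.113.10"}
{"user": "alice", "time": "2024-05-01T09:12:00Z", "lat": 35.68, "lon": 139.69, "device": "WKS-B", "ip": "198.51.100.7"}
{"user": "bob", "time": "2024-05-01T10:00:00Z", "lat": 51.51, "lon": -0.13, "device": "LAPTOP-C", "ip": "203.0.113.55"}
{"user": "bob", "time": "2024-05-01T13:00:00Z", "lat": 48.86, "lon": 2.35, "device": "LAPTOP-C", "ip": "203.0.113.56"}
{"user": "alice", "time": "2024-05-01T09:15:00Z", "lat": 40.71, "lon": -74.01, "device": "LAPTOP-A", "ip": "203.0.113.10"}
"""

MAX_SPEED_KMH = 900.0        # assumed ceiling: roughly airliner speed
ISSUANCE_WINDOW_MIN = 30     # assumed "short period" for issuance bursts
MAX_DEVICES_IN_WINDOW = 1    # more distinct devices than this in the window is suspicious

def parse_log(text):
    """Parse one JSON record per line and sort by user, then time."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: (e["user"], e["time"]))

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events):
    """Flag consecutive sign-ins by one user whose implied speed exceeds MAX_SPEED_KMH."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if prev["user"] != cur["user"]:
            continue
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if dist > 0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
            alerts.append((cur["user"], prev["ip"], cur["ip"], round(dist)))
    return alerts

def burst_issuance(events):
    """Flag users whose sign-ins hit more than MAX_DEVICES_IN_WINDOW devices inside the window."""
    flagged = set()
    for i, e in enumerate(events):
        devices = {e["device"]}
        for later in events[i + 1:]:
            if later["user"] != e["user"] or (later["time"] - e["time"]).total_seconds() > ISSUANCE_WINDOW_MIN * 60:
                break
            devices.add(later["device"])
        if len(devices) > MAX_DEVICES_IN_WINDOW:
            flagged.add(e["user"])
    return sorted(flagged)
```

Running both checks on the sample yields two impossible-travel alerts for alice (New York to Tokyo and back within minutes) and flags alice for issuance to two devices inside 30 minutes, while bob’s London-to-Paris sign-ins three hours apart pass.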
Detect Token Replay
A replayed token is a red flag, since PRTs are intended for single-use or short-lived sessions. Any replay of a token may indicate unauthorized token use or interception.
Minimize the Blast Radius
Ensure that potential damage is minimized in the event of this attack. This can be achieved by enforcing the principle of least privilege using role-based access control (RBAC) and fine-tuning your permissions. A robust Identity and Access Management (IAM) strategy can dramatically reduce lateral movement opportunities, especially for critical systems. By tightly controlling access, you can significantly limit the impact of a compromised account, safeguarding your most critical assets.
Response and Remediation
If an attack is detected, immediate action is key. Disable the compromised device in Azure AD as soon as possible and re-provision it with new credentials. You should also update the refresh token properties to invalidate any tokens the attacker may have stolen. Changing passwords and forcing reauthentication across the environment ensures that the attacker’s access is cut off quickly, stopping lateral movement in its tracks. As a strategic approach, it’s recommended to include this scenario in your incident response playbook and exercise it regularly as part of your incident response plan to ensure swift and effective action during real incidents.
Final Thoughts on Pass-the-PRT
Pass-the-PRT is a sophisticated lateral movement technique that poses a significant threat once an attacker has gained initial access to your environment. At the end of the day, it’s about being proactive. Make security testing a part of your business continuity strategy, and take time to evaluate how your defenses stand up to threats like these. The more you test and understand your weaknesses, the better prepared you’ll be when an actual attack comes.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.