`sekurlsa::cloudap` lists Azure AD Primary Refresh Token (PRT) credentials cached in LSASS by the CloudAP authentication package. The command builds on the research in *Digging further into the Primary Refresh Token* (Dirk-jan Mollema). According to Benjamin Delpy (the author of Mimikatz):
- Azure API does not verify ctx replay
- Azure relies on symmetric keys
- Software or TPM keys are "protected" by legacy DPAPI
- AzureAd logon must support device key for legacy DPAPI
{% hint style="warning" %}
This command requires elevated privileges: either run `privilege::debug` first (which enables SeDebugPrivilege so that LSASS memory can be read) or execute Mimikatz as the `NT AUTHORITY\SYSTEM` account.
{% endhint %}
```
mimikatz # sekurlsa::cloudap
```
The following screenshot was borrowed from this tweet:

(screenshot of `sekurlsa::cloudap` output; image not included)