If you haven’t been paying close enough attention, a new type of access control token, something like a browser session token on steroids, is becoming hackers' theft target of choice. It is known as a primary refresh token. In the Microsoft ecosystem, it’s the king of tokens.
Most access control tokens give a user access to a single application, service, or site. If I use my browser to successfully log in to an app/service/site, my browser gets a browser “cookie,” a small record (usually containing a randomly generated session ID) that gives that browser continued access to that app/service/site without having to log in again for a preset number of days or weeks.
My browser gets a separate session cookie for each app/service/site I successfully log in to. Most of us, if we look in our browser’s cookie store, will see hundreds of cookies.
Hackers and their malware creations love to steal our browser cookies because they act as “bearer tokens”: whoever presents one is seen as us by that app/service/site. Here is a great demo created by the late, great Kevin Mitnick (our former Chief Hacking Officer and owner) of a cookie being stolen and reused.
Hackers love cookie theft because it works whether you log in with a password, multi-factor authentication (MFA), biometrics, or some other super-duper authentication method. The cookie is issued only after authentication succeeds, so it carries none of that protection with it. If the hacker gets your session cookie, it’s game over…for you and the involved app/site/service.
Hackers have been stealing browser cookies for decades, and only now are some organizations, like Google, trying to come up with ways to better protect them, such as device-bound session credentials. Still, importantly, none of the existing cookie protections are all that great. Most can still be circumvented by hackers; in particular, malware already running on the victim’s machine can simply drive the legitimate browser, device binding or not. Your cookies are still very valuable to any hacker who has them.
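The two behaviors described above, a stolen cookie working as a bearer token and a device-bound session refusing it, as a runnable toy model. This is an added example written for this article; it is not Google’s DBSC implementation or any real browser or server code. The credentials, the `Server`/`Client` classes and the use of an HMAC secret as a stand-in for a TPM-held private key are all constructed for the demo.

```python
"""Toy model of a session cookie as a bearer token, and of a device-bound
session that defeats cookie replay. Constructed example for this article,
not Google's DBSC implementation or any browser's code. The device key is an
HMAC secret standing in for a TPM-held private key whose public half a real
server would register at login."""
import hashlib
import hmac
import secrets

# Constructed credentials. The MFA code is fixed only so the scenario is
# repeatable; the point is that it is checked once, at login.
USERS = {"alice": {"password": "correct horse battery", "totp": "482913"}}


class Server:
    """Minimal web backend with a server-side session store."""

    def __init__(self, device_bound: bool):
        self.device_bound = device_bound
        self.sessions = {}    # cookie value -> {"user": ..., "device_key": ...}
        self.challenges = {}  # cookie value -> outstanding one-time nonce

    def login(self, user, password, totp, device_key=None):
        rec = USERS.get(user)
        if rec is None or not (hmac.compare_digest(rec["password"], password)
                               and hmac.compare_digest(rec["totp"], totp)):
            return None
        # Password + MFA were checked here, once. Everything after this point
        # rides on the cookie alone (or cookie + device key when bound).
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "device_key": device_key}
        return cookie

    def challenge(self, cookie):
        """Issue a fresh nonce the client must sign with its device key."""
        nonce = secrets.token_hex(16)
        self.challenges[cookie] = nonce
        return nonce

    def request(self, cookie, proof=None):
        """Return an HTTP-style status for a request carrying `cookie`."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return 401
        if not self.device_bound:
            return 200  # bearer semantics: possession of the cookie is enough
        nonce = self.challenges.pop(cookie, None)  # one-time use
        if nonce is None or proof is None:
            return 401
        expected = hmac.new(sess["device_key"], nonce.encode(), hashlib.sha256).hexdigest()
        return 200 if hmac.compare_digest(expected, proof) else 401


class Client:
    """A browser on one device. The device key never leaves this object."""

    def __init__(self):
        self.device_key = secrets.token_bytes(32)
        self.cookie = None

    def sign(self, nonce):
        return hmac.new(self.device_key, nonce.encode(), hashlib.sha256).hexdigest()


def bearer_cookie_replay():
    """Classic cookie theft: MFA was used at login, yet the stolen cookie works."""
    srv = Server(device_bound=False)
    victim = Client()
    victim.cookie = srv.login("alice", "correct horse battery", "482913")
    stolen = victim.cookie  # an infostealer reads the cookie jar
    return srv.request(stolen)  # attacker on another machine is now "alice"


def device_bound_replay():
    """Same theft against a device-bound session: the cookie alone is useless."""
    srv = Server(device_bound=True)
    victim = Client()
    victim.cookie = srv.login("alice", "correct horse battery", "482913",
                              device_key=victim.device_key)
    legit = srv.request(victim.cookie, victim.sign(srv.challenge(victim.cookie)))
    # Attacker holds the cookie but not the victim's device key...
    attacker = Client()
    stolen = victim.cookie
    wrong_key = srv.request(stolen, attacker.sign(srv.challenge(stolen)))
    # ...and replaying a proof the victim already used fails too (nonce consumed).
    nonce = srv.challenge(stolen)
    proof = victim.sign(nonce)
    srv.request(stolen, proof)             # victim's legitimate use consumes it
    replayed = srv.request(stolen, proof)  # attacker sniffed the proof, replays it
    return legit, wrong_key, replayed


if __name__ == "__main__":
    print("bearer cookie replayed by attacker:", bearer_cookie_replay())
    print("device-bound (legit, wrong key, replayed proof):", device_bound_replay())
```

Note what the bound variant does not fix: an attacker who can run code on the victim’s device can still ask the device key to sign challenges, which is exactly the "drive the legitimate browser" circumvention mentioned above.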
Most cybersecurity defenders understand our cookie problem. What most defenders are not aware of is Microsoft’s newer primary refresh token, which is something like a session cookie on steroids.
What is a Primary Refresh Token?

In short, it’s a Microsoft-only invention used in Microsoft ecosystems (as far as I know) that allows a user on a device to access multiple apps/services/sites at once (i.e., single sign-on), usually for extended periods of time. They’ve been around since at least 2020 but are gaining in popularity.
Microsoft describes them this way:

“A Primary Refresh Token (PRT) is a key artifact of Microsoft Entra [formerly Microsoft Azure AD] authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It's a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices.

This article provides details on how a PRT is issued, used, and protected on Windows 10 or newer devices. We recommend using the latest versions of Windows 10, Windows 11 and Windows Server 2019+ to get the best SSO experience.”
When you log on to a Microsoft ecosystem, especially from a device registered with or joined to Microsoft Entra, a primary refresh token may be issued to your user for that particular device. It contains your device ID and an encrypted session symmetric key.
When you log in to the Microsoft ecosystem (e.g., Microsoft Entra, Microsoft 365, etc.), your Windows 10/Windows Server 2016 or later device communicates with the Windows Cloud Authentication Provider (CloudAP). The Microsoft Entra CloudAP plug-in sends your credentials (e.g., password, MFA, Windows Hello, etc.) to Entra for validation and receives back a primary refresh token and its session key.
Windows protects the session key with the Trusted Platform Module (TPM), if one is present, and then stores it locally under the Local Security Authority Subsystem Service (LSASS), where Windows stores and processes a lot of authentication material. Without a TPM, the key is protected in software only and is considerably easier for malware running with high privileges to extract.
You can check whether a primary refresh token is present for you on a device by running the following in a command prompt and pressing ENTER:

dsregcmd /status
Find the "SSO State" section and look for the "AzureAdPrt" value. It is "YES" if a primary refresh token is present and "NO" if not. (dsregcmd reports the state for the user running it, so run it from that user’s own, non-elevated prompt.) The PRT together with its session key is what acts as the “bearer token.” There is currently no way to see “inside” a primary refresh token the way you can inspect a browser cookie. A device can hold multiple primary refresh tokens, one for each work account signed in on it.
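The check above, automated: a parser for `dsregcmd /status` output that reports PRT presence, the issuing authority and the remaining lifetime. This is an added example for this article, not a Microsoft tool. It assumes the "SSO State" field names printed by current Windows builds (AzureAdPrt, AzureAdPrtUpdateTime, AzureAdPrtExpiryTime, AzureAdPrtAuthority, EnterprisePrt); the sample output embedded below is constructed, not captured from a real host, and the tenant ID in it is a placeholder.

```python
"""Parse `dsregcmd /status` output and summarise the Microsoft Entra PRT state.
Added example for this article, not a Microsoft tool. SAMPLE_OUTPUT is a
constructed stand-in for the relevant sections of real output so the parser
can be exercised off Windows; the field names are those dsregcmd prints."""
import re
import subprocess
import sys
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : LAPTOP-01

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2025-03-04 21:10:33.000 UTC
      AzureAdPrtExpiryTime : 2025-03-18 21:10:33.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
             EnterprisePrt : NO
"""

SECTION_RE = re.compile(r"^\|\s*(.+?)\s*\|$")     # "| SSO State |" box headers
FIELD_RE = re.compile(r"^\s*(\S.*?)\s+:\s+(.*)$")  # "Name : value" lines


def parse_dsregcmd(text):
    """Return {section name: {field: value}} for the boxed sections dsregcmd prints."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections


def parse_utc(value):
    """dsregcmd prints timestamps like '2025-03-18 21:10:33.000 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f UTC").replace(tzinfo=timezone.utc)


def prt_status(text, now=None):
    """Summarise PRT presence, issuing authority and remaining lifetime in days."""
    sso = parse_dsregcmd(text).get("SSO State", {})
    present = sso.get("AzureAdPrt") == "YES"
    result = {
        "present": present,
        "authority": sso.get("AzureAdPrtAuthority"),
        "enterprise_prt": sso.get("EnterprisePrt") == "YES",
    }
    if present and "AzureAdPrtExpiryTime" in sso:
        now = now or datetime.now(timezone.utc)
        remaining = parse_utc(sso["AzureAdPrtExpiryTime"]) - now
        result["expires_in_days"] = remaining.total_seconds() / 86400
    return result


def main():
    # dsregcmd reports the PRT of the user running it, so run this as that user
    # from a non-elevated prompt.
    if sys.platform == "win32":
        text = subprocess.run(["dsregcmd", "/status"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_OUTPUT  # off Windows, demonstrate on the constructed sample
    for key, value in prt_status(text).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it on each workstation you are curious about; a "present: True" with a short remaining lifetime simply means the token is due for its routine renewal, not that anything is wrong.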
An issued primary refresh token is good for two weeks (14 days) and is continuously renewed every 4 hours as long as the related user is active on