Primary Refresh Tokens Are Becoming a Theft Target for Hackers

2025/03/04 22:24

If you haven’t been paying attention closely enough, a new type of access control token, like a super browser token on steroids, is becoming hackers' theft target of choice. It is known as a primary refresh token. In the Microsoft ecosystem, it’s the king of tokens.

Most access control tokens give a user access to a single application, service, or site. If I use my browser to successfully log in to an app/service/site, my browser gets a "cookie" for it: a small named value (historically a text file, today usually a row in the browser's cookie database) that normally holds nothing more than a randomly generated session ID. Presenting that cookie gives the browser continued access to that app/service/site without having to log on again for a preset number of days or weeks.

My browser gets a separate access control token cookie for each app/service/site I successfully log on to. Most of us, if we look in our browser's cookie store, will see hundreds of cookies.

Hackers and their malware love to steal our browser cookies because cookies act as "bearer tokens": whoever holds one is, as far as that app/service/site can tell, us. Here is a great demo created by the late, great Kevin Mitnick (our former Chief Hacking Officer and owner) of a cookie being stolen and reused.

Hackers love cookie theft because it works no matter whether you logged in with a password, multi-factor authentication (MFA), biometrics, or some other super-duper authentication method: the cookie is issued after authentication has already succeeded, and from then on it is accepted on its own. If the hacker gets your access control token cookie, it's game over, for you and for the involved app/site/service.

Hackers have been stealing browser cookies for decades, and only now are some organizations, such as Google with its Device Bound Session Credentials (DBSC), trying to come up with ways to protect them better by binding a session to a key held on the device. Still, none of the existing cookie protections is anywhere near universal: each covers only certain browsers or sites, and malware that runs inside the user's own session can often sidestep it. Your cookies are still very valuable to any hacker who has them.

Most cybersecurity defenders understand our cookie problem. What most defenders are far less aware of is Microsoft's primary refresh token (PRT), which is something like an access control token cookie on steroids.

What is a Primary Refresh Token? In short, it is a Microsoft-only mechanism used in Microsoft ecosystems (as far as I know) that lets a user on a device access multiple apps/services/sites at once (i.e., single sign-on), usually for extended periods of time. They have been around since at least 2020, but are gaining in popularity.

Microsoft describes them this way:

“A Primary Refresh Token (PRT) is a key artifact of Microsoft Entra [formerly Microsoft Azure AD] authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It's a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices.

In this article, we provide details on how a PRT is issued, used, and protected on Windows 10 or newer devices. We recommend using the latest versions of Windows 10, Windows 11 and Windows Server 2019+ to get the best SSO experience.”

When you log on to a Microsoft ecosystem, especially from a device that is Microsoft Entra joined or registered, a primary refresh token can be (and normally will be) issued to your user for that particular device. It contains your device ID and an encrypted session key: a symmetric key that the device will later use to prove it holds the PRT.

When you log in to the Microsoft ecosystem (Microsoft Entra, Microsoft 365, and so on), your Windows 10 / Windows Server 2016 or later device talks to the Windows Cloud Authentication Provider (CloudAP). Its Microsoft Entra plug-in passes your credentials (password, MFA, Windows Hello for Business, etc.) to Microsoft Entra for validation and receives back a primary refresh token together with its session key.

Windows encrypts the session key with a key protected by the Trusted Platform Module (TPM), if the device has one, and keeps it in the Local Security Authority Subsystem Service (LSASS), the process where Windows stores and processes much of its authentication material. That placement is why attackers who want a PRT go after LSASS rather than the browser's cookie store.
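
The contrast between a plain bearer cookie (anyone holding it is the user) and the PRT plus session key model described above, as an added Python illustration. This is not code from the original post and not Microsoft's implementation: the "PRT" here is an opaque server-side record rather than the encrypted JWT Microsoft Entra issues, and the cookie header fields, claim names and KDF label are modelled on the documented PRT cookie format but should be read as assumptions. It shows why a stolen PRT blob alone buys nothing, why PRT plus session key (what LSASS holds) is full impersonation, and why a captured, already-used cookie does not replay.

```python
"""Bearer cookie vs. PRT-style proof of possession (added toy model, not Microsoft's code).

The IdP issues an opaque PRT handle plus a symmetric session key; the device can
only use the PRT by presenting an HMAC-signed assertion over a fresh IdP nonce,
keyed by a per-request key derived from the session key. Field names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_key(session_key, ctx):
    # Stand-in for the per-request KDF: a fresh signing key from the long-lived
    # session key and the random 'ctx' carried in the cookie header (label assumed).
    return hmac.new(session_key, b"AzureAD-SecureConversation" + ctx, hashlib.sha256).digest()


class CloudIdP:
    """Identity provider side: classic bearer cookies and PRT + session key."""

    def __init__(self):
        self._sessions = {}   # bearer cookie -> user
        self._prts = {}       # prt handle -> (user, device id, session key)
        self._nonces = set()  # outstanding single-use nonces

    def login_cookie(self, user):                    # bearer cookie: possession is identity
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def access_with_cookie(self, cookie):
        return self._sessions.get(cookie)            # no device check at all

    def issue_prt(self, user, device_id):
        session_key = secrets.token_bytes(32)
        prt = secrets.token_urlsafe(32)              # opaque to the client
        self._prts[prt] = (user, device_id, session_key)
        return prt, session_key                      # on Windows the key lands in LSASS/TPM

    def nonce(self):
        value = secrets.token_urlsafe(16)
        self._nonces.add(value)
        return value

    def redeem(self, prt_cookie):
        """Verify a signed PRT cookie; return the user or None."""
        try:
            h64, p64, s64 = prt_cookie.split(".")
            header = json.loads(b64url_dec(h64))
            payload = json.loads(b64url_dec(p64))
        except (ValueError, UnicodeDecodeError):
            return None
        record = self._prts.get(payload.get("refresh_token"))
        if record is None or header.get("alg") != "HS256":
            return None
        user, _device_id, session_key = record
        if payload.get("request_nonce") not in self._nonces:   # unknown or already used
            return None
        key = derive_key(session_key, b64url_dec(header.get("ctx", "")))
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_dec(s64)):
            return None
        self._nonces.discard(payload["request_nonce"])       # single use: no replay
        return user


class Device:
    """Client side: holds the session key the way LSASS would."""

    def __init__(self, prt, session_key):
        self.prt = prt
        self._session_key = session_key

    def make_prt_cookie(self, nonce):
        ctx = secrets.token_bytes(24)
        header = {"alg": "HS256", "typ": "JWT", "ctx": b64url(ctx)}
        payload = {"refresh_token": self.prt, "is_primary": "true",
                   "request_nonce": nonce, "iat": int(time.time())}
        signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
        sig = hmac.new(derive_key(self._session_key, ctx), signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url(sig)}"


def demo():
    idp = CloudIdP()
    cookie = idp.login_cookie("alice")
    bearer_replay = idp.access_with_cookie(cookie) == "alice"    # attacker holding it is alice

    prt, session_key = idp.issue_prt("alice", "DEV-1234")
    victim = Device(prt, session_key)
    victim_ok = idp.redeem(victim.make_prt_cookie(idp.nonce())) == "alice"

    blob_only = Device(prt, secrets.token_bytes(32))              # stole the PRT, not the key
    blob_only_result = idp.redeem(blob_only.make_prt_cookie(idp.nonce()))

    lsass_dump = Device(prt, session_key)                         # stole PRT and session key
    both_ok = idp.redeem(lsass_dump.make_prt_cookie(idp.nonce())) == "alice"

    captured = victim.make_prt_cookie(idp.nonce())                # sniffed a finished cookie
    idp.redeem(captured)
    replay_result = idp.redeem(captured)

    return {"bearer_cookie_replayable": bearer_replay, "victim_device": victim_ok,
            "prt_without_key": blob_only_result, "prt_with_key": both_ok,
            "captured_cookie_replay": replay_result}


if __name__ == "__main__":
    print(demo())
```

The design point is that the session key never travels: only a signature over an IdP-chosen nonce does, so the PRT handle is worthless to anyone who cannot sign with that key. The flip side, which is the post's warning, is that an attacker who reads both out of LSASS is indistinguishable from the real device.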

You can check whether a primary refresh token is present for you on a device by running the following at a command prompt, as the logged-on user:

dsregcmd /status

Find the "SSO State" section and look for the "AzureAdPrt" value. It is "YES" if you have a primary refresh token and "NO" if you do not. Note that the PRT itself is not presented as a bearer token the way a cookie is: the device proves it holds the PRT by signing each request with the session key, so an attacker needs both the PRT and the session key to impersonate you. There is currently no way to see "inside" a primary refresh token the way you can a browser cookie; it is encrypted for Microsoft Entra and opaque to the device. A device can hold multiple primary refresh tokens, one for each work account logged on to it.
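
A small Python helper, added here and not part of the original post or of Microsoft's tooling, that runs `dsregcmd /status` on Windows (or, elsewhere, parses a constructed sample of its output) and pulls out the fields the post tells you to look at. The sample's section and field names follow dsregcmd's real layout, but the values are made up and the GUIDs are zeroed.

```python
"""Read primary refresh token state from `dsregcmd /status` (added helper, not Microsoft's code).

On Windows it runs the real command; elsewhere it parses SAMPLE_OUTPUT, a
constructed excerpt laid out like dsregcmd's output (values invented, GUIDs zeroed).
"""
import platform
import re
import subprocess

SAMPLE_OUTPUT = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : LAPTOP-EXAMPLE

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000000
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2025-03-04 20:10:15.000 UTC
      AzureAdPrtExpiryTime : 2025-03-18 20:10:15.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
"""

SECTION = re.compile(r"^\|\s*(.+?)\s*\|$")                     # "| SSO State ... |"
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$")  # "   Name : value"


def parse_dsregcmd(text):
    """Return {section: {field: value}} from dsregcmd /status output."""
    sections, current = {}, "Preamble"
    for line in text.splitlines():
        sec = SECTION.match(line)
        if sec:
            current = sec.group(1)
            sections.setdefault(current, {})
            continue
        field = FIELD.match(line)
        if field:  # non-greedy key, so values containing ':' (URLs, times) survive intact
            sections.setdefault(current, {})[field.group(1)] = field.group(2).strip()
    return sections


def prt_report(sections):
    """Summarise the facts the post tells you to look for."""
    state = sections.get("Device State", {})
    details = sections.get("Device Details", {})
    sso = sections.get("SSO State", {})
    has_prt = sso.get("AzureAdPrt") == "YES"
    tpm = details.get("TpmProtected") == "YES"
    if not has_prt:
        note = "no PRT for this user on this device (SSO State is per logged-on user: do not run as SYSTEM)"
    elif tpm:
        note = "PRT present; device keys are TPM-backed"
    else:
        note = "PRT present but device keys are not TPM-backed: session key protection is software-only"
    return {
        "entra_joined": state.get("AzureAdJoined") == "YES",
        "has_prt": has_prt,
        "tpm_protected": tpm,
        "prt_updated": sso.get("AzureAdPrtUpdateTime"),
        "prt_expires": sso.get("AzureAdPrtExpiryTime"),
        "authority": sso.get("AzureAdPrtAuthority"),
        "note": note,
    }


def status_text():
    """Real output on Windows, the constructed sample everywhere else."""
    if platform.system() == "Windows":
        return subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True, check=False).stdout
    return SAMPLE_OUTPUT


if __name__ == "__main__":
    for key, value in prt_report(parse_dsregcmd(status_text())).items():
        print(f"{key:>14}: {value}")
```

Run it in the context of the user whose SSO state you care about; the SSO State section reflects the invoking user, so an elevated or SYSTEM shell will report no PRT for an interactive user who does have one.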

An issued primary refresh token is good for two weeks (14 days) and continuously renewed every 4 hours as long as the related user is active on
