Original Sin of SSO: macOS PRT Cookie Theft & Entra ID Persistence via Device Forgery

Presented at DEF CON 33 (2025), Aug. 9, 2025, 11:30 a.m. (45 minutes).

While the theft of Primary Refresh Token (PRT) cookies on Windows has been extensively studied, similar attacks on macOS remain largely unexplored. As organizations increasingly use Microsoft Intune to manage both Windows and macOS devices, a critical question arises: can attackers also extract PRT cookies from macOS? In this talk, we present our research into Microsoft's SSO implementation within the Intune Company Portal for macOS. We compare authentication flows and security controls between Windows and macOS, exposing weaknesses that allow attackers to bypass process validation and obtain authentication tokens under certain conditions. Another obstacle for attackers has been Microsoft's efforts to make it harder to register new devices with stolen credentials for persistence. Our research introduces a novel technique: once an attacker acquires a token carrying an MFA claim on the device, they can still register new devices and mint fresh tokens, regardless of when the originally stolen token expires. We will demonstrate PRT cookie extraction on macOS and release a proof-of-concept tool, showing not only that credential theft techniques now extend beyond Windows to macOS environments, but also how attackers can leverage these techniques for long-term persistence.

References:

This research was inspired by the following previous studies, which sparked our interest in investigating the theft of PRT cookies on macOS and in exploring new persistence techniques.

- "Attacking Primary Refresh Tokens using their macOS implementation" [link](https://troopers.de/troopers24/talks/3vlccy/). This research inspired us to consider that macOS might be a valuable target for in-depth security analysis.
- "Bypassing Entra ID Conditional Access Like APT: A Deep Dive Into Device Authentication Mechanisms for Building Your Own PRT Cookie" [link](https://www.blackhat.com/asia-24/briefings/schedule/#bypassing-entra-id-conditional-access-like-apt-a-deep-dive-into-device-authentication-mechanisms-for-building-your-own-prt-cookie-37344). The theft of Windows PRT cookies led us to consider the possibility of conducting similar attacks on macOS. However, our investigation revealed that macOS implements more complex and robust security protections.
- "(Windows) Hello from the other side" [link](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_TR23_final.pdf). This study helped us understand the state-of-the-art hardening measures that Microsoft has implemented to prevent the use of stolen credentials for registering new devices and platform credentials (Windows Hello for Business keys).
- "A valid Microsoft session can be abused to reset the user's password and remove multi-factor authentication (MFA) to take over an account." [link](https://bastionsecurity.co.nz/advisories/microsoft-account-takeover.html). We did not discover this article until after we had identified the new persistence technique. From our perspective, Microsoft did not fix this vulnerability properly; however, Microsoft no longer considers our similar issue a vulnerability.
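The persistence technique summarized above (re-using a token that already carries an MFA claim to register a new device) leaves a trail in the tenant's directory audit log rather than on the endpoint. As an added defender-side example, not code from the talk or its proof-of-concept tool, the script below correlates device-registration audit events with the registering user's recent sign-ins and flags registrations that come from an IP address the user never signed in from, or that repeat within a short window. The record layouts are modelled on Microsoft Graph `auditLogs/directoryAudits` and `auditLogs/signIns` objects, but the exact field names, the activity names in `REGISTRATION_ACTIVITIES`, and all sample events are assumptions constructed for this example; verify them against an export from your own tenant.

```python
"""Hunt Entra ID audit logs for device registrations that do not line up with the
registering user's recent sign-ins.

Added illustrative example, not code from the talk or its proof-of-concept tool.
Record layouts are modelled on Microsoft Graph auditLogs/directoryAudits and
auditLogs/signIns objects, but the field names used here and every sample event
below are assumptions / constructed test data.
"""
from datetime import datetime, timedelta, timezone

# Audit-log activity names assumed to correspond to a new device object
# (check the "Device" category in your tenant's audit log for the real values).
REGISTRATION_ACTIVITIES = {"Register device", "Add device"}


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_suspicious_registrations(audit_events, signins, window_hours=24):
    """Return one finding per device-registration audit event that either
    (a) originates from an IP address absent from that user's sign-ins in the
        preceding window (what a registration driven by a replayed MFA-bearing
        token from attacker infrastructure would look like), or
    (b) is the user's second or later registration inside the window."""
    window = timedelta(hours=window_hours)
    regs = sorted(
        (e for e in audit_events if e.get("activityDisplayName") in REGISTRATION_ACTIVITIES),
        key=lambda e: _ts(e["activityDateTime"]),
    )
    findings = []
    for ev in regs:
        actor = ev["initiatedBy"]["user"]
        user = actor["userPrincipalName"].lower()
        reg_ip = actor.get("ipAddress")
        when = _ts(ev["activityDateTime"])

        # IPs this user signed in from during the look-back window.
        known_ips = {
            s["ipAddress"]
            for s in signins
            if s["userPrincipalName"].lower() == user
            and when - window <= _ts(s["createdDateTime"]) <= when
        }
        # Other registrations by the same user inside the window.
        earlier_regs = [
            r for r in regs
            if r is not ev
            and r["initiatedBy"]["user"]["userPrincipalName"].lower() == user
            and when - window <= _ts(r["activityDateTime"]) < when
        ]

        reasons = []
        if reg_ip not in known_ips:
            reasons.append("unseen_ip")
        if earlier_regs:
            reasons.append("repeat_registration")
        if not reasons:
            continue

        device = next(
            (t.get("displayName") for t in ev.get("targetResources", []) if t.get("type") == "Device"),
            None,
        )
        findings.append({"user": user, "device": device, "ip": reg_ip,
                         "time": when.isoformat(), "reasons": reasons})
    return findings


# Constructed sample data (not real tenant logs).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-08-09T08:00:00Z",
     "ipAddress": "10.0.0.5", "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"operatingSystem": "MacOs", "deviceId": "aaaa-1111"}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-08-09T08:30:00Z",
     "ipAddress": "10.0.0.7", "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"operatingSystem": "Windows", "deviceId": "bbbb-2222"}},
]

SAMPLE_AUDIT = [
    # Alice's MFA-bearing token is replayed from outside the corporate network to
    # register a brand-new device: the IP never appeared in her sign-ins.
    {"activityDisplayName": "Register device", "activityDateTime": "2025-08-09T09:15:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.9"}},
     "targetResources": [{"type": "Device", "displayName": "MacBook-Pro-2"}]},
    # Bob enrols a device from the same address he signed in from: benign.
    {"activityDisplayName": "Register device", "activityDateTime": "2025-08-09T09:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "ipAddress": "10.0.0.7"}},
     "targetResources": [{"type": "Device", "displayName": "DESKTOP-BOB"}]},
    # Unrelated audit activity is ignored.
    {"activityDisplayName": "Update user", "activityDateTime": "2025-08-09T09:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "ipAddress": "10.0.0.7"}},
     "targetResources": [{"type": "User", "displayName": "Bob"}]},
]


if __name__ == "__main__":
    for finding in find_suspicious_registrations(SAMPLE_AUDIT, SAMPLE_SIGNINS):
        print(finding)
```

On the sample data only Alice's registration is reported, with reason `unseen_ip`. In a real tenant, feed the function a day's worth of both logs and tune `window_hours` to how quickly your users normally sign in before enrolling; an IP-based heuristic will not catch an attacker who registers from the victim's own network, so treat a hit as a trigger to pull the new device's registration details and the token-issuing sign-in, not as proof on its own.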

Presenters:

  • Shang-De "HackerPeanutJohn" Jiang
    Shang-De Jiang is a deputy director of the research team at CyCraft. He currently focuses on research in incident response, endpoint security and Microsoft security. He has given technical presentations at non-academic conferences such as TROOPERS, HITB, HITCON, CodeBlue, Blue Team Summit and Black Hat USA. He is a co-founder of UCCU Hacker, a private hacker group in Taiwan.
  • Dong-Yi "Kazma Ye" Ye
    Kazma is a university student from Taiwan and a cybersecurity intern at CyCraft. His current work focuses on how Microsoft Entra ID integrates and behaves on macOS, diving deep into binary internals and real-world authentication logic. He is also a CTF player with the B33F 50UP team, with a passion for reverse engineering and binary exploitation.
  • Tung-Lin "Echo Lee" Lee
    Echo is a cybersecurity researcher at CyCraft Technology, specializing in network and cloud security. He has presented at industry conferences, including DEVCORECONF, HITCON ENT, ROOTCON, InfoSec Taiwan, and CyberSec.
