Pass the Cookie
If a user has an active logon session on Azure or M365, the browser stores a cookie called ESTSAUTH, which can be exposed or stolen from the browser cache, a memory dump of running processes, malicious browser extensions, or the Chrome cookies file. Reading it from the Chrome cookies file relies on:
- the Chrome decryption key, stored at `%appdata%\Local\Google\Chrome\User Data\Default\Local State`
- the `CryptUnprotectData` API, used to access the login details stored at `%appdata%\Google\Chrome\User Data\Default\Login Data`
To decrypt the login information we'll use this script (it's Nim, get over it):

```
PS /home/otter> nim.exe r chrome_dump_bin.nim > user.cookie
```
Once the tool has extracted the ESTSAUTH cookie we can use it to authenticate in the browser.