
Pass the Cookie

If a user has an active logon session on Azure or M365, the browser stores a cookie called ESTSAUTH, which can be exposed or stolen from the browser cache, a memory dump of running processes, malicious browser extensions, or the Chrome cookies file.

The cookies are encrypted, so we need to decrypt them according to the browser that stores them; for demonstration's sake we'll assume the victim is using Chrome (a quite plausible scenario). In this case we need:

  • the Chrome decryption key, stored in %appdata%\Local\Google\Chrome\User Data\Default\Local State
  • the CryptUnprotectData API, to access the login details stored in %appdata%\Google\Chrome\User Data\Default\Login Data

To decrypt the login information we'll use this script (it's Nim, get over it).

PS /home/otter> nim.exe r chrome_dump_bin.nim > user.cookie

Once the tool has extracted the ESTSAUTH cookie we can use it to authenticate in the browser.
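A defender-side check for the access pattern described above, added here as an example and not part of the original write-up: it assumes object-access auditing (Windows Security event 4663) is enabled on the Chrome profile directory and flags reads of Local State, Login Data or the Cookies database by any process other than chrome.exe. The event records, the allow-list and the dumper's file name are constructed for the example.

```python
# Added example: flags non-browser reads of Chrome's DPAPI key / credential stores.
# Assumes object-access auditing (Windows Security event 4663) on the Chrome profile.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Files named on the page plus Chrome's cookie DB; matched by basename (assumption).
SENSITIVE_FILES = {"local state", "login data", "cookies"}
ALLOWED_PROCESSES = {"chrome.exe"}  # expected readers (assumption; extend per estate)
READ_DATA = 0x1  # ReadData bit of the 4663 AccessMask field

@dataclass(frozen=True)
class ObjectAccessEvent:
    event_id: int
    subject_user: str
    object_name: str
    process_name: str
    access_mask: int

def is_suspicious(ev: ObjectAccessEvent) -> bool:
    # Only completed read accesses (4663), not handle requests (4656) or writes.
    if ev.event_id != 4663 or not ev.access_mask & READ_DATA:
        return False
    target = PureWindowsPath(ev.object_name)
    if "\\google\\chrome\\user data\\" not in str(target).lower():
        return False
    if target.name.lower() not in SENSITIVE_FILES:
        return False
    return PureWindowsPath(ev.process_name).name.lower() not in ALLOWED_PROCESSES

def find_cookie_theft(events):
    return [ev for ev in events if is_suspicious(ev)]

# Constructed sample events, not real telemetry; the dumper's name follows the page.
PROFILE = r"C:\Users\otter\AppData\Local\Google\Chrome\User Data\Default"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DUMPER = r"C:\Users\otter\Downloads\chrome_dump_bin.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ObjectAccessEvent(4663, "otter", PROFILE + r"\Local State", CHROME, 0x1),  # benign
    ObjectAccessEvent(4663, "otter", PROFILE + r"\Local State", DUMPER, 0x1),  # alert
    ObjectAccessEvent(4663, "otter", PROFILE + r"\Network\Cookies", PWSH, 0x1),  # alert
    ObjectAccessEvent(4663, "otter", PROFILE + r"\Login Data", DUMPER, 0x2),  # write, no read
    ObjectAccessEvent(4656, "otter", PROFILE + r"\Login Data", DUMPER, 0x1),  # handle request
]

if __name__ == "__main__":
    for ev in find_cookie_theft(SAMPLE_EVENTS):
        print(f"ALERT {ev.subject_user}: {ev.process_name} read {ev.object_name}")
```

In a real deployment the events come from the Security log (or your SIEM's 4663 normalisation) rather than the constructed list, and the allow-list should cover any legitimate backup or EDR processes that read the profile.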