Az - Pass the Cookie

Support HackTricks and get benefits!

Why Cookies?

Browser cookies are a great mechanism to bypass authentication and MFA. Because the user has already authenticated in the application, the session cookie can just be used to access data as that user, without needing to re-authenticate.
You can see where are browser cookies located in:


The challenging part is that those cookies are encrypted for the user via the Microsoft Data Protection API (DPAPI). This is encrypted using cryptographic keys tied to the user the cookies belong to. You can find more information about this in:
With Mimikatz in hand, I am able to extract a user’s cookies even though they are encrypted with this command:
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
For Azure, we care about the authentication cookies including ESTSAUTH, ESTSAUTHPERSISTENT, and ESTSAUTHLIGHT. You can see those are there because the user has been active on Azure lately:
Just navigate to and add the cookie ESTSAUTHPERSISTENT (generated by “Stay Signed In” option) or ESTSAUTH. And you will be authenticated.


Support HackTricks and get benefits!