Why Cookies?

Browser cookies are a great mechanism to bypass authentication and MFA. Because the user has already authenticated in the application, the session cookie can just be used to access data as that user, without needing to re-authenticate.

You can see where are browser cookies located in:

Attack

The challenging part is that those cookies are encrypted for the user via the Microsoft Data Protection API (DPAPI). This is encrypted using cryptographic keys tied to the user the cookies belong to. You can find more information about this in:

With Mimikatz in hand, I am able to extract a user’s cookies even though they are encrypted with this command:

mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit

For Azure, we care about the authentication cookies including ESTSAUTH, ESTSAUTHPERSISTENT, and ESTSAUTHLIGHT. Those are there because the user has been active on Azure lately.

Just navigate to login.microsoftonline.com and add the cookie ESTSAUTHPERSISTENT (generated by “Stay Signed In” option) or ESTSAUTH. And you will be authenticated.

References

• https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/