Az - Processes Memory Access Token
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
As explained in this video, some Microsoft software synchronized with the cloud (Excel, Teams...) might store access tokens in clear-text in memory. So just dumping the memory of the process and grepping for JWT tokens might grant you access over several resources of the victim in the cloud bypassing MFA.
Steps:
Dump the excel processes syncronized with in EntraID user with your favourite tool.
Run: string excel.dmp | grep 'eyJ0'
and find several tokens in the output
Find the tokens that interest you the most and run tools over them:
Note that these kind of access tokens can be also found inside other processes.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)