Az - Processes Memory Access Token
Basic Information
As explained in this video, some Microsoft software synchronized with the cloud (Excel, Teams...) might store access tokens in clear-text in memory. So just dumping the memory of the process and grepping for JWT tokens might grant you access over several resources of the victim in the cloud bypassing MFA.
Steps:
Dump the excel processes syncronized with in EntraID user with your favourite tool.
Run:
string excel.dmp | grep 'eyJ0'
and find several tokens in the outputFind the tokens that interest you the most and run tools over them:
Note that these kind of access tokens can be also found inside other processes.
Last updated