Stealing Access Tokens

Stealing Access Tokens From Office Desktop Applications

Introduction

Dumping tokens from Microsoft Office desktop applications’ memory

Update: This only works against Microsoft 365, which is generally what organizations use. It will not work on Microsoft Office Professional Plus.

Update 2: Within a matter of days, tools have already been built to dump Office desktop application tokens.


Practical

Dumping the Memory of an Office Application

  • Download and install Process Explorer

  • Run Process Explorer

  • Press Ctrl+F and search for any Office application (e.g., OneNote, Word, Excel)

  • Right click on the process

  • Select the Create Dump option from the menu

  • Select the Create full dump option from the drop-down list

  • Save the memory dump

Extract Access Tokens from Memory Dump

  • Download and install the Strings utility

  • Navigate to the Strings folder

  • Run the following command:

strings64.exe C:\Users\rohan\OneDrive\Desktop\ONENOTE.dmp | findstr /i eyJ0eX

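This returns the JWTs found in the dump, which can then be decoded using the https://jwt.io/ website. The filter works because eyJ0eX is the Base64 encoding of {"ty, the start of a JWT header whose first field is typ.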
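
For incident-response triage, the decode step can be done offline so that a token recovered from a dump is never pasted into a third-party website. The following is an added example, not code from the original page: it applies the same eyJ0eX prefix to text output, decodes the header and claims locally, and keeps only a signature-free summary. The function names and the sample token values are constructed for illustration.

```python
import base64
import json
import re
import time

# Same prefix the findstr filter uses: "eyJ0eX" is base64url for '{"ty',
# the start of a JSON header whose first key is "typ".
JWT_RE = re.compile(r"eyJ0eX[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url_json(segment):
    """Decode one base64url segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def triage_tokens(text, now=None):
    """Summarize each distinct JWT in text; the signature is never kept."""
    now = time.time() if now is None else now
    findings = []
    for token in dict.fromkeys(JWT_RE.findall(text)):  # de-duplicate, keep order
        header_b64, payload_b64, _signature = token.split(".")
        try:
            header = _b64url_json(header_b64)
            claims = _b64url_json(payload_b64)
        except ValueError:
            continue  # JWT-shaped noise, not a decodable token
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            continue
        exp = claims.get("exp")
        findings.append({
            "alg": header.get("alg"),
            "aud": claims.get("aud"),   # resource the token is valid for
            "scp": claims.get("scp"),   # delegated permissions, if present
            "exp": exp,
            "expired": isinstance(exp, (int, float)) and exp <= now,
            "redacted": f"{header_b64}.{payload_b64}.<signature removed>",
        })
    return findings

def _encode(obj):  # helper used only to build the constructed sample below
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample input (not a real token): one JWT plus one decoy string.
SAMPLE = "heap junk eyJ0eXxx.yy.zz " + ".".join([
    _encode({"typ": "JWT", "alg": "RS256"}),
    _encode({"aud": "https://graph.microsoft.com", "scp": "Mail.Read", "exp": 1700000000}),
    "c2lnbmF0dXJl"]) + " more junk"

if __name__ == "__main__":
    print(json.dumps(triage_tokens(SAMPLE), indent=2))
```

An unexpired finding tells the responder which resource (aud) and permissions (scp) were exposed and until when (exp), which scopes the session revocation that follows.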
