I made this client to test various features of Azure AD Identity Protection.
📑 Based on testing, Identity Protection needs some 10-30 days of sign-in data before any alerts fire for replayed cookies
Example detections
Unfamiliar sign-in properties: this can be detected on both interactive and non-interactive sign-ins. When it fires on non-interactive sign-ins, it deserves increased scrutiny due to the risk of token replay attacks.
Anomalous token: this detection indicates that there are abnormal characteristics in the token, such as an unusual token lifetime or a token that is played from an unfamiliar location. It covers session tokens and refresh tokens.
⚠ Only use this tool if you know what you are doing and have reviewed the code
⚠ Always test the tool first in test environments, with non-sensitive data
As the license says: 0% liability, 0% warranty
Uses the ESTSAUTH cookie for the non-device-SSO flow (device SSO cookies require different attributes in the requests). With the replayed cookie it:
- Sends mail to the user
- Gets the user's mail settings
- Tries to list the user's Azure subscriptions
- Uploads random data from randomuser.me/api to OneDrive
Prerequisites
- Azure Cloud Shell opened in BASH
Run the setup script (review remote.sh before piping it to bash, as the warnings above say):
curl -o- https://raw.githubusercontent.com/jsa2/aadcookiespoof/main/remote.sh | bash
From any browser, perform a fresh sign-in via https://office.com, then copy the FIRST occurrence of the ESTSAUTH cookie from that fresh sign-in (use an InPrivate window so that no device flows are used and no existing session is active).
(If you are doing MFA, take the cookie from the /SAS/ProcessAuth step.)
Run the following in bash to create the template, pasting the cookie contents into the command:
echo '[
{
"user":"mega",
"cookie":"ESTSAUTH=0.AU8Aob9...."
}
]' > cookies.json
❌ The tool checks that the cookie length matches the expected length before proceeding. Don't select "Keep me signed in" (KMSI) when signing in, since a KMSI sign-in produces a different cookie.
Spoof
RUN
cd aadcookiespoof
node manual.js