A Beacon Object File (BOF) that obtains Microsoft Entra access and refresh tokens by launching a browser with an OAuth authorization code flow URL. This technique allows operators to keep all token exchange activities on the endpoint and circumvent conditional access policies.
Blog: Obtaining Microsoft Entra Refresh Tokens via Beacon
- Launches a new browser tab (via
CreateProcessA) with an OAuth authorization URL - Monitors window titles for the redirect containing the authorization code
- Exchanges the code for access and refresh tokens
- User must be authenticated to Entra ID in their browser (valid
ESTSAUTHcookies) - Client ID must have consent in the tenant
- Client ID must accept
https://login.microsoftonline.com/common/oauth2/nativeclientredirect URI
Load entra-authcode-flow.cna in Cobalt Strike (or the Python script for Outflank C2).
beacon> entra-authcode-flow <clientid> <scope> <browser> [email_hint]
beacon> entra-authcode-flow 1fec8e78-bce4-4aaf-ab1b-5451cc387264 "openid offline_access https://graph.microsoft.com/.default" 0 bob@example.com
- @freefirex: get_azure_token BOF - Original Azure token BOF implementation
- Secureworks: Family of Client IDs Research - Client IDs
- @_dirkjan: ROADtools First-Party Scopes - Microsoft first-party application scopes