Skip to content

sudonoodle/BOF-entra-authcode-flow

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Microsoft Entra Authcode Flow BOF

A Beacon Object File (BOF) that obtains Microsoft Entra access and refresh tokens by launching a browser with an OAuth authorization code flow URL. This technique allows operators to keep all token exchange activities on the endpoint and circumvent conditional access policies.

Blog: Obtaining Microsoft Entra Refresh Tokens via Beacon

image

How It Works

  1. Launches a new browser tab (via CreateProcessA) with an OAuth authorization URL
  2. Monitors window titles for the redirect containing the authorization code
  3. Exchanges the code for access and refresh tokens

Requirements

  • User must be authenticated to Entra ID in their browser (valid ESTSAUTH cookies)
  • Client ID must have consent in the tenant
  • Client ID must accept https://login.microsoftonline.com/common/oauth2/nativeclient redirect URI

Usage

Load entra-authcode-flow.cna in Cobalt Strike (or the Python script for Outflank C2).

beacon> entra-authcode-flow <clientid> <scope> <browser> [email_hint]
beacon> entra-authcode-flow 1fec8e78-bce4-4aaf-ab1b-5451cc387264 "openid offline_access https://graph.microsoft.com/.default" 0 bob@example.com

References

About

Beacon Object File (BOF) to obtain Entra tokens via authcode flow.

Resources

License

Stars

138 stars

Watchers

2 watching

Forks

Releases

No releases published

Contributors