# Pass the Cookie

If a user has an active logon session on Azure or M365, the browser stores a cookie called ESTSAUTH, which can be exposed or stolen from the browser cache, a memory dump of running processes, malicious browser extensions, or the Chrome cookies file.

The cookies are encrypted, so they have to be decrypted according to the browser that stores them. For demonstration's sake we'll imagine that the victim user is using Chrome (a quite possible scenario); in this case we'll need:

* the Chrome decryption key, stored at `%appdata%\Local\Google\Chrome\User Data\Default\Local State`
* the `CryptUnprotectData` API to access the login details stored at `%appdata%\Google\Chrome\User Data\Default\Login Data`

To decrypt the login information we'll use [this](https://github.com/byt3bl33d3r/OffensiveNim/blame/master/src/chrome_dump_bin.nim) script (it's NIM, get over it).

```
PS /home/otter> nim.exe r chrome_dump_bin.nim > user.cookie
```

Once the tool has extracted the ESTSAUTH cookie we can use it to authenticate in the browser.
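
The detection side of the file access described above, as an added example that is not part of the original page: it scans Windows Security event 4663 records for any image other than Chrome opening the `Local State`, `Login Data` or cookie files. It assumes object-access auditing is enabled on the Chrome profile directory; the sample events, user name and allow-list are constructed for illustration.

```python
import ntpath

# Chrome profile files named on this page: key file, login store, cookie store.
SENSITIVE_NAMES = {"local state", "login data", "cookies"}
PROFILE_MARKER = "\\google\\chrome\\user data\\"
# Assumption: the only image expected to open these files is Chrome itself,
# installed at its default location.
ALLOWED_IMAGES = {r"c:\program files\google\chrome\application\chrome.exe"}


def is_sensitive(object_name):
    """True if the path is a Chrome key, login or cookie file."""
    path = object_name.lower()
    return PROFILE_MARKER in path and ntpath.basename(path) in SENSITIVE_NAMES


def suspicious_reads(events):
    """Return (process, file) pairs where an unexpected image touched a sensitive file."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:  # 4663: an attempt was made to access an object
            continue
        image = ev.get("ProcessName", "")
        target = ev.get("ObjectName", "")
        # Compare the full image path so a chrome.exe dropped elsewhere still alerts.
        if is_sensitive(target) and image.lower() not in ALLOWED_IMAGES:
            hits.append((image, target))
    return hits


# Constructed sample events (not real telemetry), using 4663 field names.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessName": CHROME, "ObjectName": PROFILE + r"\Default\Network\Cookies"},
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "ObjectName": PROFILE + r"\Local State"},
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\Downloads\chrome.exe",
     "ObjectName": PROFILE + r"\Default\Login Data"},
    {"EventID": 4663, "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 4656, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "ObjectName": PROFILE + r"\Default\Login Data"},
]

if __name__ == "__main__":
    for image, target in suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT: {image} accessed {target}")
```

In a real deployment the allow-list would also need to cover legitimate readers such as backup or EDR agents, which would otherwise alert.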
