When connecting to Azure using, for example, the PowerShell Az module, a JSON Web Token is created and sometimes stored in plain text on disk and memory. I will show where to find the JSON Web Tokens on disk in this blog post, including a tool I wrote to get JSON Web Tokens from memory that contains the JSON Web Tokens, including those found on disk.
JSON Web Tokens
To securely exchange information between parties, authenticating and authorizing a JSON Web Token is commonly used.
A JSON Web Token encodes any sets of identity claims into a payload, including a header that contains how it is to be signed.
The client authenticates to an Identity Provider, and the Identity Provider creates and signs, using a private key, a JSON Web Token. When the client connects to a service, it provides the signed JSON Web Token. The service validates the token using the public key of the Identity Provider and authenticates the client.
Let us look at a JSON Web Token example:
The encoded part consists of three parts: A header, a payload, and a verify signature. If you tamper with the header or payload, the signature is not valid, and the token becomes invalid.
So, in short, having a valid JSON Web Token is the key to the kingdom.
HistorySavePath
The first and most obvious path to look for JSON Web Tokens is the HistorySavePath.
HistorySavePath is a setting that saves all PowerShell console history. When a user or admin connects to Azure using PowerShell, the command is stored to file in plain text.
Note: Since HistorySavePath loads when PowerShell starts, “Microsoft JSON Web Token Extractor” also displays these tokens.
User Profile
Depending on how a user or admin connects to Azure, the following JSON files contains the JSON Web Token in plain text:
Note: Since the JSON files load when PowerShell starts, “Microsoft JSON Web Token Extractor” also displays these tokens.
Script Block Logging
Script Block Logging saves blocks of code as PowerShell executes them. When a user or admin runs the following command in PowerShell and Script Block Logging is enabled, the event viewer contains the JSON Web Token.
Note: Script Block Logging setting is disabled by default but enabled by many companies due to monitoring.
Microsoft JSON Web Token Extractor
A JSON Web Token is created in memory when connecting to Azure using PowerShell using the following command:
I wondered if I could extract the JSON Web Token from memory without dumping anything on disk to avoid a trigger from any Endpoint Detection and Response solution.
The result is a C# tool to extract all JSON Web Tokens found in memory used by PowerShell, including those found on disk.
Conclusion
My idea was to jump from on-premises to the cloud without dumping the process to disk using standard tools. The token still needs to be valid, and a user or an admin needs to connect to Azure using PowerShell, but if they do, an attacker can connect to the cloud without touching any other device in the network and stay low-profile.
Microsoft Security Blog 