Revolutionizing Red Teaming: Secure Passkey Generation from ESTSAUTH Cookies with Azure Key Vault – A Game Changer for Pentesters + Video

Listen to this Post

Featured Image

Introduction:

ESTSAUTH cookies are the silent guardians of Microsoft authentication—capturing them during a red team operation can open doors to persistent access, but handling these credentials securely has always been a challenge. Nathan McNulty’s latest innovation shifts the paradigm by integrating Azure Key Vault into the passkey creation process, ensuring that sensitive cryptographic material never touches disk and is managed with enterprise-grade security controls. This article dissects the technical workflow, provides a hands‑on guide to deploying the solution, and explores why this approach is a must‑have for modern penetration testers.

Learning Objectives:

  • Understand the role of ESTSAUTH cookies in Azure AD authentication and how they can be leveraged for passkey generation.
  • Learn to provision and configure Azure Key Vault with the necessary cryptographic permissions.
  • Execute Nathan McNulty’s enhanced script to securely create software passkeys using cloud‑based key management.
  • Identify operational security best practices when integrating cloud HSM capabilities into red team tooling.

You Should Know:

  1. ESTSAUTH Cookies and Their Significance in Red Teaming
    ESTSAUTH (Enterprise Session Token Authentication) cookies are issued by Microsoft’s authentication services and are used to maintain session state across Azure AD‑integrated applications. For an attacker or red teamer, exfiltrating these cookies can lead to session hijacking or the creation of persistent access tokens. The traditional approach involved writing these secrets directly to disk or memory, creating a significant risk of detection and credential compromise.

Step‑by‑step: Manual extraction of ESTSAUTH cookies (for context)

  • On a compromised Windows host, use tools like Mimikatz or a custom PowerShell script to extract cookies from browser storage or LSASS.
  • Example PowerShell snippet to list cookies from Edge:
    Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Cookies" -ErrorAction SilentlyContinue
    
  • However, this raw extraction leaves the cookie exposed. The new method avoids this by immediately passing the cookie to Azure Key Vault.

2. Provisioning Azure Key Vault for Cryptographic Operations

Azure Key Vault acts as a Hardware Security Module (HSM) in the cloud, ensuring that private keys never leave the vault. To use it for passkey generation, you must create a vault and grant yourself the Key Vault Crypto Officer role, which permits key creation and cryptographic operations.

Prerequisites:

  • An active Azure subscription.
  • Azure CLI installed and authenticated (az login).

Step‑by‑step: Azure Key Vault setup

 Set variables
RESOURCE_GROUP="RedTeamRG"
LOCATION="eastus"
KEYVAULT_NAME="RedTeamPasskeyVault"

Create resource group
az group create --name $RESOURCE_GROUP --location $LOCATION

Create Key Vault (enable soft-delete and purge protection for safety)
az keyvault create \
--name $KEYVAULT_NAME \
--resource-group $RESOURCE_GROUP \
--location $LOCATION \
--enable-soft-delete true \
--enable-purge-protection true

Assign yourself the Key Vault Crypto Officer role
USER_OBJECT_ID=$(az ad signed-in-user show --query id -o tsv)
az role assignment create \
--assignee $USER_OBJECT_ID \
--role "Key Vault Crypto Officer" \
--scope $(az keyvault show --name $KEYVAULT_NAME --query id -o tsv)

After this, your account can create and manage keys inside the vault.

3. Deploying Nathan McNulty’s Secure Passkey Script

The script (available at https://lnkd.in/gpQsQ_Pz) replaces local key storage with Azure Key Vault. It accepts an ESTSAUTH cookie as input and generates a software passkey—an asymmetric key pair—where the private key is stored and used exclusively inside the vault. The script is likely written in Python and uses the Azure SDK.

Step‑by‑step: Running the script

  1. Clone the repository (assuming GitHub after resolving the short link):
    git clone https://github.com/NathanMcNulty/secure-passkey-estasauth.git
    cd secure-passkey-estasauth
    

2. Install dependencies:

pip install azure-identity azure-keyvault-keys requests

3. Set environment variables for authentication (avoid hardcoding secrets):

export AZURE_KEY_VAULT_URL="https://RedTeamPasskeyVault.vault.azure.net"
export ESTSAUTH_COOKIE="<your_extracted_cookie_value>"

4. Run the script:

python generate_passkey.py --cookie $ESTSAUTH_COOKIE --vault-url $AZURE_KEY_VAULT_URL

The script will:

  • Authenticate to Azure using your current CLI credentials.
  • Create a new RSA or EC key in the vault (e.g., named passkey-<timestamp>).
  • Use the ESTSAUTH cookie to derive or associate the passkey with the target session.
  • Output the public key or a reference ID that can be used later for authentication.

Verification:

List the keys in your vault to confirm creation:

az keyvault key list --vault-name $KEYVAULT_NAME --query "[].kid" -o tsv

Each key has a unique identifier (kid) that can be used in subsequent cryptographic operations without ever exposing the private material.

4. Operational Security and Best Practices

Using Azure Key Vault introduces both security benefits and operational considerations:
– Network isolation: Restrict access to the vault with IP firewalls and virtual network rules to ensure only your red team infrastructure can reach it.
– Audit logging: Enable Azure Monitor diagnostics to log all key operations—invaluable for after‑action reports and detecting misuse.
– Key rotation: The script can be extended to automatically rotate passkeys on a schedule or after each use, minimizing the impact of a compromised session.
– Avoiding cloud provider lock‑in: While the script currently targets Azure, the pattern can be adapted to other KMS solutions (AWS KMS, HashiCorp Vault) with minimal changes.

5. Troubleshooting Common Issues

  • Authentication failures: Ensure your Azure CLI is logged in and has the Key Vault Crypto Officer role. Test with `az keyvault key create` manually.
  • Cookie format: The ESTSAUTH cookie may require URL decoding or base64 conversion. Check the script’s expected input format.
  • Rate limiting: Azure Key Vault enforces transaction limits. If generating many passkeys, implement exponential backoff or use premium tier for higher throughput.

What Undercode Say:

  • Key Takeaway 1: Shifting cryptographic operations to a managed HSM like Azure Key Vault eliminates the risk of private key exposure on compromised endpoints—a critical upgrade for red team persistence mechanisms.
  • Key Takeaway 2: This integration demonstrates how red team tooling can evolve by leveraging cloud security primitives, blurring the line between attack simulation and enterprise defense best practices.

In an era where endpoint detection and response (EDR) tools aggressively hunt for credential dumping, storing passkeys outside the target environment provides a stealthier and more resilient foothold. However, operators must balance this with the operational overhead of cloud authentication and the potential for detection via anomalous API calls to Azure. The approach signals a broader trend: future red team frameworks will increasingly rely on cloud services for command‑and‑control and credential management, forcing defenders to monitor both internal and external telemetry.

Prediction:

Within the next 12 months, we will see a proliferation of red team tools that offload sensitive operations to cloud KMS and HSMs, driving a new arms race where defenders must correlate on‑premise activity with cloud control plane logs. This will push blue teams to integrate Azure Activity Logs, AWS CloudTrail, and similar sources into their SIEMs, and develop detection rules for anomalous cryptographic operations performed by non‑human identities.

▶️ Related Video (70% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Nathanmcnulty If – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky