You Should Know:
Recovering web tokens from Office applications can be critical for security assessments, penetration testing, and red team operations. Below are key techniques, commands, and steps to extract and analyze web tokens from Microsoft Office applications.
1. Extracting WAM (Web Account Manager) Tokens from Windows
WAM stores authentication tokens for web accounts linked to Office applications. Use PowerShell to extract these tokens:
```powershell
# List all WAM accounts (one subkey per account)
Get-ChildItem "HKCU:\Software\Microsoft\IdentityCRL\UserExtendedProperties"

# Extract token details: read the properties of each account subkey
# (Get-ItemProperty on the parent key alone would return only the parent's own values)
$wamTokens = Get-ChildItem "HKCU:\Software\Microsoft\IdentityCRL\UserExtendedProperties" |
    Get-ItemProperty
$wamTokens | Select-Object PSChildName, TokenData
```
2. Dumping Browser Cookies & Session Tokens
Office applications often interact with browsers for OAuth tokens. Use Chrome DevTools or SQLite to extract cookies:
```bash
# Linux: Chrome profile directory (the Cookies database is a file inside it, so cd to the
# directory, not the file). On macOS the profile lives under
# ~/Library/Application Support/Google/Chrome/Default instead.
cd ~/.config/google-chrome/Default
# Query the cookie table; close Chrome first or it may hold a lock on the database
sqlite3 Cookies "SELECT * FROM cookies WHERE host_key LIKE '%microsoftonline.com%'"
```
3. Using Procmon to Monitor Office Token Access
- Download Process Monitor (Procmon) from Microsoft.
- Filter for `WINWORD.EXE` or `EXCEL.EXE` and look for registry key accesses related to `IdentityCRL`.
4. Mimikatz for Token Extraction (Red Team)
If you have elevated privileges, use Mimikatz to dump tokens:
```text
mimikatz.exe "token::elevate" "token::list"
```
5. Analyzing Office Add-ins for Token Leaks
Some Office add-ins store tokens insecurely. Check:
```powershell
# Search add-in files for the string "token"
Get-ChildItem "$env:APPDATA\Microsoft\AddIns\" -Recurse -File | Select-String "token"
```
What Undercode Says
Recovering web tokens from Office apps is a powerful technique for security professionals. Always ensure proper authorization before testing. Below are additional Linux and Windows commands for token analysis:
Linux Commands:
```bash
# Check active network connections (may reveal token exfiltration)
netstat -tulnp
# Search for cached tokens in temp files
grep -r "access_token" /tmp/
```
Windows Commands:
```bat
REM Check Office recent documents (may contain auth links)
dir "%APPDATA%\Microsoft\Office\Recent\"
REM List running Office processes
REM (findstr takes space-separated search strings; it does not support | alternation)
tasklist | findstr /I "WINWORD EXCEL OUTLOOK"
```
Defensive Measures:
- Disable WAM token caching via Group Policy.
- Monitor registry accesses to `IdentityCRL` keys.
- Use Microsoft LAPS to limit local admin abuse.
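The Procmon step in section 3 and the "monitor registry accesses to `IdentityCRL` keys" measure above both come down to the same question: which processes are reading the token keys, and are they the Office binaries you expect? The following Python script is an added example, not code from the original post; it triages a Procmon CSV export, separating expected Office reads of `IdentityCRL` keys from reads by any other process. The column names are assumed to match Procmon's default export, and the log lines are constructed sample data.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Procmon CSV export. Column names are assumed to
# match Procmon's default "Time of Day, Process Name, PID, Operation, Path, Result, Detail".
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","WINWORD.EXE","4120","RegOpenKey","HKCU\\Software\\Microsoft\\IdentityCRL\\UserExtendedProperties","SUCCESS","Desired Access: Read"
"10:01:02.2","WINWORD.EXE","4120","RegQueryValue","HKCU\\Software\\Microsoft\\IdentityCRL\\UserExtendedProperties\\user@example.com\\TokenData","SUCCESS","Type: REG_BINARY"
"10:01:03.0","EXCEL.EXE","5210","RegOpenKey","HKCU\\Software\\Microsoft\\Office\\16.0\\Common","SUCCESS","Desired Access: Read"
"10:01:05.4","powershell.exe","6604","RegOpenKey","HKCU\\Software\\Microsoft\\IdentityCRL\\UserExtendedProperties","SUCCESS","Desired Access: Read"
"10:01:05.5","powershell.exe","6604","RegEnumKey","HKCU\\Software\\Microsoft\\IdentityCRL\\UserExtendedProperties","SUCCESS","Index: 0"
"10:01:06.0","OUTLOOK.EXE","4880","RegQueryValue","HKCU\\Software\\Microsoft\\IdentityCRL\\UserExtendedProperties\\user@example.com\\TokenData","NAME NOT FOUND",""
"""

# Processes that legitimately read WAM state; extend to match your environment's baseline.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Any registry path containing this component belongs to the WAM token store.
TOKEN_KEY_MARKER = "\\identitycrl\\"


def parse_procmon_csv(text):
    """Parse Procmon CSV export text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def identitycrl_events(rows):
    """Keep only registry operations whose path touches an IdentityCRL key."""
    return [
        r for r in rows
        if r["Operation"].startswith("Reg") and TOKEN_KEY_MARKER in r["Path"].lower()
    ]


def triage(rows):
    """Split IdentityCRL accesses into expected (Office) and suspicious (everything else).

    Returns a dict with the matching events, the two partitions and a per-process count.
    """
    events = identitycrl_events(rows)
    expected = [e for e in events if e["Process Name"].lower() in OFFICE_PROCESSES]
    suspicious = [e for e in events if e["Process Name"].lower() not in OFFICE_PROCESSES]
    by_process = Counter(e["Process Name"].lower() for e in events)
    return {
        "events": events,
        "expected": expected,
        "suspicious": suspicious,
        "by_process": by_process,
    }


def main():
    result = triage(parse_procmon_csv(SAMPLE_PROCMON_CSV))
    print("IdentityCRL accesses per process:")
    for name, count in result["by_process"].most_common():
        tag = "expected" if name in OFFICE_PROCESSES else "REVIEW"
        print(f"  {name:<16} {count:>3}  {tag}")
    print("\nSuspicious events:")
    for e in result["suspicious"]:
        print(f"  {e['Time of Day']} {e['Process Name']} (PID {e['PID']}) "
              f"{e['Operation']} {e['Path']} -> {e['Result']}")


if __name__ == "__main__":
    main()
```

The baseline matters more than the key match: Office reading its own token store is normal, so the signal is a process outside the allow-list touching `IdentityCRL`, or an unusual volume of reads. Note also that Procmon is a troubleshooting tool, not a production sensor, and Sysmon registry events (IDs 12, 13, 14) cover key creation, deletion and value writes rather than reads; continuous monitoring of read access to these keys needs an object-access SACL on the key (Security log event 4663) or an EDR that records registry reads.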
Expected Output:
- Extracted WAM tokens from registry.
- Browser cookies containing OAuth tokens.
- Procmon logs showing token access patterns.
- Mimikatz output of elevated session tokens.
For deeper analysis, visit: blog.xpnsec.com.
References:
Reported By: Florian Hansemann – Hackers Feeds