Stealing the Keys to the Cloud: SpecterBroker Unveils the Secrets of Windows Token Broker

SpecterBroker

Advanced Windows authentication token extraction and decryption tool for red team operations and security research.

SpecterBroker is a comprehensive post-exploitation tool designed for extracting and decrypting Windows authentication tokens from multiple sources. It targets the Windows Authentication Manager (WAM), Token Broker cache (TBRes), and related authentication subsystems to retrieve Access Tokens, Refresh Tokens, ID Tokens, and NGC (Next Generation Credentials) tokens.The tool generates Json files that can be imported into the SpecterPortal tool to fully manage EntraID environments and Azure Resources!

This tool is specifically designed for:

• Red Team Operations: Token extraction during authorized penetration testing
• Security Research: Understanding Windows authentication mechanisms
• DFIR Analysis: Forensic investigation of authentication artifacts
• Educational Purposes: Learning about Windows credential storage

• Unified Extraction: Combines multiple token extraction techniques in a single tool
• DPAPI Decryption: Automatic decryption of protected token caches using Windows DPAPI
• Multiple Formats: Supports both TBRes and WAM cache formats
• FOCI Detection: Identifies Family of Client IDs (FOCI) enabled tokens
• Metadata Extraction: Retrieves UPN, tenant ID, client ID, scopes, and expiration data
• Office Master Tokens: Detects high-value Office 365 master tokens

• TBRes Cache Extraction – Decrypts .tbres files from TokenBroker cache
• WAM Cache Extraction – Processes AAD BrokerPlugin cached authentication data
• DPAPI Decryption – Leverages Windows DPAPI for automatic token decryption
• JWT Parsing – Extracts and parses JSON Web Tokens (Access & ID tokens)
• Refresh Token Extraction – Retrieves Microsoft v1 Refresh Tokens (1.AV0A format)
• NGC Token Support – Extracts Next Generation Credentials tokens
• FOCI Detection – Identifies Family of Client IDs enabled applications
• Metadata Enrichment – Extracts UPN, tenant ID, client ID, scopes, expiration

• Automatic Deduplication – Intelligent token deduplication across cache files
• Json Output compatible with SpecterPortal – Json files that can be imported into the SpecterPortal tool
• Expiration Filtering – Automatically skips expired access tokens
• Office Master Detection – Flags high-value Office 365 master tokens
• Recursive Processing – Scans entire cache directory structures
• Local User Scope – Operates with current user context (no elevation required)

Download & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy