RFC - Offensive Security Notes
Family-Of-Client-Ids - FOCI

Last updated 3 days ago

What is FOCI and why it matters: Azure uses FOCI (Family of Client IDs) to allow seamless token refreshes across Microsoft 365 apps (such as Outlook, Teams and OneDrive) without repeatedly prompting the user to log in. It links multiple first-party applications under a single refresh-token family, which improves usability, but this convenience also introduces security risk: a refresh token issued to one member of the family can be redeemed for access tokens to the other members' resources.

Azure access tokens let you authenticate to specific resource endpoints as the user who signed in, for example through a device code. If you are in possession of a FOCI-capable refresh token, you can use it to obtain access tokens for all known FOCI-capable endpoints. Because the tokens also record whether the user completed multi-factor authentication, that MFA state carries over to the tokens you obtain. Once you hold a user's access token, it may be possible to access apps such as Outlook, SharePoint, OneDrive, MS Teams and more.

For instance, with a Graph or MSGraph refresh token you can connect to Azure and dump users, groups, and so on. Depending on the conditional access policies in place, you could then switch to an Azure Core Management token and run AzureHound, then obtain an Outlook access token to read and send email, or an MS Teams token to read and send Teams messages.
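As an added example (not part of the original notes and not TokenTactics code), the following Python helper shows the defender's side of the workflow above: given an Azure AD access token, it decodes the JWT claims without verifying the signature and summarizes what an analyst triaging a suspicious token wants to know, namely the client ID (appid) that requested it, whether that client is a member of the public FOCI family, whether MFA was performed (the amr claim), and the audience and scopes. The sample token is constructed inline and unsigned, and the client-ID table is an illustrative subset of the published FOCI list, to be checked against the current list before use.

```python
import base64
import json
from typing import Any

# Public client IDs of Microsoft first-party apps documented as members of the
# FOCI family. Illustrative subset only; verify against the published list.
KNOWN_FOCI_CLIENT_IDS = {
    "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict[str, Any]:
    """Return the payload claims of a compact-serialized JWT.

    The signature is deliberately not verified: this is a triage helper for
    reading a token's claims, not an authentication check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def summarize_token(token: str) -> dict[str, Any]:
    """Summarize the claims a defender cares about when triaging a token."""
    claims = decode_jwt_claims(token)
    amr = claims.get("amr", [])
    appid = claims.get("appid")
    return {
        "audience": claims.get("aud"),
        "user": claims.get("upn") or claims.get("unique_name"),
        "client_id": appid,
        "client_name": KNOWN_FOCI_CLIENT_IDS.get(appid),
        "foci_family_client": appid in KNOWN_FOCI_CLIENT_IDS,
        "mfa_performed": "mfa" in amr,
        "scopes": claims.get("scp", "").split(),
    }


def make_unsigned_sample_token(claims: dict[str, Any]) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",  # empty signature segment: alg "none"
    ])


# Constructed sample claims in the shape of an Azure AD v1 access token
# (tenant ID and user are placeholders).
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
    "amr": ["pwd", "mfa"],
    "upn": "alice@example.com",
    "scp": "User.Read Mail.Read",
}
SAMPLE_TOKEN = make_unsigned_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(json.dumps(summarize_token(SAMPLE_TOKEN), indent=2))
```

In practice the same summary can be run over tokens recovered during an investigation, and the appid, audience and amr fields can be matched against sign-in logs: a Graph token issued to the Microsoft Office client from an unexpected IP, followed shortly by Outlook and Teams tokens for the same user, is the pattern the notes above describe.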

For more on Azure token types, see the Microsoft identity platform access tokens reference linked below.

Abusing this with TokenTactics (each cmdlet redeems a FOCI refresh token for an access token to the named resource):

Invoke-RefreshToAzureCoreManagementToken
Invoke-RefreshToAzureKeyVaultToken
Invoke-RefreshToAzureManagementToken
Invoke-RefreshToAzureStorageToken
Invoke-RefreshToDeviceRegistrationToken
Invoke-RefreshToDODMSGraphToken
Invoke-RefreshToGraphToken
Invoke-RefreshToMAMToken
Invoke-RefreshToMSGraphToken
Invoke-RefreshToMSManageToken
Invoke-RefreshToMSTeamsToken
Invoke-RefreshToOfficeAppsToken
Invoke-RefreshToOfficeManagementToken
Invoke-RefreshToOneDriveToken
Invoke-RefreshToOutlookToken
Invoke-RefreshToSharePointToken
Invoke-RefreshToSubstrateToken
Invoke-RefreshToToken
Invoke-RefreshToYammerToken
FOCI (Family of Client IDs)
FOCI capable endpoints
AzureHound
Microsoft identity platform access tokens
GitHub - rvrsh3ll/TokenTactics: Azure JWT Token Manipulation Toolset