
#TROOPERS25 AD & Entra ID Security Track

The #TROOPERS25 ‘AD & Entra ID Security’ track was a blast – as was the whole conference 😉 – bringing together some of the smartest researchers in the field and a great audience of practitioners willing to share their experiences during the roundtable. The slides of the talks have since been released on the TROOPERS website, but since many speakers published additional blog posts or released tools, we provide a compilation of resources from the track below.

See you folks next year at #TROOPERS26!

Jonas Bülow Knudsen – Breaking Boundaries: Unraveling AD Cross-Forest Attack Paths

Jonas spoke about the technical intricacies of forests, trusts and trust creation, plus their security implications. He gave an overview of attacks like TGT Delegation Abuse and SID History Spoofing, and then presented a novel attack vector which he called ‘Account Operators Replicating Trust Attack’ (AORTA). He concluded that attack paths can exist between forests even without a trust, and that Account Operators, DNSAdmins and Incoming Forest Trust Builders should be treated as Tier Zero. A new tool was also presented that allows creating/deleting inbound Active Directory forest trusts with TGT delegation enabled, using native Windows LSA APIs.

Abstract: here
Slides: here
Tooling: Trustify
Blogpost: here
LinkedIn post: here
Related posts: here, here

Martin Haller – RBAC: The Shady Place Behind Basic Entra ID Security

Martin laid out that RBAC-related security issues are becoming more interesting from an attacker’s perspective these days, since other attack vectors are getting increasingly hard. He discussed in detail the RBAC implementations in Exchange, Azure, Intune etc. and their implementation pitfalls. Those can lead to privilege escalation, lateral movement and persistence, which he demonstrated with a number of demos.

Abstract: here
Slides: here
LinkedIn post: here
Related post: here

Yuya Chudo – Hopping Accross Devices: Expanding Lateral Movement through Pass-the-Certificate Attack

Yuya explained the intricacies of P2P certificates and how they can be weaponized, plus details of authentication and negotiation in the PKU2U context. He released ‘EntraPassTheCert’, a tool which allows attackers to request P2P certificates in order to compromise Entra-joined devices through SMB, RPC, RDP and WinRM. He concluded by laying out which specific mitigations work against the individual attack paths.

Abstract: here
Slides: here
Tooling: EntraPassTheCert, new feature added to BAADTokenBroker
LinkedIn post: here
Related posts: here, here, here, here, here

Jorge de Almeida Pinto – Demystifying Managed Service Accounts: Unveiling Best Practices And Security Measures To Reduce Risk And Impact

Jorge presented the different generations of Managed Service Accounts (MSAs) with their respective limitations regarding the protection they offer and the operational procedures around them. Particular focus was put on dMSAs in Windows Server 2025, and – of course – the intricacies leading to BadSuccessor. On the defense side of things, Jorge explained the role & protection of RODCs, pointed out that the KDS Root Key is not audited at all by default, and more generally laid out which events to audit.

Abstract: here
Slides: here
LinkedIn post: here
Related post: here

Dr. Baptiste David & Tillmann Oßwald – Authenticating through Windows Hello for Business, a reverse engineering story

Baptiste and Till had performed heavy reverse engineering of Windows Hello for Business (WHfB) in the course of a project for the German BSI. In this talk they shared their learnings about the inner workings of WHfB, and they laid out several attack paths against the database storing the biometric data of users. They concluded with a demo of how a local administrator can impersonate other users, and some mitigation advice.

Abstract: here
Slides: here
Blogposts: Windows Hello for Business – Past and Present Attacks
Windows Hello for Business – The Face Swap
Related posts: here, here

Priyank Nigam – Beyond LSASS: Cutting-Edge Techniques for Undetectable Threat Emulation

Priyank is a Senior Red Teamer at Microsoft, and in this talk he shared his perspective on post-exploitation techniques. He covered different types of tokens, with particular focus on PRTs: how to extract them and what an attacker can eventually do with them.

Abstract: here
Slides: here
LinkedIn post: here

Fabian Bader & Dirk-jan Mollema – Finding Entra ID CA Bypasses – the structured way

Fabian & Dirk-jan presented the concept of ‘Family of Client IDs’ (FOCI), which is mostly undocumented but has significant security implications (re-use of refresh tokens), and they explained the complex intricacies of exceptions in Conditional Access Policies. Overall these can lead to unexpected behavior/access, which they tried to map for clients by various methods. A number of hardcoded CAP bypasses were discussed, and ‘entrascopes’, an Entra ID First Party Apps & Scope Browser, was introduced.

Abstract: here
Slides: here
Tooling: Entra ID First Party Apps & Scope Browser
LinkedIn posts: here, here
Related post: here

Nice post from Jan Geisbauer, one of Fabian’s coworkers: here

Fabian Mosch – Revisiting Cross Session Activation attacks

Fabian presented a history of cross session activation attacks, including the ‘Potato’ attacks and KrbRelay, and then moved on to recent vectors involving RPC and DCOM. He laid out an interesting new approach to getting RCE via COM Hijacking and exploiting the BDEUILauncher class, followed by a discussion of related detection techniques.

Abstract: here
Slides: here
Tooling: SpeechRuntimeMove, BitlockMove, DCOMRunAs
Blogpost: Revisiting Cross Session Activation Attacks
LinkedIn post: here
Related posts: here, here, here

Nestori Syynimaa – The Ultimate Guide for Protecting Hybrid Identities in Entra ID

Nestori started with a detailed overview of hybrid authentication options. After that he discussed the attack graphs for Entra ID Connect Sync, Entra Cloud Sync, Pass-Through Authentication and Federated Identity, plus protection/mitigation approaches for each of those.

Abstract: here
Slides: here
LinkedIn post: here
Related post: here

Shang-De Jiang & Kazma Ye – Breaking Down macOS Intune SSO: PRT Cookies Theft and Platform Comparison

Shang-De and Kazma explained why Primary Refresh Tokens (PRTs) are valuable targets, and then discussed how PRT cookies can be obtained on macOS. For this purpose they provided a detailed breakdown of the Company Portal SSO implementation & flows on macOS, the inner workings of BrowserCore, and the methods they used to attack those.

Abstract: here
Slides: here
LinkedIn posts: here, here
Related post: here

Simon Maxwell-Stewart – Restless Guest: A Novel Entra ID Vulnerability

Simon started with a little mystery case in which a guest had created an Entra subscription, which immediately raised the question: how was that possible? It turned out that billing agreements were involved, as they are cross-tenant, and – while at first glance they don’t seem to provide valuable attack paths – several enumeration and even persistence scenarios can be found. The talk concluded with defense approaches against these vectors.

Abstract: here
Slides: here
Tooling: restless-guest, a CLI toolkit for “restless guest” exploits, released at DEF CON 33
Blogposts: “Evil VM”: From Guest Compromise To Entra Admin In 9 Easy Steps
Restless Guests: The True Entra B2B Guest Threat Model
LinkedIn posts: here, here, here

Duane Michael & Garrett Foster – Misconfiguration Manager: Still Overlooked, Still Overprivileged

Duane and Garrett expanded on research presented at TROOPERS24 and at SO-CON, explaining that their goal was to create a living repository of SCCM adversary tradecraft, namely ‘Misconfiguration Manager’. Since the 2024 release many new attack techniques and a new ‘COERCE’ category have been added, all of which were explained in detail with regard to the underlying attack vectors.

Abstract: here
Slides: here
Tooling: Misconfiguration Manager
Blogposts:
Misconfiguration Manager: Still Overlooked, Still Overprivileged
I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays
LinkedIn posts: here, here
Related posts: here, here, here, here

Eric Woodruff – Getting developers to follow standards is easy, and other lies we tell ourselves

Eric explained the background of nOAuth abuse and how it exploits cross-tenant vulnerabilities that can lead to SaaS application data exfiltration, persistence and lateral movement. He then discussed how app registrations and service principals work, and how they come into play during an attack. Finally he presented the results of their research regarding vulnerable applications in the MS Entra Gallery, followed by some ideas on mitigation and detection.

Abstract: here
Slides: here
Blogpost: nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications
LinkedIn post: here
Related post: here
