2025-06-25, Track 2 (AD & Entra ID Sec)
In most Active Directory post-exploitation scenarios, the initial focus of red teamers for lateral movement is often the Local Security Authority Subsystem Service (LSASS) process. However, due to its extensive monitoring, any competent Endpoint Detection and Response (EDR) system will detect and flag such activities.
In this presentation, we will delve into innovative methods for navigating Microsoft Azure Active Directory (now Entra ID) based environments and achieving our objectives with greater stealth. We will discuss searching for authentication tokens in memory and on disk for Microsoft 365 applications and how these can be exploited. Additionally, we will examine Chromium-based applications utilizing WebView technology, exploring how they are constructed and the potential vulnerabilities where secrets may be exposed.
We will cover lateral movement within cloud environments, the use of long-lived Single Sign-On (SSO) tokens, conditional access policies, and other specific features of Entra ID that can make your next threat emulation exercise undetectable by defenders.
Finally, we will provide defenders with valuable tips on monitoring these techniques and suggest other defense-in-depth practices. Join us to enhance your knowledge of both offensive and defensive strategies in this evolving landscape.
This presentation will explore stealthy methods for attacks in Entra ID environments, focusing on finding and exploiting authentication tokens from Microsoft 365 applications and vulnerabilities in Chromium-based applications. It will also discuss the use of long-lived SSO tokens and navigating conditional access policies, and offer tips for defenders on monitoring these techniques and implementing defense-in-depth practices.
As a Senior Red Teamer, Priyank's primary area of focus is conducting security exercises that emulate real-world threats impacting billions of users. He is well known for his expertise in identifying high-impact vulnerabilities and has shared his research openly at various industry conferences.
His forte is web/mobile application security assessments, network penetration testing, and secure source code reviews. In the past, he has advised Fortune 500 brands and startups, and he does mobile and IoT related research in his spare time.
As a new parent, he is now (re)learning hacking from his toddler(s) who defeat all the "restrictions" to limit their mobility.