{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2025.2.2"}, "schedule": {"url": "https://cfp.troopers.de/tr26-cfp/schedule/", "version": "0.3", "base_url": "https://cfp.troopers.de", "conference": {"acronym": "tr26-cfp", "title": "TROOPERS26 Call for Paper", "start": "2026-06-24", "end": "2026-06-25", "daysCount": 2, "timeslot_duration": "00:05", "time_zone_name": "Europe/Berlin", "colors": {"primary": "#3e3d40"}, "rooms": [{"name": "Track 1", "slug": "5-track-1", "guid": "f621960c-3688-5e5c-91e6-399bd502d79b", "description": null, "capacity": null}, {"name": "Track 2", "slug": "6-track-2", "guid": "ae308d0a-3cd7-51bb-918f-e243dcfbd2b0", "description": null, "capacity": null}, {"name": "Track 3", "slug": "7-track-3", "guid": "a46c830a-6d97-5944-a39a-6d0db19d9fe2", "description": null, "capacity": null}], "tracks": [{"name": "Attack & Research", "slug": "7-attack-research", "color": "#F10E3E"}, {"name": "Defense & Management", "slug": "8-defense-management", "color": "#26E61C"}, {"name": "Active Directory & Entra ID Security", "slug": "9-active-directory-entra-id-security", "color": "#FE19F5"}], "days": [{"index": 1, "date": "2026-06-24", "day_start": "2026-06-24T04:00:00+02:00", "day_end": "2026-06-25T03:59:00+02:00", "rooms": {"Track 1": [{"guid": "63b08883-82e5-5a49-bca3-6b033183922c", "code": "RNDCKA", "id": 508, "logo": null, "date": "2026-06-24T09:00:00+02:00", "start": "09:00", "duration": "01:30", "room": "Track 1", "slug": "tr26-cfp-508-keynote", "url": "https://cfp.troopers.de/tr26-cfp/talk/RNDCKA/", "title": "Keynote", "subtitle": "", "track": "Attack & Research", "type": "Special", "language": "en", "abstract": "Coming soon :)", "description": "<!-- -->", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/RNDCKA/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/RNDCKA/", "attachments": []}, {"guid": "3e4fd249-a8d1-51b5-9ce1-822efad8429a", "code": "BYBLQL", "id": 491, "logo": null, "date": "2026-06-24T10:30:00+02:00", "start": "10:30", "duration": "00:30", "room": "Track 1", "slug": "tr26-cfp-491-coffee-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/BYBLQL/", "title": "Coffee Break", "subtitle": "", "track": "Attack & Research", "type": "Special", "language": "en", "abstract": "Coffee Break", "description": "Coffee Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/BYBLQL/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/BYBLQL/", "attachments": []}, {"guid": "65535b32-5aaa-5674-8ac4-8d185ae87852", "code": "WXKS38", "id": 311, "logo": null, "date": "2026-06-24T11:00:00+02:00", "start": "11:00", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-311-agentic-chaos-weaponizing-autonomous-ai", "url": "https://cfp.troopers.de/tr26-cfp/talk/WXKS38/", "title": "Agentic Chaos: Weaponizing Autonomous AI", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "As enterprises integrate \"Agentic AI\" into their infrastructure, they are inadvertently exposing critical business logic to stochastic actors. This talk explores the Execution Layer of autonomous agents, revealing how LLMs can be weaponized to act as proxies for traditional web attacks.\r\n\r\nWe will introduce \"Agentic Mass Assignment,\" a technique where attackers coerce agents to hallucinate undocumented parameters (like status: APPROVED or is_admin) to exploit backend ORM vulnerabilities. Additionally, we will demonstrate \"Cognitive Denial of Service,\" using semantic paradoxes to trap agents in infinite reasoning loops that result in \"Denial of Wallet.\"\r\n\r\nAttendees will see live exploitation of these logic flaws and receive Agent-Fuzz, an open-source tool for auditing agentic middleware.", "description": "The Problem: The Middleware Gap Security teams currently focus on \"Prompt Injection\" (content safety), ignoring the far greater risk: the \"Middleware Gap\" where non-deterministic LLMs interface with rigid REST APIs. In this session, we prove that Agentic Frameworks (like LangChain or Semantic Kernel) often lack the strict schema enforcement required to protect legacy backends.\r\n\r\nVector 1: The Integrity Hack (Agentic Mass Assignment) We demonstrate how an Agent can be manipulated to function as an \"Intelligent Fuzzer.\"\r\n\r\nMechanism: By reversing the prompt templates used for tool execution, we show how to force the LLM to \"invent\" JSON fields based on common developer conventions.\r\n\r\nThe Vulnerability: We exploit the disconnect between the Frontend Schema (OpenAPI) and the Backend Database Models (ORM). We show how the hallucinated parameters pass through the Agent and are blindly accepted by backends vulnerable to Mass Assignment.\r\n\r\nImpact: Privilege escalation and data corruption without direct database access.\r\n\r\nDemo: A live walkthrough of bypassing a Corporate Expense Approval flow by injecting a hidden override parameter via natural language.\r\n\r\nVector 2: The Availability Hack (Cognitive DoS) We introduce the concept of \"Economic Asymmetry\" in AI attacks.\r\n\r\nMechanism: We use Generative Style Injection (GSI) to poison the agent's context with pathological reasoning styles (e.g., recursive bureaucracy).\r\n\r\nThe Vulnerability: Semantic loops consume tokens at every step. We show that rate limits based on \"requests per second\" fail to catch a single session that enters a self-sustaining \"Cognitive Deadlock.\"\r\n\r\nImpact: Rapid depletion of API quotas and cloud budgets (\"Denial of Wallet\").\r\n\r\nDemo: Triggering a negotiation loop between autonomous agents that consumes the entire monthly budget in minutes.\r\n\r\nSolution & Tooling: We conclude with defense. We will release Agent-Fuzz (a scanner for schema hallucination) and discuss architectural patterns for \"Zero-Trust Schema Validation\" at the API Gateway level.", "recording_license": "", "do_not_record": false, "persons": [{"code": "DPBQFG", "name": "Alon Friedman", "avatar": null, "biography": "Alon Friedman is a Principal Security Architect at Microsoft and independent researcher specializing in application security standards and threat landscapes. His background includes leading secure software development at Salesforce and managing application vulnerabilities at PayPal. Alon is a recognized researcher, credited with CVE-2014-4246 and the creation of the SCIP OWASP ZAP extension. He is a frequent speaker at international conferences, including Ekoparty, DeepSec, and BSides.", "public_name": "Alon Friedman", "guid": "7275086b-a343-52ea-8f59-64630ed467fc", "url": "https://cfp.troopers.de/tr26-cfp/speaker/DPBQFG/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/WXKS38/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/WXKS38/", "attachments": []}, {"guid": "593536a1-d62b-5aff-a5b2-ad68b7265738", "code": "CLLDDN", "id": 429, "logo": null, "date": "2026-06-24T12:00:00+02:00", "start": "12:00", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-429-confused-recovery-a-new-attack-class-on-windows-recovery", "url": "https://cfp.troopers.de/tr26-cfp/talk/CLLDDN/", "title": "Confused Recovery: A New Attack Class on Windows Recovery", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "The Windows Recovery Environment (WinRE) is a foundational component of the Windows stack, embedded in over a billion devices worldwide. It plays a critical role in recovering systems from various types of severe failures.\r\n\r\nA fundamental requirement for any recovery operation is identifying its associated disk volume. To meet this requirement, volume lookup functionalities are implemented separately in both the WinRE boot phase and the WinRE runtime phase. Historically, maintaining two separate mechanisms for retrieving the same information has proven fragile and error prone. This raises a critical question: what happens when these lookup mechanisms fall out of sync?\r\n\r\nIn this talk, we introduce a new and novel attack class on WinRE. Our exploration begins with an analysis of the various volume lookup logics and the inconsistencies between them. We then reveal 4 unique vulnerabilities that confuse WinRE to mistakenly recover an attacker-controlled volume instead of the intended associated volume. Building on these confusion primitives, we present 2 exploitation techniques that escalate the impact to a full BitLocker bypass, allowing extraction of all BitLocker-protected secrets in several different ways.\r\n\r\nTo conclude the presentation, we will share how we collaborated with the engineering teams to develop a comprehensive, end-to-end mitigation that addresses the entire attack class.\r\nThis talk offers valuable insights into the intersection of BitLocker, Windows Boot, and Windows Recovery, highlighting how combining knowledge across these domains leads to impactful results.", "description": "&nbsp;", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZXFMJV", "name": "Alon Leviev", "avatar": null, "biography": "Alon (@alon_leviev) is a self-taught security researcher working with the Microsoft Specialized Clouds organization as part of the Security Testing & Offensive Research team at Microsoft (MSC STORM). Alon specializes in low-level vulnerability research targeting hardware, firmware, and Windows boot components. He has presented his findings at internationally recognized security conferences such as DEF CON 33 (2025), DEF CON 32 (2024), Black Hat USA 2025, Black Hat USA 2024, Black Hat EU 2023, CCC 2025, CanSecWest 2024, and more. Prior to his career in cybersecurity, Alon was a professional Brazilian jiu-jitsu athlete, winning several world and European titles.", "public_name": "Alon Leviev", "guid": "acbdaf7b-e52a-51c0-8976-0a5507dd39da", "url": "https://cfp.troopers.de/tr26-cfp/speaker/ZXFMJV/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/CLLDDN/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/CLLDDN/", "attachments": []}, {"guid": "4e51d0e6-b9bc-522b-955e-20bcd7155883", "code": "WXYKHJ", "id": 500, "logo": null, "date": "2026-06-24T13:00:00+02:00", "start": "13:00", "duration": "01:15", "room": "Track 1", "slug": "tr26-cfp-500-lunch-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/WXYKHJ/", "title": "Lunch Break", "subtitle": "", "track": "Attack & Research", "type": "Special", "language": "en", "abstract": "Lunch Break", "description": "Lunch Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/WXYKHJ/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/WXYKHJ/", "attachments": []}, {"guid": "ee83218b-864a-5936-ad81-9769ff8d8e01", "code": "ABQT8K", "id": 422, "logo": null, "date": "2026-06-24T14:15:00+02:00", "start": "14:15", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-422-backbones-under-attack-software-vulnerabilities-in-core-routers", "url": "https://cfp.troopers.de/tr26-cfp/talk/ABQT8K/", "title": "Backbones under attack: software vulnerabilities in core routers", "subtitle": "", "track": null, "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "The core routers that form the Internet backbone are among the most critical but least scrutinized pieces of infrastructure. While many talks focus on BGP, routing policies or DDoS, comparatively little attention is paid to the attack surface introduced by modern virtualization and management features inside high-end routing platforms.", "description": "In this talk I will review the evolution of router malware and then present original research showing a practical attack path to persistent backdoors on modern backbone platforms by abusing virtualization features and two distinct privilege escalation vulnerabilities I discovered that enable installation of such persistent implants. \r\n\r\nTo avoid creating a roadmap for abuse, this presentation focuses on impact, architecture, detection opportunities and robust mitigations rather than exploit code or step\u2011by\u2011step instructions. \r\n\r\nI will close with responsible-disclosure outcomes and a prioritized mitigation checklist for network operators and vendors.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HGHMAK", "name": "Pierre Emeriaud", "avatar": null, "biography": "Seasoned network engineer, Pierre has been working at securing wan IP networks, from small CPE routers to carrier-grade behemoths at Orange for almost 20 years. \r\n\r\nWith a purple teamer approach he's always trying to find new ways to break into his networks, then fixing the issues while improving detection.", "public_name": "Pierre Emeriaud", "guid": "79e3d95f-d8e9-5586-a59c-badf817ebd63", "url": "https://cfp.troopers.de/tr26-cfp/speaker/HGHMAK/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/ABQT8K/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/ABQT8K/", "attachments": []}, {"guid": "7ea69e2f-1130-5e3a-bdf2-1ac5f8cf6bf9", "code": "FYSNJ7", "id": 516, "logo": null, "date": "2026-06-24T15:15:00+02:00", "start": "15:15", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-516-coming-soon", "url": "https://cfp.troopers.de/tr26-cfp/talk/FYSNJ7/", "title": "Coming soon :)", "subtitle": "", "track": "Attack & Research", "type": "Special", "language": "en", "abstract": "<!-- -->", "description": "<!-- -->", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/FYSNJ7/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/FYSNJ7/", "attachments": []}, {"guid": "c8b75819-023f-592d-9d04-f1b720819f0c", "code": "UUKQNN", "id": 493, "logo": null, "date": "2026-06-24T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Track 1", "slug": "tr26-cfp-493-coffee-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/UUKQNN/", "title": "Coffee Break", "subtitle": "", "track": "Attack & Research", "type": "Special", "language": "en", "abstract": "Coffee Break", "description": "Coffee Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/UUKQNN/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/UUKQNN/", "attachments": []}, {"guid": "74d0cc78-306e-5258-840f-16bbccf526df", "code": "DAARST", "id": 391, "logo": null, "date": "2026-06-24T16:45:00+02:00", "start": "16:45", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-391-priceless-hacking-electronic-shelf-labels", "url": "https://cfp.troopers.de/tr26-cfp/talk/DAARST/", "title": "Priceless: Hacking Electronic Shelf Labels\u200b", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Disagree with the latest price hikes of your local store? Then this talk is for you! \r\n\r\nAs price labels, commonly called electronic shelf labels (ESL tags), play a major role in store architecture, they increase the potential attack surface and attract attention from adversaries. To understand how these products work, we examined Android apps, web-based management software, Bluetooth Low Energy (BLE), and 2.4 GHz traffic, as well as their hardware components. In the process, we identified architectural and implementation weaknesses across every part of the ESL infrastructure.", "description": "In recent years, more and more convenience stores have upgraded their infrastructure by going digital and they will continue to do so. This includes introducing ESL tags, which enable dynamic pricing based on demand and reduce labor costs. Depending on their size and budget, stores can choose from two major types of ESL tags that either use BLE or work on other radio frequencies. The former requires only a smartphone to interact with, while the latter relies on an infrastructure of access points and a central management system. \r\n\r\nIn this talk, we will take you on a journey through the last couple of months of reverse engineering products from two different manufacturers. Throughout this process, we analyzed two different BLE ESL tags and one ESL tag that works with an access point.  We successfully performed attacks such as battery drainage and arbitrary writes, which led to denial-of-service and achieved complete takeover of the management system that controls products and templates. The possibilities were endless. We identified systematic vulnerabilities in multiple ESL products and propose a general mitigation strategy for the manufacturers.\r\n\r\nWhen sharing our findings with the manufacturers we have been unable to get their ear leaving these issues unpatched and up to the store owners to mitigate.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TJKYZN", "name": "Marius Karstedt", "avatar": null, "biography": "Marius (he/him) is a security researcher from Germany, focusing mostly on reverse engineering of IoT devices. He is currently pursuing a Master\u2019s degree in IT Security at the TU Darmstadt.", "public_name": "Marius Karstedt", "guid": "595174f6-3a8e-5524-a660-6dd974ba347d", "url": "https://cfp.troopers.de/tr26-cfp/speaker/TJKYZN/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/DAARST/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/DAARST/", "attachments": []}, {"guid": "afdcf6bd-72c0-507d-9bab-3f6ec181835d", "code": "STKZXP", "id": 464, "logo": null, "date": "2026-06-24T17:45:00+02:00", "start": "17:45", "duration": "00:30", "room": "Track 1", "slug": "tr26-cfp-464-eta-when-reporting-on-cybercrime", "url": "https://cfp.troopers.de/tr26-cfp/talk/STKZXP/", "title": "ETA when? Reporting on cybercrime", "subtitle": "", "track": "Attack & Research", "type": "Lightning Talk (20 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "# Whodunit\r\n\r\nAs a reporter, it is one of the main parts of my job to find out who is behind criminal enterprises such as ransomware groups. And while attribution might be hard, in some cases it is doable. By pivoting, using leaks and correlating it with other publicly available information. I'll show many examples that will help the audience better understand how reporters use techniques familiar within the threat intelligence landscape. During the last couple of years I was part of four investigations that ended up identifying people for the first time publicly.\r\n\r\nBut the main part of the talk will deal with one question: Under what circumstances does it make sense to publish? Because the decision to put out the story has immediate consequences. One of them being that law enforcement agencies, who might have been trying to catch the very same actors, will likely no longer be able do to that. Since the actors also read our reporting stories and take precautions. For one, they stop traveling to countries where they run the risk of being arrested and then extradited. Knowing this, I'm going to make the case that it is important and in the public's interest to publish such investigations.", "description": "&nbsp;", "recording_license": "", "do_not_record": true, "persons": [{"code": "CQLW9D", "name": "Hakan", "avatar": null, "biography": "I work as a reporter covering cybersecurity for Paper Trail Media. My main focus is with attribution, so finding out who the hackers are.", "public_name": "Hakan", "guid": "6feb7233-bf90-54d0-9e85-fce601e127dd", "url": "https://cfp.troopers.de/tr26-cfp/speaker/CQLW9D/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/STKZXP/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/STKZXP/", "attachments": []}, {"guid": "9791ed67-d004-5757-8b04-a981458aac3a", "code": "YZQMBB", "id": 433, "logo": null, "date": "2026-06-24T18:15:00+02:00", "start": "18:15", "duration": "00:30", "room": "Track 1", "slug": "tr26-cfp-433-sanctions-evasion-2-0-osint-methodologies-for-unmasking-the-iranian-regime-s-financial-evolution", "url": "https://cfp.troopers.de/tr26-cfp/talk/YZQMBB/", "title": "Sanctions Evasion 2.0: OSINT Methodologies for Unmasking the Iranian Regime\u2019s Financial Evolution", "subtitle": "", "track": "Attack & Research", "type": "Lightning Talk (20 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Modern sanctions evasion has moved beyond traditional shell companies and into a parallel digital economy. This session presents a forensic deconstruction of a multi-billion dollar state-sponsored laundering infrastructure that successfully bypassed Western oversight for over a decade. This network represents \"Laundering 2.0\"\u2014a sophisticated architecture of synthetic identities and automated shadow-banking nodes.\r\n\r\nBased on an intensive multi-year investigation into one of the world's largest evasion networks, this talk moves beyond the headlines to reveal the specific OSINT \"pivots\" used to link phantom Western corporate entities to state-sponsored actors. We will analyze the technical failures in corporate registries that allow these \"Identity Exploits\" to persist.\r\n\r\nAttendees will learn:\r\n\r\nThe \"CEO Cat\" Methodology: A forensic walkthrough of moving from a single stock-footage identity to unmasking a multi-billion dollar node using metadata analysis and digital \"tells.\"\r\n\r\nIdentity Spoofing & Registry Exploitation: Technical signatures for detecting forged documentation and \"synthetic\" directors used to bypass KYC verification in high-value corporate registries.\r\n\r\nInfrastructure Evolution: An analysis of how state-sponsored evasion has \"patched\" its vulnerabilities, moving toward decentralized digital identities and the exploitation of systemic gaps in global corporate infrastructure.", "description": "I. The 2.0 Threat Architecture (3 mins)\r\n\r\nThe \"Laundering 1.0\" Baseline: A rapid retrospective of legacy evasion methodologies (physical gold transfers, kinetic Hawala networks) and how Western financial intelligence (FININT) made these methods obsolete.\r\n\r\nThe Digital Upgrade: Defining the adversary's pivot toward digital obfuscation: large-scale identity spoofing, the weaponization of golden passports, automated shadow banking, and the exploitation of Western corporate registry loopholes.\r\n\r\nII. Case Study: Deconstructing the Zanjani Infrastructure (7 mins)\r\n\r\nState-Backed Infrastructure Spoofing: How the network engineered a parallel synthetic economy by standing up \"phantom\" entities designed to mimic legitimate financial nodes.\r\n\r\nThe \"CEO Cat\" OPSEC Failure: A high-speed forensic deep-dive into the critical vulnerability that unraveled the network. I will demonstrate how our team exploited a single operational security (OPSEC) failure\u2014leveraging social media metadata and a stock-footage \"CEO\"\u2014to pivot into a multi-billion dollar illicit node.\r\n\r\nIII. The \"Identity Exploit\" & Live Network Pivot (8 mins)\r\n\r\nKYC Circumvention & Heuristics: A technical analysis of how the adversary utilizes golden passports and sophisticated forgeries to systematically bypass Know Your Customer (KYC) controls within the UK Companies House. I will highlight the specific registry \"Red Flags\" and behavioral fingerprints of state-sponsored phantom firms hiding in plain sight.\r\n\r\nLive Correlation Engine: A rapid, unscripted demonstration of an advanced OSINT pivot. I will show the audience how to transition from a single anomalous corporate filing to mapping out a vast illicit network in real-time, synthesizing highly fragmented digital footprints.\r\n\r\nIV. Conclusion: The Attribution Gap (2 mins)\r\n\r\nClosing the Loop: Why the systemic failure to verify digital identity against physical reality remains the ultimate vulnerability in global security, and how OSINT bridges this intelligence gap.", "recording_license": "", "do_not_record": true, "persons": [{"code": "E79MFV", "name": "Mahtab Divsalar", "avatar": null, "biography": "Mahtab Divsalar is a Senior Investigative Journalist and OSINT Researcher specializing in the intersection of state-sponsored illicit finance, sanctions evasion, and adversarial corporate infrastructure. With over two decades of experience analyzing Iranian geopolitics and closed-regime dynamics, she bridges the gap between high-stakes investigative reporting and technical threat research.\r\n\r\nHer recent high-impact collaborative investigations, including Dubai Unlocked and Dominica: Passports of the Caribbean, exposed how sanctioned threat actors weaponize global real estate, offshore registries, and \"Golden Passports\" to successfully bypass Western compliance.\r\n\r\nBeginning her career in Tehran in the 1990s, Mahtab relocated to the U.S. in 2003 to operate free from state surveillance and political constraints. Over the course of her career, she has driven complex investigations and held senior editorial roles across major international platforms, including OCCRP, Voice of America, and Radio Free Europe/Radio Liberty.", "public_name": "Mahtab Divsalar", "guid": "78fbaffe-c91d-5ab1-aa22-a367327f0bf7", "url": "https://cfp.troopers.de/tr26-cfp/speaker/E79MFV/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/YZQMBB/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/YZQMBB/", "attachments": []}], "Track 2": [{"guid": "51faf927-b4b9-577d-9a7e-962fc409fb3d", "code": "BMXZU3", "id": 498, "logo": null, "date": "2026-06-24T10:30:00+02:00", "start": "10:30", "duration": "00:30", "room": "Track 2", "slug": "tr26-cfp-498-coffee-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/BMXZU3/", "title": "Coffee Break", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Special", "language": "en", "abstract": "Coffee Break", "description": "Coffee Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/BMXZU3/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/BMXZU3/", "attachments": []}, {"guid": "8b398be7-aa81-53b9-824f-59b2a25682e9", "code": "WDATRC", "id": 412, "logo": null, "date": "2026-06-24T11:00:00+02:00", "start": "11:00", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-412-esc17-using-adcs-to-attack-https-enabled-wsus-clients", "url": "https://cfp.troopers.de/tr26-cfp/talk/WDATRC/", "title": "ESC17: Using ADCS to Attack HTTPS-Enabled WSUS Clients", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "The Active Directory Certificate Service (ADCS) has been studied extensively, which lead to an entire category of privilege escalation techniques: the ESC attacks.\r\nWe combined known research about attacks on ADCS and the Windows Server Update Service (WSUS) to compromise Windows machines in supposedly \"secure\" environments.\r\nAs this technique can be generalized, we decided to introduce the new escalation number ESC17.", "description": "In this talk we will revisit both the currently known attacks on ADCS and on WSUS and combine them with a new twist.\r\n\r\nCertificate templates are often misconfigured in ADCS environments and can lead to complete domain takeover, for example with the ESC1 technique.\r\nIn our experience, mitigations against ESC1 in particular often remain incomplete and can leave room for further attacks, some of which have not been publicly discussed so far.\r\n\r\nFor WSUS, we will give an overview over past attacks, which in theory exist since 2015. However, our impression is that these attacks are not a common part of security assessments.\r\n\r\nIn the following we combine the research on ADCS with the MitM attack on WSUS to gain command execution on Windows machines, which are configured in accordance with best practices.\r\n\r\nDuring internal discussions, we realized that the underlying problem is not specific to WSUS at all, but rather rooted in ADCS and the trust relationships in Active Directory. This lead to the creation of a new ESC number, so this specific configuration of certificate templates can easily be identified and mitigated.", "recording_license": "", "do_not_record": false, "persons": [{"code": "9JPXFC", "name": "Alexander Neff", "avatar": null, "biography": "Alex is a Security Consultant at DigiTrace GmbH.\r\nSince 2022 he regularly conducts penetration tests with a focus on internal infrastructure and Active Directory, while finishing his studies in the IT Security field.\r\nWith a passion for open source he maintains several open source projects, including NetExec, wsuks and EVENmonitor.", "public_name": "Alexander Neff", "guid": "b6cc89b9-cd41-5b14-97c3-57796adf4fb1", "url": "https://cfp.troopers.de/tr26-cfp/speaker/9JPXFC/"}, {"code": "LPS7LN", "name": "Phil Kn\u00fcfer", "avatar": null, "biography": "Phil is a Senior Security Consultant and head of the IT Security team at DigiTrace GmbH. He started his IT security studies in 2010 at Ruhr University Bochum and has been working full-time in this field since 2016.\r\nHis focus is on internal infrastructure penetration tests and security consulting, with the occasional IT forensics project in between.\r\nWhile Phil is an avid user of open source technology, he soon realized that most company networks are built around Active Directory, making him realize that even a basement child cannot live without Windows.", "public_name": "Phil Kn\u00fcfer", "guid": "64e382a0-6886-53f2-add6-dc40ab703329", "url": "https://cfp.troopers.de/tr26-cfp/speaker/LPS7LN/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/WDATRC/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/WDATRC/", "attachments": []}, {"guid": "40bacd2a-cb73-509f-8c7d-cae1272b4546", "code": "8CBZWS", "id": 434, "logo": null, "date": "2026-06-24T12:00:00+02:00", "start": "12:00", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-434-tier-breakers-blind-spots-in-cloud-managed-paws", "url": "https://cfp.troopers.de/tr26-cfp/talk/8CBZWS/", "title": "Tier Breakers: Blind Spots in Cloud-Managed PAWs", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Microsoft Intune and Entra ID have become the default stack for cloud-managed Privileged Access Workstations (PAWs) - and with them, organizations assume they can achieve a strong and clear tier separation within a single tenant.\r\n\r\nThis session dissects the real-world failures and mistakes of tiered administration in cloud-managed PAW environments. We map concrete attack paths that breach tier boundaries: Intune RBAC scope misconfigurations that grant cross-tier device access, Entra ID role assignments with implicit permissions that span administrative tiers, and platform-level limitations that (currently) no configuration can fully compensate for.\r\n\r\nBeyond exposing the gaps, we present tooling and methods to enumerate these attack paths within your own tenant - identifying tier boundary violations and quantifying blast radius before an attacker does. We then compare architectural mitigations, including the dedicated administration tenant (\"Red Tenant\") model, against the single-tenant default most organizations live with.\r\n\r\nAttendees leave with a clear model of where the tier boundary actually sits in a cloud-managed PAW deployment, specific detection and assessment techniques, and a realistic view of the architectural trade-offs involved.", "description": "<!-- -->", "recording_license": "", "do_not_record": false, "persons": [{"code": "FR3JJ3", "name": "Thomas Naunheim", "avatar": null, "biography": "Thomas Naunheim is a Cyber Security Architect at glueckkanja AG and a Microsoft MVP from Koblenz, Germany, specializing in cloud-native identity and security solutions in Microsoft Azure and Microsoft Entra. With a deep focus on privileged identity management, identity security, and Zero Trust architecture, he designs and implements security solutions for real-world enterprise environments.\r\n\r\nThomas actively gives back to the community as a blogger at cloud-architekt.net, where he publishes in-depth research and practical insights on Microsoft Security. He is a speaker at international conferences and meetups, co-author of the open-source Entra ID Attack & Defense Playbook, and the creator of EntraOps - a community tool for privilege classification based on the Enterprise Access Model.\r\n\r\nBeyond content creation, Thomas co-hosts the podcast Cloud Inspires and is actively involved in community organization as a member of the Azure Meetup Bonn and Cloud Identity Summit organizing teams. His long-standing contributions across blogging, speaking, and open-source development earned him the Microsoft MVP award in the Identity & Access and Cloud Security category.", "public_name": "Thomas Naunheim", "guid": "e321ea12-599d-57ab-b5c1-956bacc99650", "url": "https://cfp.troopers.de/tr26-cfp/speaker/FR3JJ3/"}, {"code": "AS3ATU", "name": "Martin Sohn Christensen", "avatar": null, "biography": "I am a Security Researcher at SpecterOps, specializing in Microsoft technologies with expertise in Active Directory, identity attack paths, and secure system configuration. I bring a well-rounded perspective on security risks and challenges stemming from a background in system administration, an information security degree, and information security consultancy experience. I am passionate about learning and contributing to the information security community, sharing content through online engagement and talks.", "public_name": "Martin Sohn Christensen", "guid": "61447b48-b5f7-5ec7-a455-fece26cbc6a2", "url": "https://cfp.troopers.de/tr26-cfp/speaker/AS3ATU/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/8CBZWS/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/8CBZWS/", "attachments": []}, {"guid": "52b513dc-8687-5541-b650-7d77455823f9", "code": "EYCQ8U", "id": 503, "logo": null, "date": "2026-06-24T13:00:00+02:00", "start": "13:00", "duration": "01:15", "room": "Track 2", "slug": "tr26-cfp-503-lunch-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/EYCQ8U/", "title": "Lunch Break", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Special", "language": "en", "abstract": "Lunch Break", "description": "Lunch Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/EYCQ8U/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/EYCQ8U/", "attachments": []}, {"guid": "a426e153-d93d-5fc2-827d-130f666195d3", "code": "EZCTEQ", "id": 400, "logo": null, "date": "2026-06-24T14:15:00+02:00", "start": "14:15", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-400-nested-app-authentication-undocumented-risk-and-conditional-access-bypass", "url": "https://cfp.troopers.de/tr26-cfp/talk/EZCTEQ/", "title": "Nested APP Authentication - Undocumented Risk and Conditional Access Bypass", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "In the past, several studies on Entra ID token exchange abuse mainly focused on FOCI (Family of Client IDs) feature abuse and scope-based Conditional Access bypass cases.\r\nAlthough prior work explored these areas in depth, we noticed that the NAA (Nested APP Authentication) token exchange attack surface has not been widely discussed.\r\n\r\nIn this talk, we will discuss the undocumented risks of NAA token exchange and how NAA can lead to Conditional Access bypass.\r\n\r\nFrom our findings, we identified the following:\r\n\r\n- NAA Undocumented Risk\r\nWhen an attacker compromises a Broker Client, such as Teams or Outlook, the attacker can use NAA to obtain the Azure Resource Manager user_impersonation scope.\r\nThis means that even if only a Broker Client exists on the device, the attacker may still be able to use NAA to compromise cloud resources.\r\n- Conditional Access Bypass\r\nDuring our exploration, we found that NAA can lead to Conditional Access bypass, including MFA bypass, Require Compliant Device bypass, and Token Protection bypass, and we also identified two new bypass series: Broker Client\u2013based bypass and Nested Client\u2013based bypass.", "description": "This talk presents a new security vector in Nested App Authentication (NAA) and shows how this design can lead to unexpected access expansion and Conditional Access bypass.\r\n\r\nNested App Authentication is designed to improve user experience by allowing broker applications, such as Microsoft Teams, to request access tokens on behalf of nested applications. However, this design also creates a new attack surface. If an attacker obtains a broker refresh token, they may be able to exchange it for access tokens without requiring additional user interaction.\r\n\r\nIn our research, we discovered that several nested applications have pre-authorized access to sensitive cloud resources, including Azure Resource Manager (ARM). This creates a risky situation when compromising a device that only uses a broker application, such as Teams, may still allow attackers to gain access to critical Azure resources.\r\n\r\nWe also identified multiple Conditional Access bypass scenarios related to NAA token exchange. These bypasses affect common security controls such as MFA enforcement, device compliance requirements, and token protection policies.\r\n\r\nIn this talk, we will explain:\r\n\r\n- How Nested App Authentication works\r\n- How attackers can abuse broker refresh tokens\r\n- The undocumented risks in nested app pre-authorization\r\n- Multiple Conditional Access bypass techniques\r\n- The security impact on cloud environments", "recording_license": "", "do_not_record": false, "persons": [{"code": "G9HRSC", "name": "Jun Sheng Shi", "avatar": null, "biography": "Jun Sheng Shi is a security researcher at CyCraft Technology, focusing on cloud identity security and authentication protocols. His research focuses on Microsoft Entra ID token exchange mechanisms, including FOCI and Nested Application Authentication (NAA). He specializes in discovering authentication bypass techniques and analyzing complex access control behaviors in modern cloud environments.", "public_name": "Jun Sheng Shi", "guid": "5c9243ec-b312-58c1-aa52-e288210eade9", "url": "https://cfp.troopers.de/tr26-cfp/speaker/G9HRSC/"}, {"code": "FGWGXN", "name": "Shang-De Jiang", "avatar": null, "biography": "Shang-De Jiang, also known as HackerPeanutJohn, is a deputy director of the research team of CyCraft. Currently, he focuses on research on Identity Security and Microsoft Security. He has presented technical presentations in non-academic technical conferences, such as DEFCON, TROOPERS, HITB, HITCON, CodeBlue, Blue Team Summit and BlackHat USA. He is the co-founder of UCCU Hacker the private hacker group in Taiwan.", "public_name": "Shang-De Jiang", "guid": "2c35e651-5063-5241-8b2d-93dc5157ef2c", "url": "https://cfp.troopers.de/tr26-cfp/speaker/FGWGXN/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/EZCTEQ/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/EZCTEQ/", "attachments": []}, {"guid": "6aee61a5-cdd2-5987-8646-850f9b836c38", "code": "QSHKUT", "id": 371, "logo": null, "date": "2026-06-24T15:15:00+02:00", "start": "15:15", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-371-trusted-by-design-how-windows-uses-tpm-to-secure-prts", "url": "https://cfp.troopers.de/tr26-cfp/talk/QSHKUT/", "title": "Trusted by Design: How Windows Uses TPM to Secure PRTs", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Identity-related attacks remain a critical threat, with over 97% involving password spraying or brute force attempts. While multi-factor authentication (MFA) mitigates most of these, the remaining incidents\u2014predominantly token theft via malware\u2014account for more than 2.4% and are on the rise. Stolen tokens enable immediate, potentially persistent access to organisational resources. The Primary Refresh Token (PRT) combined with the Session Key (SK) allows impersonation of both users and endpoints.\r\n\r\nEndpoints lacking a Trusted Platform Module (TPM) are particularly vulnerable, as administrator privileges can facilitate trivial PRT and SK theft. Although TPM is required for Windows 11, many Windows 10 devices and servers remain unprotected.\r\n\r\nThis session explores the mechanics of TPM in safeguarding device identity and SK. Red Teamers will gain insights into dissecting TPM and PRT implementations for offensive strategies, while Blue Teamers will learn techniques to detect both successful and attempted PRT thefts.", "description": "According to the Microsoft Digital Defence Report 2025, more than 97% of identity-related attacks are password spray or brute force attacks. The majority of these attacks are not successful, as many organisations are enforcing multi-factor authentication (MFA). From the remaining three per cent, over 2.4% are token theft attacks by malware.\r\n\r\nThe number of token theft attacks has risen over the past few years, as stolen tokens give instant access to organisational resources. Depending on the stolen token, the access can be temporary or persistent. The most powerful token to steal is the Primary Refresh Token (PRT), which, along with the session key (SK), allows a threat actor to impersonate both the user and the endpoint from which the PRT was stolen.\r\n\r\nThe endpoints that are not using a Trusted Platform Module (TPM) and steal PRT and SK are trivial if the threat actor can obtain administrator permissions. TPM is mandatory for Windows 11 devices, but many Windows 10 devices and Windows servers still don\u2019t use TPM.\r\n\r\nBut how does TPM really work? During this session, you will learn how TPM protects device identity and SK to prevent PRT theft. For rRed Teamers, you\u2019ll learn how to study the details of TPM and PRT implementation. For Blue Teamers, you\u2019ll learn how to detect PRT theft \u2013 both successes and failures.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EYLMEQ", "name": "Dr Nestori Syynimaa", "avatar": null, "biography": "Dr Nestori Syynimaa is a Principal Identity Security Researcher at Microsoft Threat Intelligence Center He has over a decade of experience with the security of Microsoft cloud services and is known as the creator of the AADInternals toolkit. Before joining Microsoft in early 2024, Dr Syynimaa worked as a researcher, CIO, consultant, trainer, and university lecturer for over 20 years.\r\n\r\nDr Syynimaa has spoken in many international scientific and professional conferences, including IEEE TrustCom, TROOPERS, BSides, Black Hat USA, Europe, and Asia, Def Con, and RSA Conference.", "public_name": "Dr Nestori Syynimaa", "guid": "4afb668e-0fec-55e0-b171-68bcbd277b1a", "url": "https://cfp.troopers.de/tr26-cfp/speaker/EYLMEQ/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/QSHKUT/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/QSHKUT/", "attachments": []}, {"guid": "d27d6f00-71dc-580c-922e-8fc2764d4ace", "code": "QPGNZW", "id": 499, "logo": null, "date": "2026-06-24T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Track 2", "slug": "tr26-cfp-499-coffee-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/QPGNZW/", "title": "Coffee Break", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Special", "language": "en", "abstract": "Coffee Break", "description": "Coffee Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/QPGNZW/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/QPGNZW/", "attachments": []}, {"guid": "db690300-6e7e-54b6-91c8-13d7f319e296", "code": "XAZWFC", "id": 289, "logo": null, "date": "2026-06-24T16:45:00+02:00", "start": "16:45", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-289-do-apps-have-imposter-syndrome-unmasking-token-theft-campaigns", "url": "https://cfp.troopers.de/tr26-cfp/talk/XAZWFC/", "title": "Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "What began as a simple search for an OAuth application named \u201c0365\u201d quickly uncovered a broader threat: three distinct malicious OAuth application campaigns abusing the relationship between Azure applications and service principals. Using a pivoting methodology and detection model, we expanded beyond known indicators to map the full scope of these campaigns, identifying activity across more than 20 organizations.\r\nThe talk opens by outlining the OAuth application attack surface in Azure AD (Entra ID), explaining how attackers abuse consent flows, permissions, and application registrations, and why traditional security controls often fail to detect this activity. We then introduce our \u201cNext Campaign Finder,\u201d a structured detection approach built on four components: establishing baselines of legitimate OAuth applications, identifying recurring malicious traits, correlating metadata such as ownership, naming conventions, and reply URLs across tenants, and applying a weighted scoring model to prioritize high-risk applications.\r\nUsing this model, we reveal a malicious OAuth campaign impersonating trusted services such as Adobe and DocuSign, highlighting its defining characteristics. We then compare this activity with an earlier OAuth campaign discovered by the model dating back to 2019 and examine how attackers' tradecraft has evolved over time.\r\nA key focus of the talk is practical pivoting. We demonstrate how defenders can expand from a single known malicious app to a broader set of indicators. All techniques are presented in a way that allows any attendee to implement them directly in their own environment using standard identity and audit logs, without relying on vendor-exclusive telemetry.\r\nWe conclude with actionable defensive guidance, including detection strategies and mitigations enterprise defenders can apply today, lessons learned from the research process, and our perspective on how OAuth-based attacks are likely to evolve.", "description": "OAuth-based attacks have become a primary vector for adversaries to bypass MFA and gain persistent access to cloud environments. While many organizations treat suspicious applications as isolated incidents, these threats are often part of large-scale campaigns spanning dozens of tenants.\r\n\r\nThis session introduces the Next Campaign Finder, a structured methodology for identifying malicious OAuth clusters by correlating app metadata, ownership, and naming conventions. We will demonstrate how we used this model to uncover activity across 20+ organizations, identifying evolving tradecraft that impersonates trusted services like Adobe and DocuSign.\r\n\r\nAttendees will learn how to pivot from a single suspicious indicator to a comprehensive campaign map using standard identity and audit logs. We conclude with actionable detection strategies and mitigations that defenders can implement immediately to secure their Entra ID environments against sophisticated application-layer threats.", "recording_license": "", "do_not_record": false, "persons": [{"code": "Y73MU3", "name": "Sapir Federovsky", "avatar": null, "biography": "Sapir is a security researcher specializing in identity security. Passionate about understanding how identity works, she spends her time exploring the depths of Active Directory and Entra, uncovering security risks, attack techniques, and ways to defend against them.", "public_name": "Sapir Federovsky", "guid": "64b869a8-580b-58ce-9eca-7744494d91d3", "url": "https://cfp.troopers.de/tr26-cfp/speaker/Y73MU3/"}, {"code": "UDN83T", "name": "Shahar Dorfman", "avatar": null, "biography": "Shahar is a threat intelligence researcher at Wiz, where she focuses on identifying and analyzing emerging cyber threats to enhance security defenses.", "public_name": "Shahar Dorfman", "guid": "9ea4a9b0-83cc-55d3-a5e0-8f55e1e70e25", "url": "https://cfp.troopers.de/tr26-cfp/speaker/UDN83T/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/XAZWFC/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/XAZWFC/", "attachments": []}, {"guid": "b73a1bd5-a70d-5124-aded-c551f4073798", "code": "TVDCFG", "id": 401, "logo": null, "date": "2026-06-24T17:45:00+02:00", "start": "17:45", "duration": "00:30", "room": "Track 2", "slug": "tr26-cfp-401-windows-deployment-service-an-ad-blind-spot", "url": "https://cfp.troopers.de/tr26-cfp/talk/TVDCFG/", "title": "Windows Deployment Service: An AD Blind Spot?", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Lightning Talk (20 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Windows Deployment Services (WDS) is a partially deprecated Windows role providing PXE boot services for deploying machines over a LAN. Although its usage has declined since the release of Windows 11, it often remains in Active Directory environments because it has been overlooked, leaving even up-to-date networks potentially exposed. Default administrative practices, sometimes masked by Windows behaviors, further increase the attack surface. The recent deprecation of Microsoft Deployment Toolkit (MDT), widely used for image orchestration and customization alongside WDS, accelerates the ecosystem\u2019s retirement while leaving existing deployments exposed and security issues unresolved. This presentation examines the attack vectors that can be exploited against WDS servers in Active Directory environments. Scenarios will include credential leakage, WinPE image extraction, and a supply chain attack, demonstrated through examples from real-world penetration tests on information systems. Practical exploitation paths, common misconfigurations, and residual artifacts left after removal of PXE components will be highlighted. Possible ways to address these risks in enterprise environments will also be discussed.", "description": "# Outline\r\n\r\n## I. Introduction and Reminders\r\n\r\n### A. Main technical terms demystified\r\n\r\n- What exactly is PXE? Spoiler it's not a protocol, but a boot mechanism built on top of DHCP and TFTP \r\n- Role of WDS in an Active Directory environment\r\n- Interaction with MDT (Microsoft Deployment Toolkit) for automated deployment workflows\r\n\r\n### B. Origin of My Research and Where WDS Still Exists\r\n\r\n- Initially identified during real-world penetration tests, this exposure repeatedly appeared across multiple clients (including environments considered up to date).\r\n- In most cases, it was found in typical enterprise infrastructures where WDS had survived several Windows migrations, often within flat or poorly segmented networks, alongside abandoned yet still reachable servers.\r\n\r\n### C. Why It Becomes a Problem and Why It Is Still Here in 2026\r\n\r\n- Common misconfigurations that increase exposure across information systems\r\n- Online tutorials that explain how to use WDS and MDT, but rarely address security implications\r\n- Credentials often stored in deployment workflows to simplify administrative tasks\r\n- Implicit trust placed in the deployment infrastructure for years by sysadmins\r\n- Residual artifacts left behind after partial decommissioning of the WDS role\r\n- Migration complexity and low perceived risk among administrators: managing network-based deployments is operationally complex, and changing solutions requires extensive testing and training\r\n- Reluctance to pay for SCCM or migrate to Intune, a cloud-oriented solution\r\n\r\n## II. Demos\r\n\r\n### A. Reconnaissance Phase\r\n\r\n#### 1. Without Credentials - DHCP & TFTP\r\n\r\n- Simulate a PXE client using a VM or a physical machine, attempt to boot via PXE, and investigate sensitive files (credentials, etc.) exposed over the TFTP protocol (only possible if network segmentation is weak)\r\n- Obtain the PXE server address by requesting it from the DHCP server\r\n\r\n#### 2. With Active Directory Credentials - LDAP or SMB\r\n\r\n##### LDAP Object Enumeration to Retrieve the PXE Server\r\n\r\n- Practical techniques for enumerating WDS-related objects in Active Directory (when domain-integrated)\r\n\r\n##### SMB Enumeration\r\n\r\n- Discovery of SMB shares whose names almost never change: `REMINST\\` (readable by any authenticated domain user by default, and considered normal behavior) or `DeploymentShare$\\` (usually restricted to the local admin and, in practice, to domain administrators as well)\r\n- Why SMB is often more practical than TFTP from an attacker\u2019s perspective when targeting a WDS server\r\n\r\n### B. Exploitation - Manual\r\n\r\n#### 1. Direct Credential Extraction\r\n\r\n- Direct access to deployment configuration and automation files that may contain credentials\r\n\r\n#### 2. Offline Image Abuse\r\n\r\n- Inspection of `.wim` images when no credentials are exposed in accessible shares (focus on the WinPE image) \r\n- Local extraction and file system reconstruction for credential hunting\r\n\r\n#### 3. Supply Chain Attack - Misconfigured deployment server in production you said?\r\n\r\nAttack surface:\r\n\r\n- Misconfigured `DeploymentShare$\\` with read and write access for all domain users\r\n- Ability to modify existing deployment scripts (Malicious code execution during the next deployment cycle without creating a new task sequence)\r\n\r\n### C. Exploitation \u2013 Partially Automated\r\n\r\n- Introducing the module wds_mdt from nxc (NetExec) \r\n- Brief overview of other existing tools\r\n- Step-by-step demonstration with sequential screenshots of the attack workflow\r\n\r\n## III. What About Detection?\r\n\r\n- Why standard EDR/XDR solutions usually do not generate alerts\r\n- Operations resemble legitimate administrative activity\r\n- Only noisy behavior, such as large SMB scans to locate the `REMINST\\` share, tends to trigger detection\r\n- Logging blind spots in both Windows and network monitoring\r\n- How detection and logging can be improved, and what preventive measures can be implemented\r\n\r\n## IV. Remediation and Defensive Guidance\r\n\r\n- Fully decommission or isolate the WDS server (if WDS is no longer used)\r\n- Clean up deployment share files, including `REMINST\\` and `DeploymentShare$\\`\r\n- Use a dedicated network segment for PXE traffic in any case\r\n- Deploy a dedicated DHCP server isolated from the main DHCP infrastructure\r\n- Consider migrating to MECM or third-party solutions such as Ivanti or FOG Project\r\n\r\n## V. Takeaways\r\n\r\n- WDS remains widely overlooked in many enterprise environments, which makes it a particularly valuable Active Directory pivot point from an attacker\u2019s perspective.\r\n- Deployment SMB shares and associated WinPE images frequently expose credentials or sensitive configuration data, even in infrastructures considered mature or up to date.\r\n- Removing the WDS role alone does not eliminate the risk. Residual deployment shares and legacy configuration artifacts must also be audited and cleaned.\r\n- Most abuse scenarios rely on legitimate protocols and expected administrative behavior. In practice, this type of activity has never triggered an EDR or XDR alert during real-world engagements.", "recording_license": "", "do_not_record": false, "persons": [{"code": "PTFNSE", "name": "Geoffrey Sauvageot-Berland", "avatar": null, "biography": "I am an engineer in computer science and cybersecurity with a generalist background. Initially a systems and network administrator, I am currently working as a pentester at Orange Cyberdefense, specializing in offensive security. I also teach as a lecturer at CPE Lyon and occasionally share technical content through my blog \u201cLe Guide du SecOps\u201d.", "public_name": "Geoffrey Sauvageot-Berland", "guid": "c29a7c20-519e-5b45-878d-3cfb3b4b10b2", "url": "https://cfp.troopers.de/tr26-cfp/speaker/PTFNSE/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/TVDCFG/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/TVDCFG/", "attachments": []}, {"guid": "1d8b0990-9d87-5eac-a6f7-b70fa11e17ed", "code": "G8FH3R", "id": 386, "logo": null, "date": "2026-06-24T18:15:00+02:00", "start": "18:15", "duration": "00:30", "room": "Track 2", "slug": "tr26-cfp-386-from-packets-to-intent-hunting-adversaries-in-ai-telemetry", "url": "https://cfp.troopers.de/tr26-cfp/talk/G8FH3R/", "title": "From Packets to Intent: Hunting Adversaries in AI Telemetry", "subtitle": "", "track": "Defense & Management", "type": "Lightning Talk (20 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "As AI systems become part of critical products and workflows, they introduce a new security surface where attacks happen through language. In traditional security domains, threat hunting focuses on signals such as network ports, traffic patterns, or system activity. In AI security, the signals are different. Instead of packets and processes, defenders analyze text interactions with models to identify malicious intent.\r\n\r\nEffective threat hunting in AI systems requires more advanced tools. Signals hidden within natural language often require analyzing text using tools such as embedding models and perplexity to surface suspicious intent and anomalous behavior. In this talk we demonstrate a novel approach for conducting effective threat hunting in AI driven applications.", "description": "AI security changes the defender\u2019s job, the attack surface is no longer limited to hosts, identities, and network traffic. When language becomes the interface to business logic, data access, and automated actions, malicious behavior can look like normal user interaction unless you know what to look for.\r\n\r\nThis talk focuses on threat hunting in AI systems from a practical security perspective. It examines the signals defenders can use when investigating text driven attacks, including prompt structure, semantic similarity, anomalous intent, embeddings, perplexity, and suspicious workflow patterns across models, tools, and retrieval layers.\r\n\r\nThe talk will also cover concrete attack scenarios such as prompt injection, abuse of agent capabilities, and attempts to extract sensitive information through model interaction. The goal is to show how defenders can move from generic AI security concerns to usable hunting methods and detection strategies that work in production environments.", "recording_license": "", "do_not_record": false, "persons": [{"code": "VNG97J", "name": "Raz Tel-Vered", "avatar": null, "biography": "Raz is a technological leader specializing in research and development of production grade solutions at the intersection of AI and cybersecurity. He has developed innovative solutions for addressing advanced security challenges and leveraging AI to detect and mitigate sophisticated threats. \r\nRaz currently works at Zenity, where he focuses on defining and advancing the field of AI Agents security. With extensive hands on experience in data, AI, modern cybersecurity techniques and real world threat detection, he brings a unique blend of technical depth, innovation, and practical impact to securing AI driven environments.", "public_name": "Raz Tel-Vered", "guid": "7e27a922-83dc-5d65-b7d8-5d4445883e13", "url": "https://cfp.troopers.de/tr26-cfp/speaker/VNG97J/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/G8FH3R/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/G8FH3R/", "attachments": []}], "Track 3": [{"guid": "4b6127c7-4049-572f-9d98-da871a9b03b5", "code": "Q8YBDC", "id": 496, "logo": null, "date": "2026-06-24T10:30:00+02:00", "start": "10:30", "duration": "00:30", "room": "Track 3", "slug": "tr26-cfp-496-coffee-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/Q8YBDC/", "title": "Coffee Break", "subtitle": "", "track": "Defense & Management", "type": "Special", "language": "en", "abstract": "Coffee Break", "description": "Coffee Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/Q8YBDC/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/Q8YBDC/", "attachments": []}, {"guid": "3ed8be56-892d-5e53-bdfe-f5669ee3abf4", "code": "JZ8Z3D", "id": 341, "logo": null, "date": "2026-06-24T11:00:00+02:00", "start": "11:00", "duration": "01:00", "room": "Track 3", "slug": "tr26-cfp-341-get-in-loser-we-re-upgrading-the-internet-lessons-from-deploying-post-quantum-cryptography-across-akamai-s-global-content-delivery-network", "url": "https://cfp.troopers.de/tr26-cfp/talk/JZ8Z3D/", "title": "Get in Loser, We're Upgrading the Internet -- Lessons from Deploying Post-Quantum Cryptography across Akamai's global Content Delivery Network", "subtitle": "", "track": "Defense & Management", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "The adoption of Post-Quantum Cryptography (PQC) is in full swing, and many cryptographic toolkits and libraries now support both pure and hybrid PQC algorithms like X25519MLKEM768.  But what does it look like to integrate PQC into a global CDN infrastructure to protect a significant chunk of all internet traffic?  In this talk, I will discuss the lessons from leading the PQC adoption program at Akamai and deploying quantum security at internet scale, including key exchange algorithm selection, the impact of the increased key sizes on performance and time-to-first-byte, as well as what lies beyond just the TLS key exchange bits most of us are currently focused on.", "description": "NIST standardized the first post-quantum cryptography algorithms in 2024, and browsers quickly followed with the adoption of the hybrid X25519MLKEM768 TLS 1.3 key exchange.  Government around the world have since laid out timelines for the adoption of quantum-safe technologies with a time horizon of 2030-2035, meaning at this point it is almost irrelevant whether or not an actual Cryptographically Relevant Quantum Computer (CRQC) will manifest before then: huge industry sectors subject to compliance requirements will need to overhaul their entire crypto stack in the next 10 years.  If you have any experience working in these industries, that is not a very long time.\r\n\r\nAcross the industry, several large infrastructure service providers have already moved to X25519MLKEM768.  One of them is Akamai, who provide one of the world's largest content delivery networks serving a significant portion of all internet traffic for thousands of customers across all verticals.\r\n\r\nRolling out post-quantum cryptography across Akamai's CDN was a multi-year effort that required careful balancing of customer requirements, client capabilities, collaboration within the IETF and our industry peers, and consideration of performance impact and standards compliance across multiple legs of the common TLS connections involved in a CDN.\r\n\r\nIn this talk, I will discuss the lessons learned, including key exchange algorithm selection, the impact of the increased key sizes on performance and time-to-first-byte, how to get the buy-in from your executives to fund such a large program as well as how to nudge your more conservative customers and help them in the adoption.\r\n\r\nIn addition, I'll give a look ahead at what's next within the industry with respect to PQC, including the many places where TLS is used outside of an HTTPS context, what the deployment of post-quantum certificates will look like, and where else in your infrastructure you need to pay attention.", "recording_license": "", "do_not_record": false, "persons": [{"code": "F8BVDP", "name": "Jan Schaumann", "avatar": null, "biography": "Jan Schaumann is an accidental information security professional, currently working as Chief Information Security Architect at Akamai, an Adjunct Professor of Computer Science at Stevens Institute of Technology, and Actual Human on the Internet with more than 25 years of experience ignoring all previous instructions and building and securing high-availability services at internet scale. His broad interests include all areas of information security and the overall health of the internet, as well as the safety and privacy of its users.\r\n\r\nChances are you've interacted directly or indirectly with code, sites, and systems on the internet that he has touched. (He'd like to apologize for any inconveniences this may have caused.)\r\n\r\nYou can follow Jan on [Mastodon](https://mstdn.social/@jschauma/) and catch some of his articles from his [blog](https://www.netmeister.org/blog/).", "public_name": "Jan Schaumann", "guid": "1f2bdb35-55a7-5cec-9675-9473427ef64f", "url": "https://cfp.troopers.de/tr26-cfp/speaker/F8BVDP/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/JZ8Z3D/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/JZ8Z3D/", "attachments": []}, {"guid": "71b7f24d-dc80-520a-a541-7c88bbe9f619", "code": "WZ9YRV", "id": 467, "logo": null, "date": "2026-06-24T12:00:00+02:00", "start": "12:00", "duration": "01:00", "room": "Track 3", "slug": "tr26-cfp-467-our-journey-from-sbom-to-assbomb", "url": "https://cfp.troopers.de/tr26-cfp/talk/WZ9YRV/", "title": "Our Journey, from SBOM to ASSBOMB", "subtitle": "", "track": "Defense & Management", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "This talk is about the nasty corner cases in generating an SBOM. A noble and justified demand, by both customers as well as regulators alike, but with so many more obstacles than initially expected. We were naive. We thought \"how hard can it be to list all software components in a product?\".\r\n\r\nWith increasing regulatory demand i.e., the cyber resilience act, we would like to share some of the observations we made. Some of the challenges we encountered will seem familiar to people working on the subject, some may be completely new for you. They will cover legacy software, how naming things can be hard, technical debt, issues with the NIST CVE data enrichment (or lack thereof), and more.\r\n\r\nSpoiler: AI won't help you here.", "description": "ASSBOMB is the *automotive security & software bill of material*.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MWERYW", "name": "Martin Schmiedecker", "avatar": null, "biography": "Automotive security by day, online privacy by night. Digital forensics & teaching it in between. Too many projects for too little time \u2026", "public_name": "Martin Schmiedecker", "guid": "c3d4327a-7854-5914-b79a-a5307a575ac3", "url": "https://cfp.troopers.de/tr26-cfp/speaker/MWERYW/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/WZ9YRV/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/WZ9YRV/", "attachments": []}, {"guid": "c672cca0-f1c1-58df-9021-0e685ec538d5", "code": "REMT7R", "id": 502, "logo": null, "date": "2026-06-24T13:00:00+02:00", "start": "13:00", "duration": "01:15", "room": "Track 3", "slug": "tr26-cfp-502-lunch-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/REMT7R/", "title": "Lunch Break", "subtitle": "", "track": "Defense & Management", "type": "Special", "language": "en", "abstract": "Lunch Break", "description": "Lunch Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/REMT7R/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/REMT7R/", "attachments": []}, {"guid": "6ced0e2e-7fa0-5924-9530-62bb7259edaa", "code": "FNNPCB", "id": 517, "logo": null, "date": "2026-06-24T14:15:00+02:00", "start": "14:15", "duration": "01:00", "room": "Track 3", "slug": "tr26-cfp-517-coming-soon", "url": "https://cfp.troopers.de/tr26-cfp/talk/FNNPCB/", "title": "Coming soon :)", "subtitle": "", "track": "Defense & Management", "type": "Special", "language": "en", "abstract": "<!-- -->", "description": "<!-- -->", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/FNNPCB/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/FNNPCB/", "attachments": []}, {"guid": "188990d8-ffdc-536c-82b1-8ebcdf3a4553", "code": "F3XCER", "id": 373, "logo": null, "date": "2026-06-24T15:15:00+02:00", "start": "15:15", "duration": "01:00", "room": "Track 3", "slug": "tr26-cfp-373-breaking-the-control-plane-exploiting-mcp-servers-in-ai-workflows", "url": "https://cfp.troopers.de/tr26-cfp/talk/F3XCER/", "title": "Breaking the Control Plane: Exploiting MCP Servers in AI Workflows", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Model Context Protocol (MCP) servers are rapidly becoming the integration layer between AI agents and real-world systems. They connect models to ticketing platforms, source control, CI/CD pipelines, internal APIs, and local files, often running with production credentials and network reach.\r\n\r\nDespite this, MCP servers are frequently deployed as \u201cdeveloper tooling,\u201d bound to 0.0.0.0, and rarely threat-modeled as infrastructure.\r\n\r\nIn this talk, we present offensive research into the MCP ecosystem and demonstrate how classic vulnerability classes become significantly more impactful when placed inside agent-driven automation layers.\r\n\r\nThrough real-world case studies, including critical vulnerabilities affecting a widely deployed Atlassian MCP server (4M+ downloads), we show how network-reachable services can be coerced into outbound pivoting, filesystem control, and full remote code execution.", "description": "This talk presents a systematic offensive analysis of open-source MCP servers and their deployment patterns.\r\n\r\nMCP servers are increasingly embedded in AI workflows to bridge agents with external systems. In practice, they:\r\n\r\n- Hold API tokens and personal access tokens\r\n- Perform outbound HTTP requests\r\n- Read and write to local filesystems\r\n- Execute privileged automation steps\r\n- Are often bound to 0.0.0.0 by default\r\n\r\nThe research focuses on:\r\n- Control-plane override via header injection: Demonstrating how unvalidated service URL headers allow attackers to redirect outbound requests, bypassing intended configuration boundaries.\r\n\r\n- Chaining SSRF into filesystem primitives: Turning outbound request control into arbitrary file write capabilities under realistic deployment conditions.\r\n\r\n- Privilege amplification in agent-driven systems: How automation workflows amplify classical primitives into infrastructure-level compromise.\r\n\r\n- Middleware and dependency-layer attack surfaces: Why reviewing tool handlers is insufficient when trust boundaries are broken earlier in the request lifecycle.\r\n\r\nAs a concrete example, we will present two critical CVEs we disclosed in a widely used Atlassian MCP server that enable an unauthenticated SSRF -> arbitrary file write -> RCE chain (CVE-2026-27825, CVE-2026-27826)\r\n\r\nBeyond individual bugs, we show recurring structural weaknesses across MCP servers and explain why they are likely to become attractive lateral movement and pivot targets in enterprise AI environments.", "recording_license": "", "do_not_record": false, "persons": [{"code": "QWKEXD", "name": "Yotam", "avatar": null, "biography": "Yotam Perkal leads security research at Pluto Security, a next-generation AI security and governance platform designed to protect the rapidly emerging ecosystem of AI builders, low-code/no-code tools, and agentic applications. His work focuses on securing AI-native development environments and building scalable methods for detecting, validating, and mitigating risks in AI-driven software workflows.\r\n\r\nPreviously, Yotam led the Threat Research team at Zscaler, headed the Vulnerability Research team at Rezilion, and held multiple roles within PayPal\u2019s security organization across vulnerability management, threat intelligence, and insider threat.\r\n\r\nYotam is an active participant in several cross-industry working groups dealing with AI security, vulnerability management, and supply chain security.", "public_name": "Yotam", "guid": "20f4df10-34af-5ce8-96b2-f8477e813e9f", "url": "https://cfp.troopers.de/tr26-cfp/speaker/QWKEXD/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/F3XCER/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/F3XCER/", "attachments": []}, {"guid": "29f36b8c-01ba-508f-bed6-875f4fb64c99", "code": "F9ANPZ", "id": 495, "logo": null, "date": "2026-06-24T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Track 3", "slug": "tr26-cfp-495-coffee-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/F9ANPZ/", "title": "Coffee Break", "subtitle": "", "track": "Defense & Management", "type": "Special", "language": "en", "abstract": "Coffee Break", "description": "Coffee Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/F9ANPZ/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/F9ANPZ/", "attachments": []}, {"guid": "dc67b273-42ad-55a5-973f-236c8cec3778", "code": "CSA7WS", "id": 451, "logo": null, "date": "2026-06-24T16:45:00+02:00", "start": "16:45", "duration": "01:00", "room": "Track 3", "slug": "tr26-cfp-451-every-component-passed-review-so-how-did-the-agent-exfiltrate-everything", "url": "https://cfp.troopers.de/tr26-cfp/talk/CSA7WS/", "title": "Every Component Passed Review \u2014 So How Did the Agent Exfiltrate Everything?", "subtitle": "", "track": "Defense & Management", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Organizations are rolling out Copilot, custom agents, and MCP-based tool integrations. Their security teams keep doing what they've always done: decompose the system into components, assess each one, check the boxes. The problem is that agentic AI attacks don't stay inside those boxes. A retrieved document biases the planner, the planner picks the wrong tool, the tool acts on stale permissions, a second agent trusts the output without verification. We've seen this play out in real incidents: zero-click prompt injection in enterprise copilots, indirect data exfiltration through tool chains. Every component passes its security review. The attack path between them does not.\r\n\r\nThis talk introduces a five-zone decomposition for agentic AI architectures: input surfaces, planning and reasoning, tool execution, memory and state, and inter-agent communication. These five zones describe where attacks enter the agent loop and how they cross trust boundaries that traditional threat models treat as separate concerns.\r\n\r\nI walk through three scenarios: RAG pipeline poisoning, tool-integration supply-chain attacks via MCP (Model Context Protocol), and multi-agent goal cascades. For each one, I show how to trace cross-zone attack paths and build attack trees that capture the propagation your current reviews miss. Each scenario maps to OWASP Top 10 for LLM and Agentic AI Applications controls with concrete mitigations.\r\n\r\nYou leave with a seven-step methodology, a threat-zone mapping template, a cross-zone attack-path checklist, and worked attack trees. Artifacts your team can apply to your own agentic AI deployments the following week.", "description": "Standard security reviews look at agentic AI components one at a time. Real attacks chain across trust boundaries between retrieval, planning, tool execution, memory, and inter-agent communication. This talk presents a five-zone decomposition and a seven-step methodology for tracing cross-boundary attack chains in agentic AI systems. Three worked scenarios (RAG poisoning, MCP tool-integration supply-chain attacks, multi-agent cascades) with attack trees, mapping templates, and OWASP-aligned mitigations you can apply to your own deployments.\r\n\r\n**Key takeaways:**\r\n\r\n- A five-zone decomposition that extends existing threat modeling practice to agentic AI architectures\r\n- Worked cross-zone attack paths grounded in real-world attack patterns\r\n- A seven-step methodology and ready-to-use templates to find attack chains your current reviews miss\r\n- Agentic AI attack patterns mapped to OWASP controls with concrete mitigations\r\n\r\n**Target audience:** Security architects, blue team leads, and security managers evaluating or deploying agentic AI systems\r\n\r\n**Level:** Intermediate\u2013Advanced", "recording_license": "", "do_not_record": false, "persons": [{"code": "LV9LD7", "name": "Christian Schneider", "avatar": null, "biography": "Christian Schneider is a security architect, pentester, and trainer helping development teams integrate threat modeling into engineering workflows. He advises organizations adopting agentic AI and builds threat models that reveal cross-boundary attack paths. His work bridges offensive security and architecture: finding systemic gaps and helping teams close them.", "public_name": "Christian Schneider", "guid": "3fffaab1-f33e-5e74-bcf5-3e48c555139f", "url": "https://cfp.troopers.de/tr26-cfp/speaker/LV9LD7/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/CSA7WS/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/CSA7WS/", "attachments": []}, {"guid": "b71da09a-fb26-5d32-af77-a315f1a89009", "code": "BFGHNM", "id": 518, "logo": null, "date": "2026-06-24T17:45:00+02:00", "start": "17:45", "duration": "00:30", "room": "Track 3", "slug": "tr26-cfp-518-coming-soon", "url": "https://cfp.troopers.de/tr26-cfp/talk/BFGHNM/", "title": "Coming soon :)", "subtitle": "", "track": "Defense & Management", "type": "Special", "language": "en", "abstract": "<!-- -->", "description": "<!-- -->", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/BFGHNM/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/BFGHNM/", "attachments": []}, {"guid": "b7ab758b-c459-5be0-84c1-cc7beb4e1ce2", "code": "RRYVJ3", "id": 430, "logo": null, "date": "2026-06-24T18:15:00+02:00", "start": "18:15", "duration": "00:30", "room": "Track 3", "slug": "tr26-cfp-430-novel-attack-techniques-targeting-the-underlying-infrastructure-of-bedrock-applications", "url": "https://cfp.troopers.de/tr26-cfp/talk/RRYVJ3/", "title": "Novel attack techniques targeting the underlying infrastructure of Bedrock applications", "subtitle": "", "track": "Attack & Research", "type": "Lightning Talk (20 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "There are many attacks, new and old, arising from the push to GenAI. In a world that encourages developers to adopt coding agents, and is shifting to AI enabled workflows, we must ask ourselves \u2013 are we handling the new security risks this introduces? \r\n\r\nAmazon Bedrock is already being utilized across the board in all stages, from the development lifecycle up to production applications, with broad permissions over AWS resources. The rapid growth of Bedrock usage reproduces common configuration patterns that lead to data leaks, destruction, and tampering.  \r\n\r\nIf you are interested in learning about novel attack methods against Bedrock applications across your AWS organization, this talk is for you. You will learn how common misconfigurations in Bedrock can lead to data exfiltration, lateral movement, and security control weakening in your AWS organization. Join us to hear more.", "description": "1. Introduction - 4 minutes \r\n\r\n    In this introduction, we will give a quick overview of Bedrock applications and how they integrate with the AWS ecosystem. In the following sections we will demonstrate novel attack techniques against Bedrock applications and describe possible mitigations. \r\n\r\n    AWS Bedrock has become the go-to managed AI service for enterprises who want to use GenAI in their workflow.  \r\n\r\n    Bedrock's native integration with compute resources, application logic, serverless functions, and cloud storage makes it a capable platform for deploying foundation models at scale. Security research is focused almost exclusively on LLM-layer concerns like prompt injection and jailbreaks, leaving the infrastructure layer largely unexamined.  \r\n\r\n    We will take the audience through practical attack techniques targeting Bedrock-specific configurations and show how attackers are already exploiting the gap between \"we deployed AI\" and \"we secured it\u201d. \r\n\r\n2. How companies misuse Bedrock due to misconceptions in security implementations \u2013 1 minute \r\n\r\n    Many companies use Bedrock with direct data access. Issues begin when they `carelessly` assign permissions, as permissions in Bedrock do not always act as one may think in an AWS multi-tenant environment. \r\n\r\n3. Novel attack methods against Bedrock \u2013 15 minutes \r\n\r\n    a. Accessing production data from development accounts by abusing guardrails \u2013 Everyone uses guardrails in critical Bedrock applications. Guardrail permission policies may lead to data exfiltration and model abuse in unexpected ways when using common configurations.\r\n\r\n    b. Bedrock agents can be abused as a privilege escalation method, exposing its inner workings, and silently `granting` privileges by exposing access keys and other credentials or secrets that it can access. \r\n\r\n4. Conclusions & Takeaways \u2013 5 minutes \r\n\r\n    a. Recap of the attack techniques and mitigation methods. \r\n\r\n    b. Takeaways for architects and security teams.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7VUXDP", "name": "Maya Parizer", "avatar": null, "biography": "Maya Parizer is a Security Researcher at Varonis with a passion for cloud security, identity, and data protection, specializing in IaaS and AI. Maya dives deep into every project, thoroughly investigating cloud environments to uncover potential vulnerabilities and stealthy attack techniques. Her experience spans both offensive and defensive disciplines - including CSPM, DSPM, vulnerability research, detection engineering, and product security research in cloud environments.", "public_name": "Maya Parizer", "guid": "27ab4240-3580-57b5-9e4b-36d67a2eb93a", "url": "https://cfp.troopers.de/tr26-cfp/speaker/7VUXDP/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/RRYVJ3/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/RRYVJ3/", "attachments": []}]}}, {"index": 2, "date": "2026-06-25", "day_start": "2026-06-25T04:00:00+02:00", "day_end": "2026-06-26T03:59:00+02:00", "rooms": {"Track 1": [{"guid": "fe30ec04-697e-5109-9dc9-c908d54f362e", "code": "8MDPWZ", "id": 360, "logo": null, "date": "2026-06-25T10:00:00+02:00", "start": "10:00", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-360-watch-your-kids-hacking-children-s-smartwatches", "url": "https://cfp.troopers.de/tr26-cfp/talk/8MDPWZ/", "title": "Watch Your Kids: Hacking Children's Smartwatches", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Do you know where your children are? Are you sure? Join us as we take apart the smartwatches worn by millions of kids around the world. We'll cover everything including initial access, firmware and protocol reversing, remote child teleportation, and how to get vendors to listen to you.", "description": "If you're paying attention, you'll notice that more and more young children are running around with smartwatches on their wrists (perhaps yours, too?). Sold by major mobile network operators and advertised on the subway, these watches promise a safe introduction into the digital world, a step before the first smartphone with its dangerous algorithms and the wide open Internet.\r\n\r\nFor kids, these watches boast fun games and colorful designs, while parents get a way to call, text, and locate their child at any time.\r\n\r\nWith nothing less than their children at stake, parents rightfully worry about safety and security. The website of leading Norwegian children's watch developer Xplora is full of promises offering just that: Total safety and peace of mind, European privacy, GDPR compliance, and German datacenters far away from Big Tech.\r\n\r\nBut how much are these claims really worth?\r\n\r\nWe take you along the process of hacking one of the most popular children's watches out there, from gaining initial access to running our own code on the watch. Along the way, we find critical security issues at every turn. Our PoC attacks allow us to read and write messages, virtually abduct arbitrary children, and take control over any given watch.\r\n\r\nWe also give you a detailed look into the vulnerability disclosure process, with many false starts, curious fixes, and tips for how to get vendors to listen. Finally, we'll look at what changed in the aftermath of our disclosure and if parents can really sleep soundly now.", "recording_license": "", "do_not_record": false, "persons": [{"code": "WLFQLV", "name": "Nils Rollshausen", "avatar": null, "biography": "Somehow \u2014 and without ever having owned more than an iPod \u2014 Nils fell down the Apple rabbit hole and now spends their days reverse-engineering Apple's devices and uncovering the bits of magic hiding inside the machines that surround us every day. They are interested in all things privacy & security and like to build new things every now and then, instead of only breaking what's already there. Currently, they are pursuing a PhD in computer science at the Secure Mobile Networking Lab (SEEMOO) of TU Darmstadt.", "public_name": "Nils Rollshausen", "guid": "2598d4ba-38dc-551f-9a61-1318e01aea35", "url": "https://cfp.troopers.de/tr26-cfp/speaker/WLFQLV/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/8MDPWZ/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/8MDPWZ/", "attachments": []}, {"guid": "d5a58354-c28b-58f5-8fdd-07c74eea16a3", "code": "UZR8NA", "id": 474, "logo": null, "date": "2026-06-25T11:00:00+02:00", "start": "11:00", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-474-whatsapp-view-once-four-exploits-and-a-funeral", "url": "https://cfp.troopers.de/tr26-cfp/talk/UZR8NA/", "title": "WhatsApp View Once: Four Exploits and a Funeral", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "With 3 billion active users spanning every geography, age group, and technical sophistication level, WhatsApp carries more private human communication than any platform in history. View Once is its promise to journalists, activists, abuse survivors, and ordinary users that sensitive media will be seen once and disappear forever.\r\nWe broke that promise. Four times.\r\nOver two years of research and responsible disclosure, we dismantled View Once through four successive exploits, each one forcing a deeper dive into WhatsApp's internal architecture: E2EE encryption with the Signal Protocol's Double Ratchet algorithm, multi-device support with the Sesame Algorithm, and WhatsApp's inter-device Sync protocol. We detail these exploits technically and walk through the disclosure process and its outcomes. The first three were properly fixed. WhatsApp surprisingly gave up on fixing the fourth.\r\nThe talk is deeply technical, but the deepest finding is not. This inconsistency stems from a single methodological flaw: no defined security model for View Once. Without a target, every failure becomes a \"best effort\" shrug. We call this Cheshire Cat Security. When you don't know where you're going, any road gets you there.\r\nWe close by proposing a relevant security model for View Once, articulating what we believe it should defend against, what should be explicitly scoped out, and how existing DRM technology already provides the foundation to build it right.", "description": "&nbsp;", "recording_license": "", "do_not_record": false, "persons": [{"code": "MSQ9MB", "name": "Tal Be'ery", "avatar": null, "biography": "Tal Be'ery is the Co-Founder and CTO of ZenGo, securing crypto assets with the ZenGo Wallet mobile app. Tal is a cyber-security researcher, returning speaker in the industry's most prestigious events, including Black Hat and RSAC and a member of Facebook's exclusive WhiteHat list. For the last two decades, Tal had built and led a few Cyber-Security R&D teams, mostly in the field of network monitoring solving various security problems. Previously, Tal has led research for Aorato (acquired by Microsoft) as VP for Research. Tal holds M.Sc. and B.Sc degrees in CSEE from TAU and a CISSP certification", "public_name": "Tal Be'ery", "guid": "93a2f5d8-bedc-5513-b284-330da318dbf5", "url": "https://cfp.troopers.de/tr26-cfp/speaker/MSQ9MB/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/UZR8NA/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/UZR8NA/", "attachments": []}, {"guid": "64b25b56-2860-5076-855e-a9174510c89e", "code": "SBQMZU", "id": 505, "logo": null, "date": "2026-06-25T12:00:00+02:00", "start": "12:00", "duration": "01:15", "room": "Track 1", "slug": "tr26-cfp-505-lunch-break-charity-auction", "url": "https://cfp.troopers.de/tr26-cfp/talk/SBQMZU/", "title": "Lunch Break + Charity Auction", "subtitle": "", "track": "Attack & Research", "type": "Special", "language": "en", "abstract": "Lunch Break", "description": "Lunch Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/SBQMZU/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/SBQMZU/", "attachments": []}, {"guid": "a88b98d3-5507-5d34-8246-6901e9735e5e", "code": "QADSVY", "id": 469, "logo": null, "date": "2026-06-25T13:15:00+02:00", "start": "13:15", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-469-a-sim-hacking-odyssey-can-a-sim-hack-you", "url": "https://cfp.troopers.de/tr26-cfp/talk/QADSVY/", "title": "A SIM Hacking Odyssey: Can a SIM hack YOU?", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "This talk shows our 4-year long journey of investigating SIM-originating attacks. We discovered multiple vulnerabilities across a myriad of devices ranging from phones to car chargers. The highlighted attacks include privacy leaks, corrupted memories in basebands, lockscreen bypasses and other logic bugs allowing us to control modems in unexpected ways.\r\n\r\nBeyond these attacks, we discuss the tooling we built along the way and provide an outlook into the future research of this attack surface.", "description": "All mobile devices connected to contemporary cellular networks must contain a SIM card, be it a removable plastic card, or an embedded SIM (eSIM). Mobile device vendors, and users of these devices, seldom question the trust put into the SIM card and the physical interface they plug into. The result is an interface with an ever-growing complexity, and an assortment of unsafe-by-design, legacy features that remained from the early-days when they may have been useful for delivering certain carrier services to under-powered \u201cdumb\u201d devices.\r\n\r\nIn this presentation, we describe our chronological exploration of various aspects of the SIM-ME (mobile equipment) interface. While earlier work already demonstrated the potential dangers of this attack surface, we found tooling and public information on the topic to be sparse, motivating us to dive deep into the topic.\r\n\r\nTo reduce the barrier of entry, we developed open-source research tooling, beginning with SIMurai. The framework combines a smart card emulation framework with a SIM emulator built on top of it, and allows us to explore the attack surface without the need of physical (research) SIMs. We integrated SIMurai with baseband firmware emulation to enable fuzz testing, which led us to the discovery of three vulnerabilities. We were also able to reimplement existing attacks such as SIMJacker-style location stealing. Extending the insights gained from emulation, we also explored the facilities available to hostile SIM applets and malicious SIM interposers. \r\n\r\nMost recently, we developed CATana to explore the RUN AT proactive command, i.e., a specification-defined feature to allow SIM cards to issue AT commands directly to the ME. An exploration of phones and IoT modems revealed that despite little legitimate use cases, running AT commands provided by the SIM is supported on various devices. To highlight the threats posed by this interface, we developed a range of attacks. To gauge how these attacks would look in production, when victim devices are connected to real cellular networks, we extend our existing frameworks with interposing capabilities.\r\n\r\nLastly, we look into the future of SIM-originating attacks with our SIMcurity project. We actively develop new tooling, such as SIMuscope, and provide an outlook on the new research directions we want to enable. Overall, we hope to encourage members of the community to take part in exploring and securing this ubiquitous technology.", "recording_license": "", "do_not_record": false, "persons": [{"code": "STVW73", "name": "Tomasz Lisowski", "avatar": null, "biography": "Tomasz Lisowski is a PhD student at the University of Birmingham who is actively exploring the security of cellular technologies, in particular, SIM cards. This resulted in an ever-growing range of open-source tools, demos, and experiments involving SIM cards and the cellular devices they are connected to.", "public_name": "Tomasz Lisowski", "guid": "f13697e2-678d-54ca-9224-890f800dab6c", "url": "https://cfp.troopers.de/tr26-cfp/speaker/STVW73/"}, {"code": "8NKALJ", "name": "Marius Muench", "avatar": null, "biography": "Dr.Marius Muench is an assistant professor at the University of Birmingham. His research interests cover (in-)security of embedded systems, binary & microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as a postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands.\r\n\r\nThroughout his career, Marius publicly shared his findings and presented at venues such as Black Hat, DEFCON, Reverse.io, REcon, and Hardwear.io.", "public_name": "Marius Muench", "guid": "f3c3f333-b481-5608-a11d-8475e883e0cf", "url": "https://cfp.troopers.de/tr26-cfp/speaker/8NKALJ/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/QADSVY/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/QADSVY/", "attachments": []}, {"guid": "a614b939-5757-5c5f-b39e-847007698bb2", "code": "BYWYCQ", "id": 459, "logo": null, "date": "2026-06-25T14:15:00+02:00", "start": "14:15", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-459-v2x-wardriving-they-drive-we-listen", "url": "https://cfp.troopers.de/tr26-cfp/talk/BYWYCQ/", "title": "V2X Wardriving - They Drive, We Listen", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "In this talk we explore the prevalence of Vehicle-to-Everything (V2X) capabilities in modern cars, the deployment of active infrastructure components, the types of exchanged messages, and associated privacy and security concerns. We explain C-ITS standards in Europe, how to use off-the-shelf components to research protocols, present the tooling we developed and share discoveries and areas for further exploration.", "description": "The concept of Vehicle-to-Everything (V2X) has been circulating for years. It envisioned vehicles coordinating traffic among each other, traffic lights signalling green light phases and road signs warning drivers of road works even before the driver could see them. It turns out this vision quietly turned into reality in recent years: Many newer cars now feature Cooperative Intelligent Transport Systems and Services (C-ITS), meaning they have some ability to communicate with each other (Vehicle-to-Vehicle/V2V) or with the infrastructure around them (Vehicle-to-Infrastructure).\r\nBut, how many cars are actually driving (on German roads) with such features enabled? Are there already any infrastructure components deployed which communicate actively? What kind of messages are exchanged if any? Are there privacy issues? What is the potential for attacks?\r\nTo answer those questions, we dived into C-ITS standards implemented in Europe and how to use off-the-shelve components to research the protocols. In this talk, we will share our learnings about the protocols, explain how to build a setup for researching V2X for Europe, present our tooling we developed, and discuss what we discovered and what remains to be explored.\r\n\r\n## Agenda\r\n1. Motivation - Goals of V2X and History\r\n2. Introduction into C-ITS \r\n\t1. Competing Standards\r\n\t2. C-ITS Architecture\r\n\t\t1. Roles\r\n\t\t2. Packet Structure \r\n\t\t3. Types of Messages\r\n\t3. C-ITS Security & Privacy Considerations\r\n3. V2X Wardriving\r\n\t1. Hardware/Software Setup\r\n\t\t1. Hardware\r\n\t\t2. Software\r\n\t\t\t1. Available Open Source Software\r\n\t\t\t2. Custom C-ITS Stack with Scapy\r\n\t\t\t3. Analysis\r\n\t\t\t\t1. Map\r\n\t\t\t\t2. Possible Identification of Vehicle Models\r\n\t\t\t\t3. Other Observations\r\n4. What's Next: Security Testing of C-ITS\r\n\t1. Approaches for Protocol Fuzzing\r\n\t2. Limitations", "recording_license": "", "do_not_record": false, "persons": [{"code": "HLHUJC", "name": "Dieter Schuster", "avatar": null, "biography": "Dieter has worked for over 15 years in embedded security at Fraunhofer AISEC.  Over the last decade he\u2019s specialised in automotive security and vehicle penetration testing.", "public_name": "Dieter Schuster", "guid": "6943fda6-ccd8-554d-9def-deb715d3dce2", "url": "https://cfp.troopers.de/tr26-cfp/speaker/HLHUJC/"}, {"code": "U7HYY9", "name": "Nikolai Puch", "avatar": null, "biography": "Nikolai Puch is a research associate and penetration tester at Fraunhofer AISEC, as well as a PhD candidate at the Technical University of Munich, focusing on secure and usable solutions for tooling machines. As a penetration tester, he specializes in the various wireless interfaces of vehicles.", "public_name": "Nikolai Puch", "guid": "795b2cc8-b1c2-5992-858f-32ad19339cc3", "url": "https://cfp.troopers.de/tr26-cfp/speaker/U7HYY9/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/BYWYCQ/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/BYWYCQ/", "attachments": []}, {"guid": "5aa320dd-345c-56b0-9916-5f2ab7ca786e", "code": "GUKGL8", "id": 492, "logo": null, "date": "2026-06-25T15:15:00+02:00", "start": "15:15", "duration": "00:30", "room": "Track 1", "slug": "tr26-cfp-492-coffee-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/GUKGL8/", "title": "Coffee Break", "subtitle": "", "track": "Attack & Research", "type": "Special", "language": "en", "abstract": "Coffee Break", "description": "Coffee Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/GUKGL8/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/GUKGL8/", "attachments": []}, {"guid": "99e22961-8edc-513d-9e2b-da036f34d261", "code": "FB8PAJ", "id": 438, "logo": null, "date": "2026-06-25T15:45:00+02:00", "start": "15:45", "duration": "00:30", "room": "Track 1", "slug": "tr26-cfp-438-counteroffensive-ai-pwning-ai-pentesters", "url": "https://cfp.troopers.de/tr26-cfp/talk/FB8PAJ/", "title": "Counteroffensive AI: Pwning AI Pentesters", "subtitle": "", "track": "Attack & Research", "type": "Lightning Talk (20 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "AI-powered pentesting is the latest hype. Slap an LLM agent on top of well-known offensive\r\ntools built by humans in their free time, run it in YOLO mode, and call it autonomous security\r\ntesting. Valuations are going through the roof!\r\nHere is the thing though: these agents consume untrusted input from the very targets they are\r\ntesting by design.\r\n\r\nCurrent discourse around AI agent security focuses on prompt injection through direct\r\ninteraction. But what about the agent's environment itself? What happens when the attack\r\nsurface the agent is exploring has been prepared by an adversary? What if the authentication\r\nservice referenced in that one GitHub issue is actually a honeypot?\r\nIn this presentation we will demonstrate a complete attack framework against AI pentesting\r\nagents and release it as open source. We show how to inject tracking payloads at scale into any\r\nplatform with user-generated content, operate fake services that capture credentials from AI\r\nagents, and turn every future AI pentest engagement against a sprayed target into a passive\r\ncredential harvesting fest. No ongoing effort required, no exploits needed. The AI leaks to us,\r\nfully automated!\r\n\r\nThe attacker does not need to talk to the agent. They just leave breadcrumbs where the agent\r\nwill find them during reconnaissance. A hint about a backup authentication endpoint in a GitHub\r\nissue. A debug configuration in a support ticket. SSO metadata in a user profile bio. The agent\r\ndiscovers these reasons they are worth investigating, and acts on them with whatever\r\ncredentials and access it was given.\r\n\r\nSSO authentication is a particularly brutal example because determining if they are in-scope is\r\ndifficult: When logging in, anyone must follow OAuth/OIDC redirects to external domains to test\r\nauthenticated applications, and they need to be told how do distinguish a legitimate Identity\r\nProvider from a fake one we planted in user content.\r\n\r\nBut SSO is just one instance of the fundamental problem: the AI makes decisions based on\r\ncontent it should not trust, and no amount of prompt engineering changes unless you know in\r\nadvance what the target will look like. We want to shed some light on the complications that\r\narise when putting AI literally to the test!", "description": "1. The Promise vs. The Problem \r\nState of AI pentesting: what vendors claim, how agents actually work under the hood (LLM + tool\r\nchain + YOLO execution). Quick demo: AI agent solving a pentest challenge (GOAD cyberrange),\r\nfinds file with password hint, tries credentials everywhere. Who placed that file? Core observation:\r\nagents consume untrusted input from the target and make autonomous decisions. This is the attack\r\nsurface. Transition: forget prompt injection, what if the environment itself is hostile?\r\n\r\n2. The SSO Dilemma \r\nHow SSO works in 60 seconds: OAuth2/OIDC/SAML flow, redirects to external IdP, token\r\nexchange. Why AI agents MUST follow SSO redirects: cannot test authenticated apps otherwise,\r\nthis is table-stakes functionality. The catch-22: agents cannot distinguish legitimate IdPs from\r\nattacker-controlled ones discovered in user content. Walk through failed mitigations: IdP\r\nallowlisting (fails for custom/internal IdPs), redirect-origin checking (fails for undocumented\r\nservices), prompt engineering (agent still cannot verify domain legitimacy), human confirmation\r\n(defeats autonomy). Key insight: this is architectural. The feature is the vulnerability. No amount of\r\nguardrails fix this without removing the capability vendors are selling.\r\n\r\n3. Attack Framework: Architecture & Components \r\nHON-AI \u2014 The Fake Identity Provider: Full OAuth2/OIDC/SAML implementation that looks and\r\nresponds like real IdPs. Endpoint coverage: OIDC discovery, OAuth authorize/token/userinfo, Okta\r\nprimary auth + MFA verify, SAML metadata/SSO, ADFS, Azure AD-style. Credential capture:\r\nusernames, passwords, client secrets, MFA codes, bearer tokens, full request logging. Response\r\nstrategy: returns plausible errors (\"password expired\", \"MFA required\") to encourage agents to\r\nretry with different credentials or escalate. Domain generation: sso.target.com.attacker.net,\r\ntarget.okta.attacker.net, login.target.microsoftonline.attacker.net.\r\nUZI: The Mass Reference Injector: Automated injection of fake SSO references into user\r\ngenerated content: GitHub issues, forum posts, support tickets, user profile bios, wiki pages,\r\ncomments. Payload templates per IdP style: OIDC discovery URLs, Okta-style auth, Azure AD,\r\nAuth0, SAML metadata, ADFS. Canary ID system: unique tracking identifiers embedded in URL\r\npaths for per-target attribution. Social engineering templates that AI agents find compelling: IT\r\nhelpdesk notices, SSO migration announcements, disaster recovery documentation, staging\r\nenvironment references.\r\n\r\n4. Live Demonstration: Single Target Attack \r\nSet up: target web application with injected SSO references, HON-AI fake IdP running, AI\r\npentesting agent configured with test credentials. Show the injected payloads in context (forum\r\npost, support ticket, user profile). Launch AI pentest, observe agent discover SSO references\r\nduring reconnaissance. Agent reasons about the references, decides to test authentication. Real\r\ntime credential capture on HON-AI: user password, then client secret, then MFA code. Show the\r\ncaptured credentials, demonstrate they are real and usable. Discuss agent behavior: it tried\r\nmultiple credential types across multiple fake endpoints, exactly as designed.\r\n\r\n5. Mass Spray: Harvesting at Scale\r\nEconomics of the attack: spray 10,000 targets once, harvest credentials as AI pentests happen over\r\nmonths. Canary-tracked URL structure: path-embedded IDs map captured credentials back to\r\nspecific targets. UZI mass mode demonstration: generating and injecting payloads across many\r\ntargets. HON-AI collection dashboard: credentials arriving over time, attributed to targets via\r\ncanary IDs. The compounding problem: as AI pentest adoption grows, the value of pre-planted\r\ncanaries increases. Canary propagation: injected references can spread through document\r\nindexing, aggregation, and AI-generated summaries.\r\n\r\n6. Implications & The Hard Questions \r\nFor AI pentest vendors: your agents may leak credentials to anyone who plants fake IdP references,\r\nmalicious reverse DNS entries and other honeypot traps. This is not fixable with prompt\r\nengineering alone. Fully autonomous pentesting with SSO support needs security controls and\r\nguardrails beyond what is in place today. For enterprises using AI pentesting: use dedicated\r\npentest-only accounts, rotate credentials immediately after engagement, audit user-generated\r\ncontent for planted references. For red teamers and adversaries: this is a new passive collection\r\ncapability with minimal operational overhead. Broader implications for AI agents in adversarial\r\nenvironments: any agent that acts on discovered content in hostile environments faces the same\r\nclass of problem.\r\n\r\n7. Tool Release & Q&A \r\nOpen-source release of HON-AI, UZI, and the victim-app test harness. Repository URL,\r\ndocumentation, and usage guidance. Responsible disclosure timeline and vendor notification\r\nsummary.", "recording_license": "", "do_not_record": false, "persons": [{"code": "G8CKLU", "name": "Markus Vervier", "avatar": null, "biography": "Markus Vervier is CEO of Persistent Security and Director at X41 D-Sec GmbH, a specialized application security, penetration testing, and red/purple-teaming provider. Over the past 18 years he has worked as a security researcher, code auditor, and penetration tester. His work includes security analysis and reverse engineering of embedded firmware for mobile devices, discovering vulnerabilities in Signal Private Messenger (with JP Aumasson), and finding a remote vulnerability in libOTR. He is currently\r\nactive in the development of offensive security tooling and platforms that break AI security defenses.", "public_name": "Markus Vervier", "guid": "aef7bfc7-270f-5ff2-a597-8eb9b508aaca", "url": "https://cfp.troopers.de/tr26-cfp/speaker/G8CKLU/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/FB8PAJ/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/FB8PAJ/", "attachments": []}, {"guid": "6f9b51a9-d1a6-572b-b97c-b3762c8e7456", "code": "VQRXGH", "id": 465, "logo": null, "date": "2026-06-25T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Track 1", "slug": "tr26-cfp-465-taking-a-bite-at-apple-s-network-stack-reversing-proprietary-multi-device-protocols-with-logfuse", "url": "https://cfp.troopers.de/tr26-cfp/talk/VQRXGH/", "title": "Taking a Bite at Apple's Network Stack: Reversing Proprietary Multi-Device Protocols with logfuse", "subtitle": "", "track": "Attack & Research", "type": "Lightning Talk (20 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Apple's walled garden consists of various proprietary network protocols. One of them is Low-Latency WiFi (LLW), which enables real-time applications like Sidecar Display or Continuity Camera. This talk walks through how the internals of Low-Latency WiFi were reverse engineered. Alongside that, we publish logfuse, a toolkit combining log information from different devices into a single timeline.", "description": "Reverse engineering proprietary network protocols means dealing with information scattered across log files, kernel traces, and network captures, often generated across multiple devices. Correlating events in these sources has been cumbersome and manual work, although their dependencies often make protocol analysis more conclusive.\r\n\r\nThis talk presents the reverse engineering process of Low-Latency WiFi (LLW), Apple's proprietary link-layer protocol for real-time applications such as Sidecar Display and Continuity Camera, which has remained undocumented in prior reverse engineering of Apple's ecosystem. We walk through how correlating kernel traces, network captures, and system logs across iOS and macOS devices revealed LLW's internals. Alongside this, we publish logfuse, an open-source toolkit that made LLW's internals accessible by aggregating heterogeneous traces from iOS and macOS into a single clock-aligned timeline.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ADVJHS", "name": "Henri J\u00e4ger", "avatar": null, "biography": "Henri is working as a Research Assistant at Hasso Plattner Institute at the Mobile and Wireless Security chair of Jiska Classen. His research focuses on wireless technologies in Apple\u2019s walled garden.", "public_name": "Henri J\u00e4ger", "guid": "74c3d8d6-4d5d-550a-9fec-7895e1276bb2", "url": "https://cfp.troopers.de/tr26-cfp/speaker/ADVJHS/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/VQRXGH/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/VQRXGH/", "attachments": []}, {"guid": "a662daa2-8b0b-56f5-922d-8c9d9c93297e", "code": "FXFPSH", "id": 506, "logo": null, "date": "2026-06-25T17:00:00+02:00", "start": "17:00", "duration": "01:00", "room": "Track 1", "slug": "tr26-cfp-506-closing", "url": "https://cfp.troopers.de/tr26-cfp/talk/FXFPSH/", "title": "Closing", "subtitle": "", "track": "Attack & Research", "type": "Special", "language": "en", "abstract": "<!-- -->", "description": "<!-- -->", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/FXFPSH/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/FXFPSH/", "attachments": []}], "Track 2": [{"guid": "1a5f210b-e97a-55e9-ac3a-11abc686f839", "code": "PQJWB7", "id": 405, "logo": null, "date": "2026-06-25T10:00:00+02:00", "start": "10:00", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-405-i-minyourcloudv4final-pdf-hacking-everyone-s-cloud", "url": "https://cfp.troopers.de/tr26-cfp/talk/PQJWB7/", "title": "I'm_in_your_cloud_v4_FINAL.pdf - hacking everyone's cloud", "subtitle": "", "track": null, "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "In 2019 I gave my first public conference talk here at TROOPERS, titled \"I'm in your cloud\", covering hybrid Active Directory and Azure AD environments. Little did I know that this would be the start of a much bigger research project that covered many more aspects of Azure AD, or Entra ID as it is called these days. Eventually this analysis of hybrid AD/Entra ID led to the discovery of Actor Tokens, and with that the only CVSS 10.0 CVE ever issued for the identity system of a major cloud provider.\r\n\r\nIn this talk I will go through the history of hybrid AD/Entra ID vulnerabilities that were there since my first talk at TROOPERS and how this led to the discovery of this critical flaw. Of course we will also cover the technicalities and how the \"I'm in your cloud\" series concluded with being able to take over everyone's (Microsoft) cloud.", "description": "<!-- -->", "recording_license": "", "do_not_record": false, "persons": [{"code": "JLC3NX", "name": "Dirk-jan Mollema", "avatar": null, "biography": "Dirk-jan Mollema is a security researcher focusing on Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at DEF CON, Black Hat, TROOPERS, BlueHat and many other conferences, is a current Microsoft MVP and has been awarded as one of Microsoft\u2019s Most Valuable Researchers multiple times.", "public_name": "Dirk-jan Mollema", "guid": "57daa98d-9158-5822-811e-9ccdd074bf0c", "url": "https://cfp.troopers.de/tr26-cfp/speaker/JLC3NX/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/PQJWB7/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/PQJWB7/", "attachments": []}, {"guid": "66f191d6-1e85-55e0-bf10-78fe06c6ec1f", "code": "FPKKRA", "id": 350, "logo": null, "date": "2026-06-25T11:00:00+02:00", "start": "11:00", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-350-kds-root-keys-all-secrets-finally-revealed", "url": "https://cfp.troopers.de/tr26-cfp/talk/FPKKRA/", "title": "KDS Root Keys: All Secrets Finally Revealed", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Key Distribution Service (KDS) Root Keys have been an integral part of Active Directory since Windows Server 2012. These cryptographic seeds are predominantly used to generate passwords of managed service accounts (gMSA and dMSA) but are also utilized by DPAPI-NG (also known as CNG DPAPI) to encrypt sensitive information using SID Protectors. Although researchers have previously published PoC implementations of the cryptographic algorithms used with KDS Root Keys, many scenarios have not yet been covered by research and tooling.\r\n\r\nIn this session, we will demonstrate online and offline attacks against virtually ALL use cases of KDS Root Keys, including:\r\n\r\n- Decryption of volumes with BitLocker SID Protector enabled.\r\n- Exporting RSA private keys from group-protected PFX files.\r\n- Extracting DNSSEC signing keys (ZSK and KSK) from Active Directory.\r\n- Revealing ASP.NET Core encrypted database connection strings.\r\n- Bulk export of LAPS and DSRM passwords from ntds.dit, LDAP, or DCSync.\r\n- Generating gMSA and dMSA passwords (Golden *MSA Attack)\r\n\r\nWe will also be presenting a newly discovered universal way of attacking DPAPI-NG in Windows,\r\nwhich allows us to decrypt any secrets encrypted using the SID protector, without requiring to develop application-specific decryptors.", "description": "After an Active Directory domain is fully compromised, malicious actors can steal KDS Root Keys using LDAP, DCSync, or ntds.dit. These keys can then be abused to unlock secrets that often go beyond the boundaries of AD.\r\nThe session will include demos of BitLocker SID protector exploitation, group\u2011protected PFX/RSA key export, DNSSEC ZSK/KSK extraction, ASP.NET Core database connection string recovery, bulk LAPS/DSRM password export, and gMSA/dMSA password generation. Although some of variations on these attacks are already known, there will definitely be a twist to it.", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZPYYRD", "name": "Michael Grafnetter", "avatar": null, "biography": "Michael is a Microsoft MVP and expert on Windows security and PowerShell. He is best known for inventing the Shadow Credentials attack primitive and creating the Directory Services Internals (DSInternals) PowerShell module.\r\nMichael enjoys sharing his knowledge during Active Directory security assessments, workshops, and tech talks. He presented his security research at many international conferences, including Black Hat, BSides, HipConf, or SecTor, and TROOPERS.", "public_name": "Michael Grafnetter", "guid": "b1adbf1b-3277-51fc-a105-690032d8effc", "url": "https://cfp.troopers.de/tr26-cfp/speaker/ZPYYRD/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/FPKKRA/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/FPKKRA/", "attachments": []}, {"guid": "3d7e9b45-3d59-55ec-96d0-3e17d84a3e67", "code": "HZHMKC", "id": 504, "logo": null, "date": "2026-06-25T12:00:00+02:00", "start": "12:00", "duration": "01:15", "room": "Track 2", "slug": "tr26-cfp-504-lunch-break-charity-auction", "url": "https://cfp.troopers.de/tr26-cfp/talk/HZHMKC/", "title": "Lunch Break + Charity Auction", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Special", "language": "en", "abstract": "Lunch Break", "description": "Lunch Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/HZHMKC/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/HZHMKC/", "attachments": []}, {"guid": "71d12a44-fc68-527c-a022-06d3a7ccaf1f", "code": "3RETQ9", "id": 444, "logo": null, "date": "2026-06-25T13:15:00+02:00", "start": "13:15", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-444-popping-microsoft-s-sandbox-what-falls-out-of-a-dataverse-container", "url": "https://cfp.troopers.de/tr26-cfp/talk/3RETQ9/", "title": "Popping Microsoft's Sandbox: What Falls Out of a Dataverse Container", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Microsoft Dataverse lets you deploy custom .NET plugins that run server-side in process-isolated Windows Server containers. We deployed one. Within minutes we had SYSTEM on the box, a full LSASS dump, NTLM hashes, DPAPI master keys, a production TLS private key for Microsoft's sandbox infrastructure, internal Microsoft tenant IDs, 52 other customers' organization GUIDs, and 46 proprietary Microsoft DLLs that were never meant to leave that container.\r\n\r\nBy decompiling those DLLs (nearly 14,000 C# source files), we reverse-engineered the gRPC protocol that the sandbox uses internally, discovered every method is unauthenticated, and built custom tooling to call them. That path eventually led us to explore cross-tenant code execution, though we'll be honest about what we could and couldn't prove there.\r\n\r\nThis talk is about what you can pull out of a cloud sandbox when the defaults are too permissive, and how a pile of exfiltrated DLLs turned into a much bigger problem than anyone expected.", "description": "1. The Plugin (5 min)\r\n  \u2022\tQuick primer on Dataverse Custom API plugins and how deployment works over the OData REST API.\r\n  \u2022\tOur EchoPlugin: a .NET assembly that runs commands via cmd.exe and returns output through the Dataverse API. Built and deployed using only documented platform features.\r\n  \u2022\tThe deployment tooling we wrote (MSAL device-code auth, strong name signing, automated registration). We plan to release this.\r\n  \u2022\tNo exploits involved. This is a standard Dataverse feature. You just need a license.\r\n\r\n2. SYSTEM in One Command (5 min)\r\n  \u2022\tWe land as ContainerAdministrator on Windows Server 2022 (Build 20348) with SeDebugPrivilege and SeImpersonatePrivilege.\r\n  \u2022\tSYSTEM via sc create with obj=LocalSystem. One command.\r\n  \u2022\tThis sets the stage for everything that follows. We now have full access to the container's memory, filesystem, and registry.\r\n\r\n3. What We Pulled Out (15 min)\r\n  \u2022\tThis is the core of the talk. Once you have SYSTEM on one of these containers, the amount of sensitive material you can grab is alarming.\r\n  \u2022\tLSASS dump via ProcDump, which Microsoft helpfully left in the container. From that: the local Administrator NTLM hash, 28 DPAPI master keys, the boot key, LSA secrets, cached credential decryption keys.\r\n  \u2022\tRegistry hive export (SAM, SECURITY, SYSTEM). Exfiltrated via certutil base64 encoding through the API.\r\n  \u2022\tFull SandboxWorker process memory dump (349 MB). Inside we found: a production RSA 2048-bit TLS private key for wus107.prd.sbx.dynamics.com (confirmed matching via OpenSSL), 52 co-located customer organization GUIDs, 4 internal Microsoft tenant IDs, cluster names and internal endpoint URIs.\r\n  \u2022\tEnvironment variables from the worker process: auth nonces, Azure app and tenant IDs, sidecar host addresses, internal service configuration.\r\n  \u2022\t46 proprietary Microsoft DLLs totaling 30 MB. These include the identity model libraries (Microsoft.IdentityModel.S2S and friends), the SidecarContract library with full gRPC protobuf definitions, the SandboxWorker binary itself, and various CRM runtime components. We decompiled all of them: 13,889 C# source files.\r\n  \u2022\t400 MB+ exfiltrated to our own Azure Blob Storage. Azure-to-Azure, same region, took seconds. No DLP, no alerts.\r\n\r\n\r\n4. From DLLs to gRPC (10 min)\r\n  \u2022\tThe SidecarContract DLLs contained the full protobuf definitions for the gRPC protocol between SandboxWorker and a host-side sidecar process. This was the key find in the DLL haul.\r\n  \u2022\tWe built custom Go gRPC clients using those definitions to call every sidecar method. There are 20+ across 3 services. None of them require authentication.\r\n  \u2022\tRead methods: GetEnvironmentVariables (worker nonces, internal tenant IDs), GetWorkerAssignedMetadata (co-located org GUIDs), GetOpenIdSigningKeys (full JWKS with 5 RSA keys and cert chains), GetClusterEnvironmentSettings, GetServiceParameters.\r\n  \u2022\tWrite methods: ReportWorkerBusy (DoS for all tenants on the container), SendCrashEvent (inject fake telemetry), SetNamingServiceProperty (modify Service Fabric naming), ProcessPortProxyRequest (create network routes to arbitrary IPs, including 169.254.169.254).\r\n  \u2022\tWe produced an OpenAPI spec documenting 27 methods across 3 services. We'll walk through the interesting ones live.\r\n\r\n5. Cross-Tenant Execution (7 min)\r\n  \u2022\tThe unauthenticated sidecar, combined with org identity stored in patchable process memory, opens a path to cross-tenant code execution: steal the worker nonce, patch the org GUID in memory, send a crafted Execute request with a target org ID and your own .NET assembly.\r\n  \u2022\tWe got context.OrganizationId to return another customer's GUID. On one container we intercepted their SDK callbacks (RetrieveMultiple for systemuser, businessunit, solution tables).\r\n  \u2022\tTo be upfront: we proved the execution context switches, but we did not achieve full data exfiltration from a victim tenant. The bidirectional callback protocol needs more work. So this is real, and it's scary, but we're not going to oversell it.\r\n\r\n6. What Held and What Didn't (3 min)\r\n  \u2022\tCredit where it's due. Microsoft blocked IMDS, filtered cross-container networking, stubbed device IOCTLs, sandboxed driver loading (returns success but never executes), no host filesystem, no Docker socket.\r\n  \u2022\tWhat failed: no auth on the sidecar, no network isolation between plugin code and infrastructure services, privileged container defaults, wide-open outbound internet, ProcDump sitting in the container, org identity in patchable memory.\r\n\r\n7. Takeaways (5 min)\r\n  \u2022\tWhat this means if you're running Dataverse plugins or Power Platform in your environment.\r\n  \u2022\tThe pattern here (over-privileged sandbox, unauthenticated internal services, identity in patchable memory) is not unique to Dataverse. How to audit for it in other multi-tenant platforms.\r\n  \u2022\tDisclosure timeline and Microsoft's response.", "recording_license": "", "do_not_record": false, "persons": [{"code": "E7PMY8", "name": "Simon Maxwell-Stewart", "avatar": null, "biography": "Simon is a Staff Security Researcher at BeyondTrust's Phantom Labs. Before getting into security he spent over a decade doing data science and machine learning, with a physics degree from Oxford and production ML work in healthcare. These days he's the resident graph nerd on the Phantom Labs team, applying graph analysis to identity security problems in Microsoft cloud environments. His recent research focuses on Entra ID attack paths and Azure infrastructure security.", "public_name": "Simon Maxwell-Stewart", "guid": "d9219936-4b90-5587-8847-f2a8df27aa03", "url": "https://cfp.troopers.de/tr26-cfp/speaker/E7PMY8/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/3RETQ9/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/3RETQ9/", "attachments": []}, {"guid": "c41068b4-bb68-56f7-be81-89c16cffab4f", "code": "YFRZ9U", "id": 348, "logo": null, "date": "2026-06-25T14:15:00+02:00", "start": "14:15", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-348-jingle-thief-cloud-identity-tradecraft-in-microsoft-365-and-entra-id", "url": "https://cfp.troopers.de/tr26-cfp/talk/YFRZ9U/", "title": "Jingle Thief: Cloud Identity Tradecraft in Microsoft 365 and Entra ID", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Jingle Thief is a financially motivated campaign that operated almost entirely within Microsoft 365 tenants. After credential theft via phishing and smishing, the threat actors conducted cloud reconnaissance across SharePoint and OneDrive, expanded compromise through internal phishing, manipulated mailbox rules, and established persistence via device registration and authentication method changes in Entra ID.\r\n\r\nThis session analyzes Jingle Thief as a cloud identity intrusion model rather than a traditional fraud case study. We will examine how native Microsoft 365 and Entra ID functionality was abused to scale compromise, sustain long-term access, and evade detection. The talk concludes with practical detection and monitoring considerations across Exchange Online, SharePoint, OneDrive, and Entra ID telemetry.", "description": "The Jingle Thief campaign represents a modern evolution in financially motivated threat activity: a cloud-first intrusion model operating almost exclusively within Microsoft 365 and Entra ID.\r\n\r\nInitial access was achieved through phishing and smishing campaigns targeting Microsoft 365 credentials. Once inside a tenant, the actors immediately shifted to cloud-based reconnaissance, mining SharePoint and OneDrive for internal documentation related to gift card issuance processes and operational workflows.\r\n\r\nUsing compromised internal accounts, the actors conducted additional phishing to expand access across the organization. Mailbox rules and forwarding settings were configured to maintain operational awareness, while phishing artifacts were moved to Deleted Items to reduce visibility.\r\n\r\nPersistence was established through device registration within the tenant and modification of authentication methods in Entra ID, enabling sustained access even as credentials were reset. In one observed case, the intrusion persisted for approximately ten months and involved more than sixty compromised accounts.\r\n\r\nThis talk focuses on the identity-layer mechanics of the campaign and examines:\r\n\t\u2022\tThe Microsoft 365 and Entra ID attack lifecycle observed in victim tenants\r\n\t\u2022\tAbuse of collaboration platforms for reconnaissance and operational scaling\r\n\t\u2022\tMailbox rule manipulation and internal phishing tradecraft\r\n\t\u2022\tDevice registration and authentication method modification as persistence mechanisms\r\n\t\u2022\tInvestigation challenges unique to cloud-only intrusions\r\n\t\u2022\tDetection and monitoring considerations across Exchange Online, SharePoint, OneDrive, and Entra ID logs\r\n\r\nRather than presenting a traditional fraud narrative, this session reframes Jingle Thief as a cloud identity tradecraft model and discusses what defenders must instrument and monitor to detect similar activity.", "recording_license": "", "do_not_record": false, "persons": [{"code": "Q7NYZE", "name": "Stav Setty", "avatar": null, "biography": "Stav Setty is a Principal Security Researcher on the ITDR team at Palo Alto Networks. Her work focuses on identity-centric intrusion analysis across cloud and enterprise environments and translating real-world tradecraft into actionable detection guidance", "public_name": "Stav Setty", "guid": "a9be3954-df31-5da4-9219-be981b39d62f", "url": "https://cfp.troopers.de/tr26-cfp/speaker/Q7NYZE/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/YFRZ9U/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/YFRZ9U/", "attachments": []}, {"guid": "b27ca2d2-e2e1-5c4f-89d2-3a2d0c738f13", "code": "YNWFTG", "id": 497, "logo": null, "date": "2026-06-25T15:15:00+02:00", "start": "15:15", "duration": "00:30", "room": "Track 2", "slug": "tr26-cfp-497-coffee-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/YNWFTG/", "title": "Coffee Break", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Special", "language": "en", "abstract": "Coffee Break", "description": "Coffee Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/YNWFTG/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/YNWFTG/", "attachments": []}, {"guid": "31b1d19d-6c20-5c7f-a0ef-a3190c4acc46", "code": "N8JZBT", "id": 387, "logo": null, "date": "2026-06-25T15:45:00+02:00", "start": "15:45", "duration": "01:00", "room": "Track 2", "slug": "tr26-cfp-387-modern-adventures-in-azure-privilege-escalation", "url": "https://cfp.troopers.de/tr26-cfp/talk/N8JZBT/", "title": "Modern Adventures in Azure Privilege Escalation", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "The increase in hybrid cloud adoption over the last decade has extended traditional Active Directory domain environments into the Azure (and Entra ID) cloud. During that time, penetration tests and red team assessments have also been bringing Azure tenants into engagement scopes. Less experienced testers are often finding themselves with an initial foothold in Azure, but lacking in experience on what an escalation path would look like. This talk will cover all the steps along the way from initial access through persistence. \r\nAttendees should walk away with some new techniques, along with a handful of potential escalation paths for furthering access in an Azure tenant. In addition to this, we will cover some techniques for maintaining privileged access after an initial escalation. Finally, we will be introducing a new resource for identifying attack paths for specific Azure services.", "description": "Starting off with some basics, attendees will get a brief lesson on the fundamental concepts that support Azure tenants. Building on that foundation, we will explain what privilege escalation looks like in Azure, as compared to a traditional on-prem environment. Often in the cloud, there can be a blending of concepts that result in escalation, lateral movement, and persistence. With all of these in mind, we will then go over the escalation and lateral movement options for multiple Azure resource types. These will be focused on the permissions a user may have available, and how those permissions can be abused. We will also cover escalations from the Entra ID side and explain why that's fundamentally different from the Azure resource level escalations. Finally, we will wrap things up with a few persistence concepts in Azure and provide some resources to help with escalations.", "recording_license": "", "do_not_record": false, "persons": [{"code": "H7ZLD8", "name": "Karl Fosaaen", "avatar": null, "biography": "As a VP of Research, Karl is part of a team developing new services and product offerings at NetSPI. Karl previously oversaw the Cloud Penetration Testing service lines at NetSPI and is one of the founding members of NetSPI's Portland, OR team. Karl has a Bachelors of Computer Science from the University of Minnesota and has been in the security consulting industry for over 15 years. Karl spends most of his research time focusing on Azure security and contributing to the NetSPI blog. As part of this research, Karl created the MicroBurst toolkit to house many of the PowerShell tools that he uses for testing Azure. In 2021, Karl co-authored the book \"Penetration Testing Azure for Ethical Hackers\" with David Okeyode.", "public_name": "Karl Fosaaen", "guid": "099ef942-94fd-5bc9-8b1c-51cd3b49be85", "url": "https://cfp.troopers.de/tr26-cfp/speaker/H7ZLD8/"}, {"code": "RAATFU", "name": "Thomas Elling", "avatar": null, "biography": "Thomas Elling is the Director of Azure/Entra ID Cloud Pentesting and a security researcher at NetSPI. He specializes in web application and cloud security testing. He has advised multiple Fortune 500 companies in the technology sector. In his spare time, Thomas enjoys improving his coding skills, watching bad action movies, and hanging out with his dog, Chunks.", "public_name": "Thomas Elling", "guid": "161974fe-f3ef-5afc-9374-b779a81ef45e", "url": "https://cfp.troopers.de/tr26-cfp/speaker/RAATFU/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/N8JZBT/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/N8JZBT/", "attachments": []}], "Track 3": [{"guid": "11876f24-950d-5932-b016-e72751aa821e", "code": "FZ7LBK", "id": 428, "logo": null, "date": "2026-06-25T10:00:00+02:00", "start": "10:00", "duration": "01:00", "room": "Track 3", "slug": "tr26-cfp-428-unshelling-vshell-at-scale", "url": "https://cfp.troopers.de/tr26-cfp/talk/FZ7LBK/", "title": "Unshelling VShell at Scale", "subtitle": "", "track": "Defense & Management", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "VShell is a backdoor written in Golang that is shared across multiple threat actors. It is used widely by intrusion groups, particularly China-nexus actors such as UNC5174. We carried out an in-depth investigation of VShell C2 servers and found that a broad range of information can be obtained from them at scale. For example, by sending a specific magic packet to a VShell C2 server, it is possible to retrieve the raw stageless binary in unobfuscated form. This stageless binary contains hard-coded config data, including the \"vkey\". We performed an internet-wide scan for publicly exposed VShell C2 servers, collected stageless binaries, analysed their config data, and explored clustering and attribution.\r\n\r\nIn this presentation, we first explain what kind of malware VShell is, including its relationship with SNOWLIGHT, and present the results of our detailed malware analysis together with representative cases of abuse. We then describe the structure of the VShell C2 server and show how it communicates with VShell. We also share the contents of the magic packet used to obtain the stageless binary, the results of our detailed analysis of the binary itself, the configuration data embedded in it, and the findings from our analysis of the large volume of config data we collected. In addition, we present deeper analytical results based on information obtained from C2 servers that were operated with default settings. Finally, we propose detection logic for network and endpoint security products to help defend against compromises involving VShell. This logic reflects the detailed internal behaviour of VShell C2 infrastructure revealed by our research.\r\n\r\nThrough this talk, attendees will gain a detailed understanding of VShell\u2019s capabilities and the characteristics of its C2 servers. They will also learn a research method for uncovering new information useful for attribution. In addition, these findings can be applied directly to defensive practice, including the development of more effective detection logic.", "description": "At the start of the talk, we outline what kind of malware VShell is. VShell is a backdoor written in Golang. It was at one point publicly available on GitHub, which helped it become a shared tool used by a wide range of attackers. It is particularly favoured by China-nexus threat groups. We also briefly introduce the groups known to use VShell and present representative examples of their attack workflows. In particular, we focus on recent cases involving UNC5174 and UNC6586.\r\n\r\nWe then examine the VShell C2 server. We obtained the VShell builder and C2 server binaries and conducted a detailed analysis. Using concrete examples from our data, we explain how VShell payloads are generated by the builder and how they communicate with the C2 server. This gives the audience an accurate view of how VShell operates.\r\n\r\nOur investigation of VShell C2 servers also revealed previously unknown findings. For example, when a specific magic packet is sent to a VShell C2 server, it is possible to retrieve a stageless VShell binary. This stageless binary contains config data, including the \"vkey\", and that data is not obfuscated, making it straightforward to extract. We used this behaviour to scan the internet at scale, identify VShell C2 servers, retrieve stageless binaries from them, and extract a large volume of config data. Based on the collected config data, we performed clustering and attribution analysis of threat actors using VShell, and we present the results. Some of the stageless binaries we collected had characteristics that differed from the commonly available VShell. We will also show these differences.\r\n\r\nIn addition, C2 servers running with default settings can expose even more information. This includes data on victim hosts connected to the server. We analysed these data and carried out further in-depth research. We also present the results of that analysis.\r\n\r\nFinally, we discuss defensive measures for protecting organisations against VShell-related attacks. Based on our detailed analysis of these C2 servers, we developed improved detection logic that goes beyond what has previously been available. We present detection logic designed for both network security products and endpoint security products.\r\n\r\nThrough this talk, the audience will gain a detailed understanding of VShell's capabilities and the characteristics of its C2 servers. They will also learn research methods for uncovering new information that supports attribution. In addition, they will see how these research findings can be applied in practice, including the development of more effective detection logic and other concrete defensive measures.", "recording_license": "", "do_not_record": false, "persons": [{"code": "GKRYPE", "name": "Kazuya Nomura", "avatar": null, "biography": "Kazuya Nomura is a security analyst at NTT Security (Japan) KK. Currently, his main duty is responding to IDS/IPS/EDR log detection and threat research. He also interested in malware analysis and data visualization. He posted articles about both in NTT Security. He has spoken at CODE BLUE, JSAC, HITCON and AVAR in the past.", "public_name": "Kazuya Nomura", "guid": "552d7bd6-8605-5b10-a73e-07ef8edc6a67", "url": "https://cfp.troopers.de/tr26-cfp/speaker/GKRYPE/"}, {"code": "JZJCPZ", "name": "Rintaro Koike", "avatar": null, "biography": "Rintaro Koike is a security researcher at NTT Security (Japan) KK. He is engaged in threat research and malware analysis. In addition, he is the founder of \"nao_sec\" and is in charge of threat research. He focuses on APT attacks targeting East Asia and web-based attacks. He has given over 30 presentations at over 10 international conferences, such as VB, Botconf, FIRST, AVAR and others.", "public_name": "Rintaro Koike", "guid": "2237e910-72aa-56a6-a7f8-0a47f52a414b", "url": "https://cfp.troopers.de/tr26-cfp/speaker/JZJCPZ/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/FZ7LBK/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/FZ7LBK/", "attachments": []}, {"guid": "46dbef58-390d-50f6-9878-6f48ad473657", "code": "UR9JPA", "id": 291, "logo": null, "date": "2026-06-25T11:00:00+02:00", "start": "11:00", "duration": "01:00", "room": "Track 3", "slug": "tr26-cfp-291-living-off-the-pipeline-defensive-research-weaponized", "url": "https://cfp.troopers.de/tr26-cfp/talk/UR9JPA/", "title": "Living Off The Pipeline: Defensive Research, Weaponized", "subtitle": "", "track": "Attack & Research", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "We created \"Living Off The Pipeline\" (LOLBAS for CI/CD) and a 0-day vuln scanner, then we saw Threat Actors on BreachForums were paying attention. Enter the \"Metasploit for CI/CD.\" In this live kill-chain, we exploit \"pwn requests\" to pivot from a public GitHub repo to private repos. We show how anonymous users gain \"insider\" privileges to exfiltrate secrets, poison releases, and escalate to Cloud Admin.", "description": "For years, our research team wrote the defensive manuals. We built the \"Living Off The Pipeline\" (LOTP) inventory and released `poutine` (our open-source vulnerability scanner) to help defenders find the holes. But we have bad news: Threat Actors were taking notes.\r\nIn early 2025, we found the \"smoking gun\" on BreachForums: a full attack plan for a 0-day compromise giving a direct shout-out to our defensive research as the source. Our work had become their offensive playbook.\r\n\r\nIn this talk, we stop playing defense. We introduce **SmokedMeat**, the \"Metasploit for CI/CD.\"\r\n\r\nOur research shows that 2025's Build Pipelines look like the average 2005 PHP Web App in terms of secure coding, wide open to \"pwn requests\" and command injections. SmokedMeat is the first Open Source Red Team framework designed to commoditize these compromises, demonstrating exactly what happens when a Threat Actor turns your infrastructure against you.\r\n\r\nWe will demonstrate a full exploitation chain:\r\n\r\n1. **Reconnaissance:** Pivoting from unprivileged anonymous access on public repositories using `poutine` to find the weak spots.\r\n2. **Exploitation:** Stealing private repository secrets and intellectual property via automated \"pwn requests\".\r\n3. **Persistence:** The \"gone in 60 seconds\" jump from an ephemeral workflow runner directly to permanent Cloud Admin, implanting backdoors on build infrastructure.\r\n\r\nThe era of simple \"awareness\" is over. This talk demonstrates why your current CI/CD security strategy is already obsolete.", "recording_license": "", "do_not_record": false, "persons": [{"code": "88GEUK", "name": "Fran\u00e7ois Proulx", "avatar": null, "biography": "Fran\u00e7ois Proulx is the VP of Security Research at BoostSecurity.io and the co-creator of the `poutine` Open Source CI/CD scanner. He co-founded the \"Living Off The Pipeline\" (LOTP) project to describe the abuse of build tools for lateral movement. After spending years teaching defenders how to secure their workflows, he is now demonstrating how attackers are dismantling them.", "public_name": "Fran\u00e7ois Proulx", "guid": "7b526d11-0cc1-5aa6-83fc-5d0107b67517", "url": "https://cfp.troopers.de/tr26-cfp/speaker/88GEUK/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/UR9JPA/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/UR9JPA/", "attachments": []}, {"guid": "30e8028b-a2cb-5efa-a92d-97d27154f552", "code": "9SH8LT", "id": 501, "logo": null, "date": "2026-06-25T12:00:00+02:00", "start": "12:00", "duration": "01:15", "room": "Track 3", "slug": "tr26-cfp-501-lunch-break-charity-auction", "url": "https://cfp.troopers.de/tr26-cfp/talk/9SH8LT/", "title": "Lunch Break + Charity Auction", "subtitle": "", "track": "Defense & Management", "type": "Special", "language": "en", "abstract": "Lunch Break", "description": "Lunch Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/9SH8LT/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/9SH8LT/", "attachments": []}, {"guid": "2f70e027-440c-51fb-938d-cbc9617c0e98", "code": "TPGLJU", "id": 447, "logo": null, "date": "2026-06-25T13:15:00+02:00", "start": "13:15", "duration": "01:00", "room": "Track 3", "slug": "tr26-cfp-447-from-code-to-coverage-a-detection-engineer-s-journey-through-the-ldap-wilderness", "url": "https://cfp.troopers.de/tr26-cfp/talk/TPGLJU/", "title": "From Code to Coverage: A Detection Engineer's Journey Through the LDAP Wilderness", "subtitle": "", "track": "Defense & Management", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Active Directory reconnaissance tools like BloodHound, Impacket, and SOAPHound are the attacker's first move in enterprise compromises, yet detecting their LDAP queries remains one of the hardest problems in security operations. This talk chronicles a six month journey from writing my first broken Sigma rule to building a complete, evasion resistant LDAP detection stack.\r\n\r\nYou'll learn why traditional signature based detection fails spectacularly, how to think like both an attacker and a parser, and how mathematical approaches can outsmart evasion techniques. We'll cover OID transformations that break your rules, whitespace variations that mock your regex, hidden LDAP parameters that bypass your detections, and ultimately, statistical methods that make evasion mathematically impossible.\r\n\r\nThis isn't theory. Every technique is battle tested in production environments with working Sigma rules, real attack logs, and actual false positive rates. Leave with detection rules and techniques you can deploy Monday morning.", "description": "BloodHound, Impacket, SOAPHound. Every red teamer's starting point, every blue teamer's blind spot. LDAP reconnaissance is how attackers learn your environment before you know they're there, and most detections for it are embarrassingly easy to bypass.\r\nThis talk started as a failure. A Sigma rule that looked right, passed review, and caught nothing in production. Six months later, it turned into a complete LDAP detection stack that's caught tools the vendor community hadn't even documented yet.\r\nWe'll get into the specific mechanics of why detections break. OID transformations that silently invalidate your rules, whitespace variations that make regex useless, SDFlags queries that walk straight past ACL monitoring. Then we'll flip the problem. Instead of chasing attacker syntax, we'll use Event 1644's performance fields to detect enumeration behavior statistically, something no amount of query obfuscation can hide. We'll also cover ADWS correlation for catching PowerShell-based recon that never touches LDAP at all.\r\nEverything here is running in production. You'll get real false positive rates, real tuning decisions, and Sigma rules and detection techniques you can actually use.", "recording_license": "", "do_not_record": false, "persons": [{"code": "8PMVYT", "name": "Andrew S.", "avatar": null, "biography": "Andrew Schwartz is a Principal Detection Engineer at Huntress. Energetic and driven, Andrew brings strong technical knowledge and experience in defensive and offensive security, vulnerability management, and the development of transformational strategies that help organizations enhance their security postures to detect and stop adversaries before they succeed.\r\nAndrew has published extensively on Active Directory security, with a particular focus on Kerberos and DACL based attack detection. He is the co-author of the Kerberos Diamond Ticket attack.\r\n\r\nWhen Andrew's not building detections or researching new attack techniques, Andrew enjoys chess, cheering on Tottenham Hotspur, and crafting the perfect old fashioned or boulevardier.", "public_name": "Andrew S.", "guid": "c6fd383c-0c94-560f-8323-e419d400caa3", "url": "https://cfp.troopers.de/tr26-cfp/speaker/8PMVYT/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/TPGLJU/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/TPGLJU/", "attachments": []}, {"guid": "8a5ebb02-ff53-5e54-a4a3-c7977abdfd1c", "code": "BGTTKQ", "id": 427, "logo": null, "date": "2026-06-25T14:15:00+02:00", "start": "14:15", "duration": "01:00", "room": "Track 3", "slug": "tr26-cfp-427-delete-is-easy-recovery-is-not-the-reality-of-entra-id-backup-restore", "url": "https://cfp.troopers.de/tr26-cfp/talk/BGTTKQ/", "title": "Delete Is Easy \u2013 Recovery Is Not: The Reality of Entra ID Backup & Restore", "subtitle": "", "track": "Active Directory & Entra ID Security", "type": "Talk (50 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Backup and restore have always been fundamental principles of IT, yet in Microsoft Entra ID they are often misunderstood, underestimated, or simply ignored.\r\n\r\nWhat happens when a Conditional Access policy is modified and you suddenly need last week\u2019s configuration?\r\nWhat can actually be restored in Entra ID and what is permanently lost?\r\n\r\nIn this session, we dive into deletion and recovery behavior across different Entra resource types, from identities and groups to Conditional Access policies and tenant-wide configurations. We separate myths from reality and clarify where restoration is technically possible and where it simply isn\u2019t.\r\n\r\nA key focus is on recent changes and new capabilities in Entra ID, including improvements around deletion and recovery as well as the Unified Tenant Configuration Management (UTCM) capability introduced in early 2026. We explore how UTCM enables administrators to track, compare, and safeguard tenant-wide configurations shifting the approach from reactive recovery to proactive control.\r\n\r\nThe goal is simple: to replace assumptions with facts and help you build a realistic protection strategy for your Entra ID environment without relying solely on third-party backup solutions.", "description": "This session is aimed at identity and security professionals working with Microsoft Entra ID who want to understand the real limitations of backup and recovery in cloud identity environments.\r\n\r\nAttendees will gain a clear understanding of how deletion and recovery behave across different Entra resource types, including users, groups, Conditional Access policies, and tenant-wide configurations. The session highlights where recovery is possible, where it is limited, and where it is not available at all.\r\n\r\nIn addition, we explore recent platform changes and new capabilities such as Unified Tenant Configuration Management (UTCM), and how these features shift the focus from reactive recovery to proactive configuration governance.\r\n\r\nThe session combines architectural insights with practical examples and multiple live demonstrations, showing real-world behavior directly in Entra ID. Attendees will see how changes, deletions, and recovery scenarios actually behave in practice, rather than relying on documentation alone.\r\n\r\nAttendees will leave with a realistic understanding of Entra ID protection strategies and actionable guidance for improving resilience without relying solely on third-party backup solutions.", "recording_license": "", "do_not_record": false, "persons": [{"code": "WJEGYW", "name": "Klaus Bierschenk", "avatar": null, "biography": "Klaus is a Microsoft Security MVP and works as a Technology Consultant at CGI Germany. He focuses on hybrid Microsoft technologies, with a particular emphasis on Microsoft Active Directory and Microsoft Entra ID. Driven by a strong passion for Microsoft solutions, he supports IT operators in tackling complex challenges related to modern infrastructure and identity scenarios. Klaus is a speaker at international conferences and actively contributes to the Microsoft Identity community. He also shares his knowledge through his technical blog https://nothingbutcloud.net and various professional publications.", "public_name": "Klaus Bierschenk", "guid": "75bc2d88-e0d4-55e8-a17d-6b6ed8e578f1", "url": "https://cfp.troopers.de/tr26-cfp/speaker/WJEGYW/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/BGTTKQ/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/BGTTKQ/", "attachments": []}, {"guid": "f4848014-2c67-5131-8029-074e8a298c27", "code": "3UUGNV", "id": 494, "logo": null, "date": "2026-06-25T15:15:00+02:00", "start": "15:15", "duration": "00:30", "room": "Track 3", "slug": "tr26-cfp-494-coffee-break", "url": "https://cfp.troopers.de/tr26-cfp/talk/3UUGNV/", "title": "Coffee Break", "subtitle": "", "track": "Defense & Management", "type": "Special", "language": "en", "abstract": "Coffee Break", "description": "Coffee Break", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/3UUGNV/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/3UUGNV/", "attachments": []}, {"guid": "cf56017f-ca4b-5c4e-84e9-8bcc72cdcb95", "code": "M7QTN7", "id": 353, "logo": null, "date": "2026-06-25T15:45:00+02:00", "start": "15:45", "duration": "00:30", "room": "Track 3", "slug": "tr26-cfp-353-integrating-incident-analysis-and-digital-forensics-tooling-for-automated-compromise-detection", "url": "https://cfp.troopers.de/tr26-cfp/talk/M7QTN7/", "title": "Integrating Incident Analysis and Digital Forensics Tooling for Automated Compromise Detection", "subtitle": "", "track": "Defense & Management", "type": "Lightning Talk (20 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Due to the increasing number and impact of computer security incidents, it has become essential to develop and implement efficient measures for their investigation. However, comprehensive forensic analyses are time-consuming, and this time is often not available to security analysts during acute computer security incidents. As a result, automated tools are increasingly being used. These tools, however, often cover only a limited scope of the necessary analyses and typically require deep technical expertise to be used effectively. For this reasons, we developed a framework that enables the automated analysis of disk images in the context of security incidents and is capable of identifying whether a system has been compromised. The framework orchestrates multiple established digital forensics and incident analysis tools through a decision-tree-based control logic. This decision tree governs the execution flow of integrated modules, each representing a distinct analytical domain (e.g., file system analysis, artifact extraction, event log inspection). A live demonstration illustrates how analysts interact with the system, which external analysis tools are integrated, and how the framework consolidates results into a structured, analyst-oriented report. The framework was evaluated using both compromised and non-compromised disk images derived from real-world and synthetic computer security incidents. The evaluation assesses detection capabilities, practical benefits for analysts, and current limitations.", "description": "This talk addresses the growing need for efficient incident analysis in response to the increasing number and impact of computer security incidents. While automation is essential to reduce investigation time, existing tools in digital forensics and incident analysis often operate in isolation and lack comprehensive orchestration. We present a modular framework that integrates established forensic and analysis tools using a decision-tree-based control mechanism. The talk includes a live demonstration of the framework, an overview of its architecture, and an explanation of how it detects compromised disk images. Finally, we discuss current limitations and outline future extensions of the framework.", "recording_license": "", "do_not_record": false, "persons": [{"code": "HTA8GF", "name": "Ann-Marie Belz", "avatar": null, "biography": "Ann-Marie Belz holds a Bachelor's and Master's degree in Medical Informatics, where she developed a interdisciplinary perspective combining IT, medicine, and security technologies. During her studies, she began working in IT security and has been an IT security consultant at ERNW Research GmbH since 2025. Her work primarily focuses on penetration testing, including the security assessment of medical devices. In addition, she is involved in incident analysis and digital forensics, where she helps investigate computer security incidents.", "public_name": "Ann-Marie Belz", "guid": "497d3c03-7fd6-5049-917f-e287468c6d28", "url": "https://cfp.troopers.de/tr26-cfp/speaker/HTA8GF/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/M7QTN7/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/M7QTN7/", "attachments": []}, {"guid": "5704323b-e123-52fb-8cd6-7f57bb9a57fa", "code": "ZJPKLN", "id": 296, "logo": null, "date": "2026-06-25T16:15:00+02:00", "start": "16:15", "duration": "00:30", "room": "Track 3", "slug": "tr26-cfp-296-the-edge-of-tomorrow-today-s-devices-tomorrow-s-incidents", "url": "https://cfp.troopers.de/tr26-cfp/talk/ZJPKLN/", "title": "The Edge of Tomorrow: Today's Devices, Tomorrow's Incidents", "subtitle": "", "track": "Defense & Management", "type": "Lightning Talk (20 minutes talk / 10 minutes Q&A)", "language": "en", "abstract": "Edge devices sit on the Internet-facing border of every organisation, silently bridging trust zones while running full Linux distributions that rarely see a reboot, let alone a patch. Because they are \u201cjust network kit,\u201d they are exempted from EDR, and excluded from MDM, making them the perfect beachhead for an attacker who wants to pivot into a company's network without triggering a single alert.", "description": "This talk will examine various aspects of edge-device compromises. We will share real-world findings and experiences from responding to an edge-device compromise, highlighting the challenges, lessons learned, and best practices for forensic analysis and incident response. We will also explore detection opportunities and recommendations for improving monitoring and response capabilities.\r\n\r\nAttendees will leave with actionable incident-response tactics and detection-engineering clues for spotting and stopping similar intrusions.", "recording_license": "", "do_not_record": true, "persons": [{"code": "Q7D9WG", "name": "Mathieu LE CLEACH", "avatar": null, "biography": "Mathieu is a Principal Incident Responder at CERT-EU. He has solid experience in responding to high-profile incidents involving Advanced Persistent Threats (APTs) and cyber espionage. In addition to his incident response duties, he leads the detection engineering effort, leveraging his technical expertise to identify and mitigate previously uncovered threats. Mathieu was a speaker at the 36th Annual FIRST Conference in Fukuoka, Japan and at the Hack.lu 2024.", "public_name": "Mathieu LE CLEACH", "guid": "468ba8fb-4a99-5970-be8d-e2bc1d6a3bab", "url": "https://cfp.troopers.de/tr26-cfp/speaker/Q7D9WG/"}, {"code": "MCDFEM", "name": "Mael Pignol", "avatar": null, "biography": "Ma\u00ebl is a security engineer, currently serving as Principal Incident Responder at CERT-EU. He has solid experience in responding to high-profile incidents involving Advanced Persistent Threats (APTs) and cyber espionage. In addition to his incident response duties, he leads the threat hunting effort, leveraging his technical expertise to identify and mitigate previously uncovered threats. Mael is also a key contributor to the detection engineering team, driving the development of innovative solutions to enhance threat detection capabilities. Mael was a speaker at the Underground Economy Conference 2025 in Strasbourg, France and at the State of Statecraft 2025 Conference in Brussels, Belgium.", "public_name": "Mael Pignol", "guid": "eb0ea403-9a8a-5638-970b-94eada4ee07f", "url": "https://cfp.troopers.de/tr26-cfp/speaker/MCDFEM/"}], "links": [], "feedback_url": "https://cfp.troopers.de/tr26-cfp/talk/ZJPKLN/feedback/", "origin_url": "https://cfp.troopers.de/tr26-cfp/talk/ZJPKLN/", "attachments": []}]}}]}}}