<?xml version='1.0' encoding='utf-8' ?>
<iCalendar xmlns:pentabarf='http://pentabarf.org' xmlns:xCal='urn:ietf:params:xml:ns:xcal'>
    <vcalendar>
        <version>2.0</version>
        <prodid>-//Pentabarf//Schedule//EN</prodid>
        <x-wr-caldesc></x-wr-caldesc>
        <x-wr-calname></x-wr-calname>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>RNDCKA@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-RNDCKA</pentabarf:event-slug>
            <pentabarf:title>Keynote</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T090000</dtstart>
            <dtend>20260624T103000</dtend>
            <duration>1.03000</duration>
            <summary>Keynote</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/RNDCKA/</url>
            <location>Track 1</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>BYBLQL@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-BYBLQL</pentabarf:event-slug>
            <pentabarf:title>Coffee Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T103000</dtstart>
            <dtend>20260624T110000</dtend>
            <duration>0.03000</duration>
            <summary>Coffee Break</summary>
            <description>Coffee Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/BYBLQL/</url>
            <location>Track 1</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WXKS38@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WXKS38</pentabarf:event-slug>
            <pentabarf:title>Agentic Chaos: Weaponizing Autonomous AI</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T110000</dtstart>
            <dtend>20260624T120000</dtend>
            <duration>1.00000</duration>
            <summary>Agentic Chaos: Weaponizing Autonomous AI</summary>
            <description>The Problem: The Middleware Gap

Security teams currently focus on &quot;Prompt Injection&quot; (content safety), ignoring the far greater risk: the &quot;Middleware Gap&quot; where non-deterministic LLMs interface with rigid REST APIs. In this session, we prove that Agentic Frameworks (like LangChain or Semantic Kernel) often lack the strict schema enforcement required to protect legacy backends.

Vector 1: The Integrity Hack (Agentic Mass Assignment)

We demonstrate how an Agent can be manipulated to function as an &quot;Intelligent Fuzzer.&quot;

Mechanism: By reversing the prompt templates used for tool execution, we show how to force the LLM to &quot;invent&quot; JSON fields based on common developer conventions.

The Vulnerability: We exploit the disconnect between the Frontend Schema (OpenAPI) and the Backend Database Models (ORM). We show how the hallucinated parameters pass through the Agent and are blindly accepted by backends vulnerable to Mass Assignment.

Impact: Privilege escalation and data corruption without direct database access.

Demo: A live walkthrough of bypassing a Corporate Expense Approval flow by injecting a hidden override parameter via natural language.

Vector 2: The Availability Hack (Cognitive DoS)

We introduce the concept of &quot;Economic Asymmetry&quot; in AI attacks.

Mechanism: We use Generative Style Injection (GSI) to poison the agent&#x27;s context with pathological reasoning styles (e.g., recursive bureaucracy).

The Vulnerability: Semantic loops consume tokens at every step. We show that rate limits based on &quot;requests per second&quot; fail to catch a single session that enters a self-sustaining &quot;Cognitive Deadlock.&quot;

Impact: Rapid depletion of API quotas and cloud budgets (&quot;Denial of Wallet&quot;).

Demo: Triggering a negotiation loop between autonomous agents that consumes the entire monthly budget in minutes.

Solution &amp; Tooling: We conclude with defense. We will release Agent-Fuzz (a scanner for schema hallucination) and discuss architectural patterns for &quot;Zero-Trust Schema Validation&quot; at the API Gateway level.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/WXKS38/</url>
            <location>Track 1</location>
            
            <attendee>Alon Friedman</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CLLDDN@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CLLDDN</pentabarf:event-slug>
            <pentabarf:title>Confused Recovery: A New Attack Class on Windows Recovery</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T120000</dtstart>
            <dtend>20260624T130000</dtend>
            <duration>1.00000</duration>
            <summary>Confused Recovery: A New Attack Class on Windows Recovery</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/CLLDDN/</url>
            <location>Track 1</location>
            
            <attendee>Alon Leviev</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WXYKHJ@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WXYKHJ</pentabarf:event-slug>
            <pentabarf:title>Lunch Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T130000</dtstart>
            <dtend>20260624T141500</dtend>
            <duration>1.01500</duration>
            <summary>Lunch Break</summary>
            <description>Lunch Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/WXYKHJ/</url>
            <location>Track 1</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ABQT8K@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ABQT8K</pentabarf:event-slug>
            <pentabarf:title>Backbones under attack: software vulnerabilities in core routers</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T141500</dtstart>
            <dtend>20260624T151500</dtend>
            <duration>1.00000</duration>
            <summary>Backbones under attack: software vulnerabilities in core routers</summary>
            <description>In this talk I will review the evolution of router malware and then present original research showing a practical attack path to persistent backdoors on modern backbone platforms by abusing virtualization features and two distinct privilege escalation vulnerabilities I discovered that enable installation of such persistent implants. 

To avoid creating a roadmap for abuse, this presentation focuses on impact, architecture, detection opportunities and robust mitigations rather than exploit code or step‑by‑step instructions. 

I will close with responsible-disclosure outcomes and a prioritized mitigation checklist for network operators and vendors.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/ABQT8K/</url>
            <location>Track 1</location>
            
            <attendee>Pierre Emeriaud</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FYSNJ7@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FYSNJ7</pentabarf:event-slug>
            <pentabarf:title>Coming soon :)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T151500</dtstart>
            <dtend>20260624T161500</dtend>
            <duration>1.00000</duration>
            <summary>Coming soon :)</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/FYSNJ7/</url>
            <location>Track 1</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UUKQNN@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UUKQNN</pentabarf:event-slug>
            <pentabarf:title>Coffee Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T161500</dtstart>
            <dtend>20260624T164500</dtend>
            <duration>0.03000</duration>
            <summary>Coffee Break</summary>
            <description>Coffee Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/UUKQNN/</url>
            <location>Track 1</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DAARST@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DAARST</pentabarf:event-slug>
            <pentabarf:title>Priceless: Hacking Electronic Shelf Labels</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T164500</dtstart>
            <dtend>20260624T174500</dtend>
            <duration>1.00000</duration>
            <summary>Priceless: Hacking Electronic Shelf Labels</summary>
            <description>In recent years, more and more convenience stores have upgraded their infrastructure by going digital and they will continue to do so. This includes introducing ESL tags, which enable dynamic pricing based on demand and reduce labor costs. Depending on their size and budget, stores can choose from two major types of ESL tags that either use BLE or work on other radio frequencies. The former requires only a smartphone to interact with, while the latter relies on an infrastructure of access points and a central management system. 

In this talk, we will take you on a journey through the last couple of months of reverse engineering products from two different manufacturers. Throughout this process, we analyzed two different BLE ESL tags and one ESL tag that works with an access point. We successfully performed attacks such as battery drainage and arbitrary writes, which led to denial-of-service and achieved complete takeover of the management system that controls products and templates. The possibilities were endless. We identified systematic vulnerabilities in multiple ESL products and propose a general mitigation strategy for the manufacturers.

When sharing our findings with the manufacturers, we have been unable to get their ear, leaving these issues unpatched and up to the store owners to mitigate.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/DAARST/</url>
            <location>Track 1</location>
            
            <attendee>Marius Karstedt</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>STKZXP@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-STKZXP</pentabarf:event-slug>
            <pentabarf:title>ETA when? Reporting on cybercrime</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T174500</dtstart>
            <dtend>20260624T181500</dtend>
            <duration>0.03000</duration>
            <summary>ETA when? Reporting on cybercrime</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/STKZXP/</url>
            <location>Track 1</location>
            
            <attendee>Hakan</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YZQMBB@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YZQMBB</pentabarf:event-slug>
            <pentabarf:title>Sanctions Evasion 2.0: OSINT Methodologies for Unmasking the Iranian Regime’s Financial Evolution</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T181500</dtstart>
            <dtend>20260624T184500</dtend>
            <duration>0.03000</duration>
            <summary>Sanctions Evasion 2.0: OSINT Methodologies for Unmasking the Iranian Regime’s Financial Evolution</summary>
            <description>I. The 2.0 Threat Architecture (3 mins)

The &quot;Laundering 1.0&quot; Baseline: A rapid retrospective of legacy evasion methodologies (physical gold transfers, kinetic Hawala networks) and how Western financial intelligence (FININT) made these methods obsolete.

The Digital Upgrade: Defining the adversary&#x27;s pivot toward digital obfuscation: large-scale identity spoofing, the weaponization of golden passports, automated shadow banking, and the exploitation of Western corporate registry loopholes.

II. Case Study: Deconstructing the Zanjani Infrastructure (7 mins)

State-Backed Infrastructure Spoofing: How the network engineered a parallel synthetic economy by standing up &quot;phantom&quot; entities designed to mimic legitimate financial nodes.

The &quot;CEO Cat&quot; OPSEC Failure: A high-speed forensic deep-dive into the critical vulnerability that unraveled the network. I will demonstrate how our team exploited a single operational security (OPSEC) failure—leveraging social media metadata and a stock-footage &quot;CEO&quot;—to pivot into a multi-billion dollar illicit node.

III. The &quot;Identity Exploit&quot; &amp; Live Network Pivot (8 mins)

KYC Circumvention &amp; Heuristics: A technical analysis of how the adversary utilizes golden passports and sophisticated forgeries to systematically bypass Know Your Customer (KYC) controls within the UK Companies House. I will highlight the specific registry &quot;Red Flags&quot; and behavioral fingerprints of state-sponsored phantom firms hiding in plain sight.

Live Correlation Engine: A rapid, unscripted demonstration of an advanced OSINT pivot. I will show the audience how to transition from a single anomalous corporate filing to mapping out a vast illicit network in real-time, synthesizing highly fragmented digital footprints.

IV. Conclusion: The Attribution Gap (2 mins)

Closing the Loop: Why the systemic failure to verify digital identity against physical reality remains the ultimate vulnerability in global security, and how OSINT bridges this intelligence gap.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/YZQMBB/</url>
            <location>Track 1</location>
            
            <attendee>Mahtab Divsalar</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>BMXZU3@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-BMXZU3</pentabarf:event-slug>
            <pentabarf:title>Coffee Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T103000</dtstart>
            <dtend>20260624T110000</dtend>
            <duration>0.03000</duration>
            <summary>Coffee Break</summary>
            <description>Coffee Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/BMXZU3/</url>
            <location>Track 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WDATRC@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WDATRC</pentabarf:event-slug>
            <pentabarf:title>ESC17: Using ADCS to Attack HTTPS-Enabled WSUS Clients</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T110000</dtstart>
            <dtend>20260624T120000</dtend>
            <duration>1.00000</duration>
            <summary>ESC17: Using ADCS to Attack HTTPS-Enabled WSUS Clients</summary>
            <description>In this talk we will revisit both the currently known attacks on ADCS and on WSUS and combine them with a new twist.

Certificate templates are often misconfigured in ADCS environments and can lead to complete domain takeover, for example with the ESC1 technique.
In our experience, mitigations against ESC1 in particular often remain incomplete and can leave room for further attacks, some of which have not been publicly discussed so far.

For WSUS, we will give an overview of past attacks, which in theory have existed since 2015. However, our impression is that these attacks are not a common part of security assessments.

In the following, we combine the research on ADCS with the MitM attack on WSUS to gain command execution on Windows machines which are configured in accordance with best practices.

During internal discussions, we realized that the underlying problem is not specific to WSUS at all, but rather rooted in ADCS and the trust relationships in Active Directory. This led to the creation of a new ESC number, so this specific configuration of certificate templates can easily be identified and mitigated.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/WDATRC/</url>
            <location>Track 2</location>
            
            <attendee>Alexander Neff</attendee>
            
            <attendee>Phil Knüfer</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8CBZWS@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8CBZWS</pentabarf:event-slug>
            <pentabarf:title>Tier Breakers: Blind Spots in Cloud-Managed PAWs</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T120000</dtstart>
            <dtend>20260624T130000</dtend>
            <duration>1.00000</duration>
            <summary>Tier Breakers: Blind Spots in Cloud-Managed PAWs</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/8CBZWS/</url>
            <location>Track 2</location>
            
            <attendee>Thomas Naunheim</attendee>
            
            <attendee>Martin Sohn Christensen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EYCQ8U@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EYCQ8U</pentabarf:event-slug>
            <pentabarf:title>Lunch Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T130000</dtstart>
            <dtend>20260624T141500</dtend>
            <duration>1.01500</duration>
            <summary>Lunch Break</summary>
            <description>Lunch Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/EYCQ8U/</url>
            <location>Track 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EZCTEQ@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EZCTEQ</pentabarf:event-slug>
            <pentabarf:title>Nested APP Authentication - Undocumented Risk and Conditional Access Bypass</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T141500</dtstart>
            <dtend>20260624T151500</dtend>
            <duration>1.00000</duration>
            <summary>Nested APP Authentication - Undocumented Risk and Conditional Access Bypass</summary>
            <description>This talk presents a new security vector in Nested App Authentication (NAA) and shows how this design can lead to unexpected access expansion and Conditional Access bypass.

Nested App Authentication is designed to improve user experience by allowing broker applications, such as Microsoft Teams, to request access tokens on behalf of nested applications. However, this design also creates a new attack surface. If an attacker obtains a broker refresh token, they may be able to exchange it for access tokens without requiring additional user interaction.

In our research, we discovered that several nested applications have pre-authorized access to sensitive cloud resources, including Azure Resource Manager (ARM). This creates a risky situation when compromising a device that only uses a broker application, such as Teams, may still allow attackers to gain access to critical Azure resources.

We also identified multiple Conditional Access bypass scenarios related to NAA token exchange. These bypasses affect common security controls such as MFA enforcement, device compliance requirements, and token protection policies.

In this talk, we will explain:

- How Nested App Authentication works
- How attackers can abuse broker refresh tokens
- The undocumented risks in nested app pre-authorization
- Multiple Conditional Access bypass techniques
- The security impact on cloud environments</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/EZCTEQ/</url>
            <location>Track 2</location>
            
            <attendee>Jun Sheng Shi</attendee>
            
            <attendee>Shang-De Jiang</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QSHKUT@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QSHKUT</pentabarf:event-slug>
            <pentabarf:title>Trusted by Design: How Windows Uses TPM to Secure PRTs</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T151500</dtstart>
            <dtend>20260624T161500</dtend>
            <duration>1.00000</duration>
            <summary>Trusted by Design: How Windows Uses TPM to Secure PRTs</summary>
            <description>According to the Microsoft Digital Defence Report 2025, more than 97% of identity-related attacks are password spray or brute force attacks. The majority of these attacks are not successful, as many organisations are enforcing multi-factor authentication (MFA). From the remaining three per cent, over 2.4% are token theft attacks by malware.

The number of token theft attacks has risen over the past few years, as stolen tokens give instant access to organisational resources. Depending on the stolen token, the access can be temporary or persistent. The most powerful token to steal is the Primary Refresh Token (PRT), which, along with the session key (SK), allows a threat actor to impersonate both the user and the endpoint from which the PRT was stolen.

Stealing the PRT and SK from endpoints that are not using a Trusted Platform Module (TPM) is trivial if the threat actor can obtain administrator permissions. TPM is mandatory for Windows 11 devices, but many Windows 10 devices and Windows servers still don’t use TPM.

But how does TPM really work? During this session, you will learn how TPM protects device identity and SK to prevent PRT theft. For Red Teamers, you’ll learn how to study the details of TPM and PRT implementation. For Blue Teamers, you’ll learn how to detect PRT theft – both successes and failures.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/QSHKUT/</url>
            <location>Track 2</location>
            
            <attendee>Dr Nestori Syynimaa</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QPGNZW@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QPGNZW</pentabarf:event-slug>
            <pentabarf:title>Coffee Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T161500</dtstart>
            <dtend>20260624T164500</dtend>
            <duration>0.03000</duration>
            <summary>Coffee Break</summary>
            <description>Coffee Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/QPGNZW/</url>
            <location>Track 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XAZWFC@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XAZWFC</pentabarf:event-slug>
            <pentabarf:title>Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T164500</dtstart>
            <dtend>20260624T174500</dtend>
            <duration>1.00000</duration>
            <summary>Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns</summary>
            <description>OAuth-based attacks have become a primary vector for adversaries to bypass MFA and gain persistent access to cloud environments. While many organizations treat suspicious applications as isolated incidents, these threats are often part of large-scale campaigns spanning dozens of tenants.

This session introduces the Next Campaign Finder, a structured methodology for identifying malicious OAuth clusters by correlating app metadata, ownership, and naming conventions. We will demonstrate how we used this model to uncover activity across 20+ organizations, identifying evolving tradecraft that impersonates trusted services like Adobe and DocuSign.

Attendees will learn how to pivot from a single suspicious indicator to a comprehensive campaign map using standard identity and audit logs. We conclude with actionable detection strategies and mitigations that defenders can implement immediately to secure their Entra ID environments against sophisticated application-layer threats.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/XAZWFC/</url>
            <location>Track 2</location>
            
            <attendee>Sapir Federovsky</attendee>
            
            <attendee>Shahar Dorfman</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TVDCFG@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TVDCFG</pentabarf:event-slug>
            <pentabarf:title>Windows Deployment Service: An AD Blind Spot?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T174500</dtstart>
            <dtend>20260624T181500</dtend>
            <duration>0.03000</duration>
            <summary>Windows Deployment Service: An AD Blind Spot?</summary>
            <description># Outline

## I. Introduction and Reminders

### A. Main technical terms demystified

- What exactly is PXE? Spoiler: it&#x27;s not a protocol, but a boot mechanism built on top of DHCP and TFTP
- Role of WDS in an Active Directory environment
- Interaction with MDT (Microsoft Deployment Toolkit) for automated deployment workflows

### B. Origin of My Research and Where WDS Still Exists

- Initially identified during real-world penetration tests, this exposure repeatedly appeared across multiple clients (including environments considered up to date).
- In most cases, it was found in typical enterprise infrastructures where WDS had survived several Windows migrations, often within flat or poorly segmented networks, alongside abandoned yet still reachable servers.

### C. Why It Becomes a Problem and Why It Is Still Here in 2026

- Common misconfigurations that increase exposure across information systems
- Online tutorials that explain how to use WDS and MDT, but rarely address security implications
- Credentials often stored in deployment workflows to simplify administrative tasks
- Implicit trust placed in the deployment infrastructure for years by sysadmins
- Residual artifacts left behind after partial decommissioning of the WDS role
- Migration complexity and low perceived risk among administrators: managing network-based deployments is operationally complex, and changing solutions requires extensive testing and training
- Reluctance to pay for SCCM or migrate to Intune, a cloud-oriented solution

## II. Demos

### A. Reconnaissance Phase

#### 1. Without Credentials - DHCP &amp; TFTP

- Simulate a PXE client using a VM or a physical machine, attempt to boot via PXE, and investigate sensitive files (credentials, etc.) exposed over the TFTP protocol (only possible if network segmentation is weak)
- Obtain the PXE server address by requesting it from the DHCP server

#### 2. With Active Directory Credentials - LDAP or SMB

##### LDAP Object Enumeration to Retrieve the PXE Server

- Practical techniques for enumerating WDS-related objects in Active Directory (when domain-integrated)

##### SMB Enumeration

- Discovery of SMB shares whose names almost never change: `REMINST\` (readable by any authenticated domain user by default, and considered normal behavior) or `DeploymentShare$\` (usually restricted to the local admin and, in practice, to domain administrators as well)
- Why SMB is often more practical than TFTP from an attacker’s perspective when targeting a WDS server

### B. Exploitation - Manual

#### 1. Direct Credential Extraction

- Direct access to deployment configuration and automation files that may contain credentials

#### 2. Offline Image Abuse

- Inspection of `.wim` images when no credentials are exposed in accessible shares (focus on the WinPE image) 
- Local extraction and file system reconstruction for credential hunting

#### 3. Supply Chain Attack - Misconfigured deployment server in production you said?

Attack surface:

- Misconfigured `DeploymentShare$\` with read and write access for all domain users
- Ability to modify existing deployment scripts (Malicious code execution during the next deployment cycle without creating a new task sequence)

### C. Exploitation - Partially Automated

- Introducing the module wds_mdt from nxc (NetExec) 
- Brief overview of other existing tools
- Step-by-step demonstration with sequential screenshots of the attack workflow

## III. What About Detection?

- Why standard EDR/XDR solutions usually do not generate alerts
- Operations resemble legitimate administrative activity
- Only noisy behavior, such as large SMB scans to locate the `REMINST\` share, tends to trigger detection
- Logging blind spots in both Windows and network monitoring
- How detection and logging can be improved, and what preventive measures can be implemented

## IV. Remediation and Defensive Guidance

- Fully decommission or isolate the WDS server (if WDS is no longer used)
- Clean up deployment share files, including `REMINST\` and `DeploymentShare$\`
- Use a dedicated network segment for PXE traffic in any case
- Deploy a dedicated DHCP server isolated from the main DHCP infrastructure
- Consider migrating to MECM or third-party solutions such as Ivanti or FOG Project

## V. Takeaways

- WDS remains widely overlooked in many enterprise environments, which makes it a particularly valuable Active Directory pivot point from an attacker’s perspective.
- Deployment SMB shares and associated WinPE images frequently expose credentials or sensitive configuration data, even in infrastructures considered mature or up to date.
- Removing the WDS role alone does not eliminate the risk. Residual deployment shares and legacy configuration artifacts must also be audited and cleaned.
- Most abuse scenarios rely on legitimate protocols and expected administrative behavior. In practice, this type of activity has never triggered an EDR or XDR alert during real-world engagements.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/TVDCFG/</url>
            <location>Track 2</location>
            
            <attendee>Geoffrey Sauvageot-Berland</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>G8FH3R@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-G8FH3R</pentabarf:event-slug>
            <pentabarf:title>From Packets to Intent: Hunting Adversaries in AI Telemetry</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T181500</dtstart>
            <dtend>20260624T184500</dtend>
            <duration>0.03000</duration>
            <summary>From Packets to Intent: Hunting Adversaries in AI Telemetry</summary>
            <description>AI security changes the defender’s job: the attack surface is no longer limited to hosts, identities, and network traffic. When language becomes the interface to business logic, data access, and automated actions, malicious behavior can look like normal user interaction unless you know what to look for.

This talk focuses on threat hunting in AI systems from a practical security perspective. It examines the signals defenders can use when investigating text-driven attacks, including prompt structure, semantic similarity, anomalous intent, embeddings, perplexity, and suspicious workflow patterns across models, tools, and retrieval layers.

The talk will also cover concrete attack scenarios such as prompt injection, abuse of agent capabilities, and attempts to extract sensitive information through model interaction. The goal is to show how defenders can move from generic AI security concerns to usable hunting methods and detection strategies that work in production environments.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/G8FH3R/</url>
            <location>Track 2</location>
            
            <attendee>Raz Tel-Vered</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>Q8YBDC@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-Q8YBDC</pentabarf:event-slug>
            <pentabarf:title>Coffee Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T103000</dtstart>
            <dtend>20260624T110000</dtend>
            <duration>0.03000</duration>
            <summary>Coffee Break</summary>
            <description>Coffee Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/Q8YBDC/</url>
            <location>Track 3</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JZ8Z3D@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JZ8Z3D</pentabarf:event-slug>
            <pentabarf:title>Get in Loser, We&#x27;re Upgrading the Internet -- Lessons from Deploying Post-Quantum Cryptography across Akamai&#x27;s global Content Delivery Network</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T110000</dtstart>
            <dtend>20260624T120000</dtend>
            <duration>1.00000</duration>
            <summary>Get in Loser, We&#x27;re Upgrading the Internet -- Lessons from Deploying Post-Quantum Cryptography across Akamai&#x27;s global Content Delivery Network</summary>
            <description>NIST standardized the first post-quantum cryptography algorithms in 2024, and browsers quickly followed with the adoption of the hybrid X25519MLKEM768 TLS 1.3 key exchange.  Governments around the world have since laid out timelines for the adoption of quantum-safe technologies with a time horizon of 2030-2035, meaning at this point it is almost irrelevant whether or not an actual Cryptographically Relevant Quantum Computer (CRQC) will manifest before then: huge industry sectors subject to compliance requirements will need to overhaul their entire crypto stack in the next 10 years.  If you have any experience working in these industries, that is not a very long time.

Across the industry, several large infrastructure service providers have already moved to X25519MLKEM768.  One of them is Akamai, who provide one of the world&#x27;s largest content delivery networks serving a significant portion of all internet traffic for thousands of customers across all verticals.

Rolling out post-quantum cryptography across Akamai&#x27;s CDN was a multi-year effort that required careful balancing of customer requirements, client capabilities, collaboration within the IETF and our industry peers, and consideration of performance impact and standards compliance across multiple legs of the common TLS connections involved in a CDN.

In this talk, I will discuss the lessons learned, including key exchange algorithm selection, the impact of the increased key sizes on performance and time-to-first-byte, how to get the buy-in from your executives to fund such a large program as well as how to nudge your more conservative customers and help them in the adoption.

In addition, I&#x27;ll give a look ahead at what&#x27;s next within the industry with respect to PQC, including the many places where TLS is used outside of an HTTPS context, what the deployment of post-quantum certificates will look like, and where else in your infrastructure you need to pay attention.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/JZ8Z3D/</url>
            <location>Track 3</location>
            
            <attendee>Jan Schaumann</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WZ9YRV@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WZ9YRV</pentabarf:event-slug>
            <pentabarf:title>Our Journey, from SBOM to ASSBOMB</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T120000</dtstart>
            <dtend>20260624T130000</dtend>
            <duration>1.00000</duration>
            <summary>Our Journey, from SBOM to ASSBOMB</summary>
            <description>ASSBOMB is the *automotive security &amp; software bill of material*.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/WZ9YRV/</url>
            <location>Track 3</location>
            
            <attendee>Martin Schmiedecker</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>REMT7R@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-REMT7R</pentabarf:event-slug>
            <pentabarf:title>Lunch Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T130000</dtstart>
            <dtend>20260624T141500</dtend>
            <duration>1.01500</duration>
            <summary>Lunch Break</summary>
            <description>Lunch Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/REMT7R/</url>
            <location>Track 3</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FNNPCB@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FNNPCB</pentabarf:event-slug>
            <pentabarf:title>Coming soon :)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T141500</dtstart>
            <dtend>20260624T151500</dtend>
            <duration>1.00000</duration>
            <summary>Coming soon :)</summary>
            <description>&lt;!-- --&gt;</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/FNNPCB/</url>
            <location>Track 3</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>F3XCER@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-F3XCER</pentabarf:event-slug>
            <pentabarf:title>Breaking the Control Plane: Exploiting MCP Servers in AI Workflows</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T151500</dtstart>
            <dtend>20260624T161500</dtend>
            <duration>1.00000</duration>
            <summary>Breaking the Control Plane: Exploiting MCP Servers in AI Workflows</summary>
            <description>This talk presents a systematic offensive analysis of open-source MCP servers and their deployment patterns.

MCP servers are increasingly embedded in AI workflows to bridge agents with external systems. In practice, they:

- Hold API tokens and personal access tokens
- Perform outbound HTTP requests
- Read and write to local filesystems
- Execute privileged automation steps
- Are often bound to 0.0.0.0 by default

The research focuses on:

- Control-plane override via header injection: Demonstrating how unvalidated service URL headers allow attackers to redirect outbound requests, bypassing intended configuration boundaries.
- Chaining SSRF into filesystem primitives: Turning outbound request control into arbitrary file write capabilities under realistic deployment conditions.
- Privilege amplification in agent-driven systems: How automation workflows amplify classical primitives into infrastructure-level compromise.
- Middleware and dependency-layer attack surfaces: Why reviewing tool handlers is insufficient when trust boundaries are broken earlier in the request lifecycle.

As a concrete example, we will present two critical CVEs we disclosed in a widely used Atlassian MCP server that enable an unauthenticated SSRF -&gt; arbitrary file write -&gt; RCE chain (CVE-2026-27825, CVE-2026-27826).

Beyond individual bugs, we show recurring structural weaknesses across MCP servers and explain why they are likely to become attractive lateral movement and pivot targets in enterprise AI environments.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/F3XCER/</url>
            <location>Track 3</location>
            
            <attendee>Yotam</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>F9ANPZ@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-F9ANPZ</pentabarf:event-slug>
            <pentabarf:title>Coffee Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T161500</dtstart>
            <dtend>20260624T164500</dtend>
            <duration>0.03000</duration>
            <summary>Coffee Break</summary>
            <description>Coffee Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/F9ANPZ/</url>
            <location>Track 3</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CSA7WS@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CSA7WS</pentabarf:event-slug>
            <pentabarf:title>Every Component Passed Review — So How Did the Agent Exfiltrate Everything?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T164500</dtstart>
            <dtend>20260624T174500</dtend>
            <duration>1.00000</duration>
            <summary>Every Component Passed Review — So How Did the Agent Exfiltrate Everything?</summary>
            <description>Standard security reviews look at agentic AI components one at a time. Real attacks chain across trust boundaries between retrieval, planning, tool execution, memory, and inter-agent communication. This talk presents a five-zone decomposition and a seven-step methodology for tracing cross-boundary attack chains in agentic AI systems. Three worked scenarios (RAG poisoning, MCP tool-integration supply-chain attacks, multi-agent cascades) with attack trees, mapping templates, and OWASP-aligned mitigations you can apply to your own deployments.

**Key takeaways:**

- A five-zone decomposition that extends existing threat modeling practice to agentic AI architectures
- Worked cross-zone attack paths grounded in real-world attack patterns
- A seven-step methodology and ready-to-use templates to find attack chains your current reviews miss
- Agentic AI attack patterns mapped to OWASP controls with concrete mitigations

**Target audience:** Security architects, blue team leads, and security managers evaluating or deploying agentic AI systems

**Level:** Intermediate–Advanced</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/CSA7WS/</url>
            <location>Track 3</location>
            
            <attendee>Christian Schneider</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>BFGHNM@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-BFGHNM</pentabarf:event-slug>
            <pentabarf:title>Coming soon :)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T174500</dtstart>
            <dtend>20260624T181500</dtend>
            <duration>0.03000</duration>
            <summary>Coming soon :)</summary>
            <description>&lt;!-- --&gt;</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/BFGHNM/</url>
            <location>Track 3</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>RRYVJ3@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-RRYVJ3</pentabarf:event-slug>
            <pentabarf:title>Novel attack techniques targeting the underlying infrastructure of Bedrock applications</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260624T181500</dtstart>
            <dtend>20260624T184500</dtend>
            <duration>0.03000</duration>
            <summary>Novel attack techniques targeting the underlying infrastructure of Bedrock applications</summary>
            <description>1. Introduction - 4 minutes 

    In this introduction, we will give a quick overview of Bedrock applications and how they integrate with the AWS ecosystem. In the following sections we will demonstrate novel attack techniques against Bedrock applications and describe possible mitigations. 

    AWS Bedrock has become the go-to managed AI service for enterprises who want to use GenAI in their workflow.  

    Bedrock&#x27;s native integration with compute resources, application logic, serverless functions, and cloud storage makes it a capable platform for deploying foundation models at scale. Security research is focused almost exclusively on LLM-layer concerns like prompt injection and jailbreaks, leaving the infrastructure layer largely unexamined.  

    We will take the audience through practical attack techniques targeting Bedrock-specific configurations and show how attackers are already exploiting the gap between &quot;we deployed AI&quot; and &quot;we secured it&quot;.

2. How companies misuse Bedrock due to misconceptions in security implementations – 1 minute 

    Many companies use Bedrock with direct data access. Issues begin when they `carelessly` assign permissions, as permissions in Bedrock do not always act as one may think in an AWS multi-tenant environment. 

3. Novel attack methods against Bedrock – 15 minutes 

    a. Accessing production data from development accounts by abusing guardrails – Everyone uses guardrails in critical Bedrock applications. Guardrail permission policies may lead to data exfiltration and model abuse in unexpected ways when using common configurations.

    b. Bedrock agents can be abused as a privilege escalation method, exposing their inner workings, and silently `granting` privileges by exposing access keys and other credentials or secrets that they can access.

4. Conclusions &amp; Takeaways – 5 minutes 

    a. Recap of the attack techniques and mitigation methods. 

    b. Takeaways for architects and security teams.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/RRYVJ3/</url>
            <location>Track 3</location>
            
            <attendee>Maya Parizer</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8MDPWZ@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8MDPWZ</pentabarf:event-slug>
            <pentabarf:title>Watch Your Kids: Hacking Children&#x27;s Smartwatches</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T100000</dtstart>
            <dtend>20260625T110000</dtend>
            <duration>1.00000</duration>
            <summary>Watch Your Kids: Hacking Children&#x27;s Smartwatches</summary>
            <description>If you&#x27;re paying attention, you&#x27;ll notice that more and more young children are running around with smartwatches on their wrists (perhaps yours, too?). Sold by major mobile network operators and advertised on the subway, these watches promise a safe introduction into the digital world, a step before the first smartphone with its dangerous algorithms and the wide open Internet.

For kids, these watches boast fun games and colorful designs, while parents get a way to call, text, and locate their child at any time.

With nothing less than their children at stake, parents rightfully worry about safety and security. The website of leading Norwegian children&#x27;s watch developer Xplora is full of promises offering just that: Total safety and peace of mind, European privacy, GDPR compliance, and German datacenters far away from Big Tech.

But how much are these claims really worth?

We take you along the process of hacking one of the most popular children&#x27;s watches out there, from gaining initial access to running our own code on the watch. Along the way, we find critical security issues at every turn. Our PoC attacks allow us to read and write messages, virtually abduct arbitrary children, and take control over any given watch.

We also give you a detailed look into the vulnerability disclosure process, with many false starts, curious fixes, and tips for how to get vendors to listen. Finally, we&#x27;ll look at what changed in the aftermath of our disclosure and if parents can really sleep soundly now.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/8MDPWZ/</url>
            <location>Track 1</location>
            
            <attendee>Nils Rollshausen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UZR8NA@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UZR8NA</pentabarf:event-slug>
            <pentabarf:title>WhatsApp View Once: Four Exploits and a Funeral</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T110000</dtstart>
            <dtend>20260625T120000</dtend>
            <duration>1.00000</duration>
            <summary>WhatsApp View Once: Four Exploits and a Funeral</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/UZR8NA/</url>
            <location>Track 1</location>
            
            <attendee>Tal Be&#x27;ery</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SBQMZU@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SBQMZU</pentabarf:event-slug>
            <pentabarf:title>Lunch Break + Charity Auction</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T120000</dtstart>
            <dtend>20260625T131500</dtend>
            <duration>1.01500</duration>
            <summary>Lunch Break + Charity Auction</summary>
            <description>Lunch Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/SBQMZU/</url>
            <location>Track 1</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QADSVY@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QADSVY</pentabarf:event-slug>
            <pentabarf:title>A SIM Hacking Odyssey: Can a SIM hack YOU?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T131500</dtstart>
            <dtend>20260625T141500</dtend>
            <duration>1.00000</duration>
            <summary>A SIM Hacking Odyssey: Can a SIM hack YOU?</summary>
            <description>All mobile devices connected to contemporary cellular networks must contain a SIM card, be it a removable plastic card, or an embedded SIM (eSIM). Mobile device vendors, and users of these devices, seldom question the trust put into the SIM card and the physical interface they plug into. The result is an interface with an ever-growing complexity, and an assortment of unsafe-by-design, legacy features that remained from the early days when they may have been useful for delivering certain carrier services to under-powered “dumb” devices.

In this presentation, we describe our chronological exploration of various aspects of the SIM-ME (mobile equipment) interface. While earlier work already demonstrated the potential dangers of this attack surface, we found tooling and public information on the topic to be sparse, motivating us to dive deep into the topic.

To reduce the barrier of entry, we developed open-source research tooling, beginning with SIMurai. The framework combines a smart card emulation framework with a SIM emulator built on top of it, and allows us to explore the attack surface without the need for physical (research) SIMs. We integrated SIMurai with baseband firmware emulation to enable fuzz testing, which led us to the discovery of three vulnerabilities. We were also able to reimplement existing attacks such as SIMJacker-style location stealing. Extending the insights gained from emulation, we also explored the facilities available to hostile SIM applets and malicious SIM interposers.

Most recently, we developed CATana to explore the RUN AT proactive command, i.e., a specification-defined feature that allows SIM cards to issue AT commands directly to the ME. An exploration of phones and IoT modems revealed that, despite few legitimate use cases, running AT commands provided by the SIM is supported on various devices. To highlight the threats posed by this interface, we developed a range of attacks. To gauge how these attacks would look in production, when victim devices are connected to real cellular networks, we extended our existing frameworks with interposing capabilities.

Lastly, we look into the future of SIM-originating attacks with our SIMcurity project. We actively develop new tooling, such as SIMuscope, and provide an outlook on the new research directions we want to enable. Overall, we hope to encourage members of the community to take part in exploring and securing this ubiquitous technology.</description>
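The RUN AT proactive command mentioned in the abstract is one of several SIM Toolkit commands that let a SIM act on the phone rather than the other way round. The decoder below is an added example for this schedule entry, not SIMurai or CATana code: it parses the BER-TLV envelope of a proactive command as the ME receives it in a FETCH response and flags the command types a baseband should distrust (RUN AT COMMAND, SEND SHORT MESSAGE, PROVIDE LOCAL INFORMATION, OPEN CHANNEL). The tag and type values (0xD0, 0x01, 0x02, 0x28, 0x34 and friends) are taken from my reading of ETSI TS 102 223 and are an assumption to check against the specification; the two APDUs at the bottom are constructed, not captured from a real SIM.

```python
"""Decode SIM Toolkit proactive commands and flag the ones that let a SIM
act on the phone (RUN AT COMMAND, SEND SMS, PROVIDE LOCAL INFORMATION).

Added example for this abstract; it is not SIMurai or CATana code.
Assumptions (labelled): tag and command-type values follow my reading of
ETSI TS 102 223 (proactive command tag 0xD0, Command details 0x01,
Device identities 0x02, AT Command 0x28, type RUN AT COMMAND 0x34),
and the AT Command TLV body is plain ASCII. The sample APDUs are constructed.
"""

# Type-of-command values a baseband should treat with suspicion when they
# arrive from a SIM (assumption: values as in TS 102 223 clause 9.4).
RISKY_TYPES = {
    0x13: "SEND SHORT MESSAGE",
    0x26: "PROVIDE LOCAL INFORMATION",   # the SIMjacker location primitive
    0x34: "RUN AT COMMAND",
    0x40: "OPEN CHANNEL",
}

def read_length(buf, pos):
    """BER length: one byte below 0x80, or 0x81 followed by one byte for 128..255."""
    first = buf[pos]
    if first == 0x81:
        return buf[pos + 1], pos + 2
    if first >= 0x80:
        raise ValueError("unsupported length form 0x%02x" % first)
    return first, pos + 1

def parse_tlvs(buf):
    """Yield (tag, value) for simple TLVs. The comprehension-required bit
    (0x80) is stripped, so tags 0x81 and 0x01 both read as 0x01."""
    pos = 0
    while len(buf) - pos >= 2:
        tag = buf[pos] % 0x80
        length, pos = read_length(buf, pos + 1)
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated TLV 0x%02x" % tag)
        pos += length
        yield tag, value

def decode_proactive(apdu):
    """Decode one proactive command into its type, device identities and,
    for RUN AT COMMAND, the AT string the SIM wants the ME to execute."""
    if apdu[0] != 0xD0:
        raise ValueError("not a proactive command (tag 0x%02x)" % apdu[0])
    body_len, start = read_length(apdu, 1)
    body = apdu[start:start + body_len]
    if len(body) != body_len:
        raise ValueError("truncated proactive command")
    result = {"type": None, "name": "UNKNOWN", "source": None,
              "destination": None, "at_command": None, "risky": False}
    for tag, value in parse_tlvs(body):
        if tag == 0x01 and len(value) == 3:        # Command details: number, type, qualifier
            result["type"] = value[1]
            result["name"] = RISKY_TYPES.get(value[1], "type 0x%02x" % value[1])
        elif tag == 0x02 and len(value) == 2:      # Device identities: source, destination
            result["source"], result["destination"] = value[0], value[1]
        elif tag == 0x28:                          # AT Command string (assumed ASCII)
            result["at_command"] = value.decode("ascii", "replace")
    result["risky"] = result["type"] in RISKY_TYPES
    return result

# Constructed samples: a RUN AT COMMAND asking the ME for its IMEI (AT+CGSN),
# and a PROVIDE LOCAL INFORMATION with qualifier 0x00 (location information).
# Device identities 0x81 (UICC) to 0x82 (ME) in both.
SAMPLE_RUN_AT = bytes.fromhex("D0128103013400820281822807" + "41542B4347534E")
SAMPLE_LOCAL_INFO = bytes.fromhex("D009810301260082028182")

if __name__ == "__main__":
    for apdu in (SAMPLE_RUN_AT, SAMPLE_LOCAL_INFO):
        info = decode_proactive(apdu)
        print("RISKY" if info["risky"] else "ok", info["name"], info["at_command"])
```

A baseband or a research SIM emulator can run this on every FETCH response: a RUN AT COMMAND from a card that has no business issuing AT commands is the event worth logging, and the decoded AT string tells you what the card was trying to do.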
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/QADSVY/</url>
            <location>Track 1</location>
            
            <attendee>Tomasz Lisowski</attendee>
            
            <attendee>Marius Muench</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>BYWYCQ@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-BYWYCQ</pentabarf:event-slug>
            <pentabarf:title>V2X Wardriving - They Drive, We Listen</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T141500</dtstart>
            <dtend>20260625T151500</dtend>
            <duration>1.00000</duration>
            <summary>V2X Wardriving - They Drive, We Listen</summary>
            <description>The concept of Vehicle-to-Everything (V2X) has been circulating for years. It envisioned vehicles coordinating traffic among each other, traffic lights signalling green light phases and road signs warning drivers of road works even before the driver could see them. It turns out this vision quietly turned into reality in recent years: Many newer cars now feature Cooperative Intelligent Transport Systems and Services (C-ITS), meaning they have some ability to communicate with each other (Vehicle-to-Vehicle/V2V) or with the infrastructure around them (Vehicle-to-Infrastructure).
But, how many cars are actually driving (on German roads) with such features enabled? Are there already any infrastructure components deployed which communicate actively? What kind of messages are exchanged if any? Are there privacy issues? What is the potential for attacks?
To answer those questions, we dived into the C-ITS standards implemented in Europe and into how off-the-shelf components can be used to research the protocols. In this talk, we will share our learnings about the protocols, explain how to build a setup for researching V2X in Europe, present the tooling we developed, and discuss what we discovered and what remains to be explored.

## Agenda
1. Motivation - Goals of V2X and History
2. Introduction into C-ITS 
	1. Competing Standards
	2. C-ITS Architecture
		1. Roles
		2. Packet Structure 
		3. Types of Messages
	3. C-ITS Security &amp; Privacy Considerations
3. V2X Wardriving
	1. Hardware/Software Setup
		1. Hardware
		2. Software
			1. Available Open Source Software
			2. Custom C-ITS Stack with Scapy
			3. Analysis
				1. Map
				2. Possible Identification of Vehicle Models
				3. Other Observations
4. What&#x27;s Next: Security Testing of C-ITS
	1. Approaches for Protocol Fuzzing
	2. Limitations</description>
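For the packet-structure and privacy items on the agenda, the following is an added example for this schedule entry, not the speakers' Scapy stack: a dependency-free decoder for the GeoNetworking and BTP headers that European C-ITS stations put in front of a CAM or DENM, plus a builder that produces a constructed Single Hop Broadcast frame to feed it. The EtherType 0x8947, the Basic Header, Common Header, SHB extended header and BTP-B layouts, the BTP port numbers (2001 CAM, 2002 DENM, 2003 MAPEM, 2004 SPATEM) and the 1/10 micro-degree coordinate unit are my reading of ETSI EN 302 636-4-1 and EN 302 636-5-1 and should be checked against those documents. Nothing here is a capture; the frame is built in the block.

```python
"""Minimal decoder for ETSI GeoNetworking / BTP-B frames as used by European
C-ITS stations, plus a builder for constructed test frames.

Added example for this abstract; it is not the speakers' tooling.
Assumptions (labelled): EtherType 0x8947; Basic Header = version(4) NH(4),
reserved, lifetime, remaining hop limit; Common Header = NH(4) reserved(4),
HT(4) HST(4), traffic class, flags, payload length (16), max hop limit,
reserved; SHB extended header = Long Position Vector (GN_ADDR 8, timestamp 4,
lat 4, lon 4, PAI+speed 2, heading 2) + 4 reserved bytes; BTP-B = destination
port (16) + destination port info (16); lat/lon signed in 1/10 micro-degree.
"""
import struct

ETHERTYPE_GN = 0x8947
BTP_PORTS = {2001: "CAM", 2002: "DENM", 2003: "MAPEM", 2004: "SPATEM"}  # assumption

def decode_frame(frame):
    """Parse Ethernet + GN Basic/Common/SHB + BTP-B. Secured packets (Basic
    Header NH == 2) are reported but not unwrapped: that needs the
    TS 103 097 / IEEE 1609.2 security envelope, which is out of scope here."""
    if 18 > len(frame):
        raise ValueError("frame too short")
    _dst, src, ethertype = struct.unpack(">6s6sH", frame[:14])
    if ethertype != ETHERTYPE_GN:
        raise ValueError("not a GeoNetworking frame (EtherType 0x%04x)" % ethertype)
    info = {"src_mac": src.hex(":"), "secured": False, "message": None,
            "lat": None, "lon": None, "gn_addr": None, "payload": b""}
    b0, _res, _lifetime, _hops = struct.unpack(">BBBB", frame[14:18])
    if b0 >> 4 != 1:
        raise ValueError("unsupported GN version %d" % (b0 >> 4))
    next_header = b0 % 16
    if next_header == 2:            # SECURED_PACKET: signed envelope follows
        info["secured"] = True
        return info
    if next_header != 1:
        raise ValueError("unexpected Basic Header NH %d" % next_header)
    c0, c1, _tc, _flags, payload_len, _mhl, _res2 = struct.unpack(">BBBBHBB", frame[18:26])
    transport = c0 >> 4             # 1 = BTP-A, 2 = BTP-B, 3 = IPv6
    header_type, header_subtype = c1 >> 4, c1 % 16
    offset = 26
    if header_type == 5 and header_subtype == 0:   # TSB / Single Hop Broadcast (CAM)
        gn_addr, _tst, lat, lon, _pai_speed, _heading = struct.unpack(
            ">8sIiiHH", frame[offset:offset + 24])
        # Privacy note: GN_ADDR carries the station's MAC (its current pseudonym)
        # and the LPV its position, in the clear, before any facilities payload.
        info["gn_addr"] = gn_addr.hex(":")
        info["lat"], info["lon"] = lat / 1e7, lon / 1e7
        offset += 24 + 4
    else:
        raise ValueError("header type %d/%d not handled here" % (header_type, header_subtype))
    if transport == 2:              # BTP-B: the first 4 bytes of the GN payload
        dst_port, _port_info = struct.unpack(">HH", frame[offset:offset + 4])
        info["message"] = BTP_PORTS.get(dst_port, "port %d" % dst_port)
        info["payload"] = frame[offset + 4:offset + payload_len]
    return info

def build_shb_cam(src_mac, lat, lon, facilities_payload):
    """Constructed, unsecured SHB frame carrying a CAM on BTP-B port 2001."""
    gn_payload = struct.pack(">HH", 2001, 0) + facilities_payload
    basic = struct.pack(">BBBB", 0x11, 0, 0x14, 1)      # version 1, NH = Common Header
    common = struct.pack(">BBBBHBB", 0x20, 0x50, 2, 0x80, len(gn_payload), 1, 0)  # BTP-B, TSB/SHB
    gn_addr = bytes([0, 0]) + src_mac                   # station type bits zero, then MID
    lpv = struct.pack(">8sIiiHH", gn_addr, 0, int(round(lat * 1e7)), int(round(lon * 1e7)), 0x8064, 0)
    return (b"\xff" * 6 + src_mac + struct.pack(">H", ETHERTYPE_GN)
            + basic + common + lpv + bytes(4) + gn_payload)

if __name__ == "__main__":
    frame = build_shb_cam(bytes.fromhex("020000000001"), 48.1371, 11.5754, b"\x01\x02\x03\x04")
    print(decode_frame(frame))
    print(decode_frame(frame[:14] + bytes([0x12]) + frame[15:]))   # same frame, marked secured
```

On a real capture the interesting split is exactly the one the decoder makes first: frames with NH == 1 are unsigned and anyone with an 802.11p or C-V2X radio can inject them, while NH == 2 frames still leak the sender's pseudonym MAC in the Ethernet header even though the GN headers are inside the signed envelope.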
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/BYWYCQ/</url>
            <location>Track 1</location>
            
            <attendee>Dieter Schuster</attendee>
            
            <attendee>Nikolai Puch</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GUKGL8@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GUKGL8</pentabarf:event-slug>
            <pentabarf:title>Coffee Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T151500</dtstart>
            <dtend>20260625T154500</dtend>
            <duration>0.03000</duration>
            <summary>Coffee Break</summary>
            <description>Coffee Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/GUKGL8/</url>
            <location>Track 1</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FB8PAJ@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FB8PAJ</pentabarf:event-slug>
            <pentabarf:title>Counteroffensive AI: Pwning AI Pentesters</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T154500</dtstart>
            <dtend>20260625T161500</dtend>
            <duration>0.03000</duration>
            <summary>Counteroffensive AI: Pwning AI Pentesters</summary>
            <description>1. The Promise vs. The Problem
State of AI pentesting: what vendors claim, how agents actually work under the hood (LLM + tool chain + YOLO execution). Quick demo: AI agent solving a pentest challenge (GOAD cyberrange), finds file with password hint, tries credentials everywhere. Who placed that file? Core observation: agents consume untrusted input from the target and make autonomous decisions. This is the attack surface. Transition: forget prompt injection, what if the environment itself is hostile?

2. The SSO Dilemma
How SSO works in 60 seconds: OAuth2/OIDC/SAML flow, redirects to external IdP, token exchange. Why AI agents MUST follow SSO redirects: cannot test authenticated apps otherwise, this is table-stakes functionality. The catch-22: agents cannot distinguish legitimate IdPs from attacker-controlled ones discovered in user content. Walk through failed mitigations: IdP allowlisting (fails for custom/internal IdPs), redirect-origin checking (fails for undocumented services), prompt engineering (agent still cannot verify domain legitimacy), human confirmation (defeats autonomy). Key insight: this is architectural. The feature is the vulnerability. No amount of guardrails fixes this without removing the capability vendors are selling.

3. Attack Framework: Architecture &amp; Components
HON-AI, the Fake Identity Provider: full OAuth2/OIDC/SAML implementation that looks and responds like real IdPs. Endpoint coverage: OIDC discovery, OAuth authorize/token/userinfo, Okta primary auth + MFA verify, SAML metadata/SSO, ADFS, Azure AD-style. Credential capture: usernames, passwords, client secrets, MFA codes, bearer tokens, full request logging. Response strategy: returns plausible errors (&quot;password expired&quot;, &quot;MFA required&quot;) to encourage agents to retry with different credentials or escalate. Domain generation: sso.target.com.attacker.net, target.okta.attacker.net, login.target.microsoftonline.attacker.net.
UZI, the Mass Reference Injector: automated injection of fake SSO references into user-generated content: GitHub issues, forum posts, support tickets, user profile bios, wiki pages, comments. Payload templates per IdP style: OIDC discovery URLs, Okta-style auth, Azure AD, Auth0, SAML metadata, ADFS. Canary ID system: unique tracking identifiers embedded in URL paths for per-target attribution. Social engineering templates that AI agents find compelling: IT helpdesk notices, SSO migration announcements, disaster recovery documentation, staging environment references.

4. Live Demonstration: Single Target Attack
Setup: target web application with injected SSO references, HON-AI fake IdP running, AI pentesting agent configured with test credentials. Show the injected payloads in context (forum post, support ticket, user profile). Launch AI pentest, observe agent discover SSO references during reconnaissance. Agent reasons about the references, decides to test authentication. Real-time credential capture on HON-AI: user password, then client secret, then MFA code. Show the captured credentials, demonstrate they are real and usable. Discuss agent behavior: it tried multiple credential types across multiple fake endpoints, exactly as designed.

5. Mass Spray: Harvesting at Scale
Economics of the attack: spray 10,000 targets once, harvest credentials as AI pentests happen over months. Canary-tracked URL structure: path-embedded IDs map captured credentials back to specific targets. UZI mass mode demonstration: generating and injecting payloads across many targets. HON-AI collection dashboard: credentials arriving over time, attributed to targets via canary IDs. The compounding problem: as AI pentest adoption grows, the value of pre-planted canaries increases. Canary propagation: injected references can spread through document indexing, aggregation, and AI-generated summaries.

6. Implications &amp; The Hard Questions
For AI pentest vendors: your agents may leak credentials to anyone who plants fake IdP references, malicious reverse DNS entries and other honeypot traps. This is not fixable with prompt engineering alone. Fully autonomous pentesting with SSO support needs security controls and guardrails beyond what is in place today. For enterprises using AI pentesting: use dedicated pentest-only accounts, rotate credentials immediately after engagement, audit user-generated content for planted references. For red teamers and adversaries: this is a new passive collection capability with minimal operational overhead. Broader implications for AI agents in adversarial environments: any agent that acts on discovered content in hostile environments faces the same class of problem.

7. Tool Release &amp; Q&amp;A
Open-source release of HON-AI, UZI, and the victim-app test harness. Repository URL, documentation, and usage guidance. Responsible disclosure timeline and vendor notification summary.</description>
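Section 2 of the outline lists allowlisting and redirect-origin checking among the mitigations that fail, and section 3 lists the lookalike hosts (sso.target.com.attacker.net, target.okta.attacker.net) that defeat naive ones. The block below is an added example for this schedule entry, not HON-AI, UZI or any vendor's agent code: it shows the gate an agent would need between "found an SSO URL in target content" and "sent credentials to it", with a label-wise host check that catches the lookalikes and a substring check beside it that does not. TRUSTED_IDP_DOMAINS, the discovered URLs and the label heuristics are all assumptions made for the example; a production check would take registrable domains from the Public Suffix List.

```python
"""Decide what an autonomous pentest agent may do with an SSO endpoint it
discovered in target content before it ever sends credentials there.

Added example for this abstract; it is not HON-AI, UZI, or any vendor's agent.
Assumptions (labelled): the customer confirmed TRUSTED_IDP_DOMAINS out of band
during scoping; the URLs in DISCOVERED are constructed; a production check
should derive registrable domains from the Public Suffix List instead of the
label heuristics used here.
"""
from urllib.parse import urlsplit

TRUSTED_IDP_DOMAINS = {"example.com", "example.okta.com", "login.microsoftonline.com"}
GENERIC_LABELS = {"com", "net", "org", "io", "login", "sso", "auth", "www"}
# Brand labels that should never appear inside a hostname outside the trusted set.
BRAND_LABELS = {lbl for d in TRUSTED_IDP_DOMAINS for lbl in d.split(".")} - GENERIC_LABELS

def host_within(host, domain):
    """True when host is domain or a subdomain of it, compared label-wise,
    so example.com.attacker.net is NOT within example.com."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def naive_contains_check(url):
    """The check that fails in practice: 'the URL mentions our domain, so it is ours'."""
    return any(d in url for d in TRUSTED_IDP_DOMAINS)

def classify_idp_url(url):
    """Return (verdict, reason). Only 'trusted' may receive credentials autonomously."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return "suspicious", "identity traffic over %s" % (parts.scheme or "no scheme")
    if any(host_within(host, d) for d in TRUSTED_IDP_DOMAINS):
        return "trusted", "host is within an approved IdP domain"
    # Lookalikes: an approved brand as a label of a foreign host
    # (sso.example.com.attacker.net, example.okta.attacker.net), or an approved
    # domain smuggled into the userinfo part before the @ sign.
    labels = set(host.split("."))
    userinfo = parts.username or ""
    if labels.intersection(BRAND_LABELS) or any(d in userinfo for d in TRUSTED_IDP_DOMAINS):
        return "suspicious", "approved brand embedded in a foreign host or in the userinfo part"
    return "unknown", "not an approved IdP: escalate to a human, do not log in"

def may_submit_credentials(url):
    """The only gate that should sit between discovery and a login attempt."""
    return classify_idp_url(url)[0] == "trusted"

DISCOVERED = [  # constructed discovery results, the kind an agent finds in tickets and posts
    "https://sso.example.com/oauth2/v1/authorize",
    "https://sso.example.com.attacker.net/oauth2/v1/authorize",
    "https://example.okta.attacker.net/api/v1/authn",
    "https://alice@example.com@attacker.net/login",
    "https://idp.staging-internal.test/.well-known/openid-configuration",
    "http://login.microsoftonline.com/common/oauth2/v2.0/authorize",
]

if __name__ == "__main__":
    for url in DISCOVERED:
        verdict, reason = classify_idp_url(url)
        print("%-10s naive=%-5s %s (%s)" % (verdict, naive_contains_check(url), url, reason))
```

The fourth and fifth results are the point the talk makes: the correct check classifies the staging IdP as unknown because it cannot tell a legitimate undocumented IdP from a planted one, so the agent either stops and asks (losing autonomy) or logs in anyway (leaking credentials). The check removes the lookalike class of hosts, not the architectural problem.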
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/FB8PAJ/</url>
            <location>Track 1</location>
            
            <attendee>Markus Vervier</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VQRXGH@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VQRXGH</pentabarf:event-slug>
            <pentabarf:title>Taking a Bite at Apple&#x27;s Network Stack: Reversing Proprietary Multi-Device Protocols with logfuse</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T161500</dtstart>
            <dtend>20260625T164500</dtend>
            <duration>0.03000</duration>
            <summary>Taking a Bite at Apple&#x27;s Network Stack: Reversing Proprietary Multi-Device Protocols with logfuse</summary>
            <description>Reverse engineering proprietary network protocols means dealing with information scattered across log files, kernel traces, and network captures, often generated across multiple devices. Correlating events across these sources has been cumbersome, manual work, even though the dependencies between them often make protocol analysis more conclusive.

This talk presents the reverse engineering process of Low-Latency WiFi (LLW), Apple&#x27;s proprietary link-layer protocol for real-time applications such as Sidecar Display and Continuity Camera, which has remained undocumented in prior reverse engineering of Apple&#x27;s ecosystem. We walk through how correlating kernel traces, network captures, and system logs across iOS and macOS devices revealed LLW&#x27;s internals. Alongside this, we publish logfuse, an open-source toolkit that made LLW&#x27;s internals accessible by aggregating heterogeneous traces from iOS and macOS into a single clock-aligned timeline.</description>
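The abstract describes aggregating heterogeneous traces from several devices into one clock-aligned timeline. The block below is an added example for this schedule entry, not logfuse itself: it estimates each device's clock offset against a reference device from anchor events that both devices recorded for the same underlying event (here a frame the sender logged and the receiver captured), takes the median so one delayed log line does not skew the offset, and then merges the per-device streams on the reference clock. The record format, the constant-offset assumption (no drift correction) and all the sample records are assumptions constructed for the example.

```python
"""Merge per-device traces (syslog lines, kernel trace events, pcap packets)
into one timeline after aligning each device's clock to a reference device.

Added example for this abstract; it is not logfuse. Assumptions (labelled):
every record is already normalised to (device, local_time, source, key, text);
clock skew between devices is a constant offset over the capture (drift is
ignored); anchor events are records on different devices that share a key
because they describe the same underlying event. All records are constructed.
"""
import heapq
from collections import namedtuple
from statistics import median

Record = namedtuple("Record", "device local_time source key text")

def estimate_offsets(records, reference):
    """Per-device offset in seconds to ADD to that device's local time to place it
    on the reference clock, from the median difference over shared anchor keys."""
    ref_anchor = {r.key: r.local_time for r in records if r.device == reference and r.key}
    diffs = {}
    for r in records:
        if r.device != reference and r.key in ref_anchor:
            diffs.setdefault(r.device, []).append(ref_anchor[r.key] - r.local_time)
    offsets = {dev: median(d) for dev, d in diffs.items()}
    offsets[reference] = 0.0
    return offsets

def merge_timeline(records, reference):
    """Return (aligned_time, record) pairs sorted on the reference clock.
    Devices with no anchor are dropped: their clock cannot be placed honestly."""
    offsets = estimate_offsets(records, reference)
    streams = {}
    for r in records:
        if r.device in offsets:
            streams.setdefault(r.device, []).append((r.local_time + offsets[r.device], r))
    for s in streams.values():
        s.sort(key=lambda t: t[0])
    return list(heapq.merge(*streams.values(), key=lambda t: t[0]))

SAMPLE_RECORDS = [  # constructed; the iPhone clock runs about 2.5 s behind the Mac
    Record("mac", 100.00, "pcap", "seq=7", "mac pcap: LLW frame seq=7"),
    Record("mac", 100.30, "ktrace", None, "mac ktrace: llw_rx_path wake"),
    Record("mac", 100.60, "pcap", "seq=9", "mac pcap: LLW frame seq=9"),
    Record("mac", 101.00, "pcap", "seq=11", "mac pcap: LLW frame seq=11"),
    Record("mac", 101.40, "pcap", "seq=13", "mac pcap: LLW frame seq=13"),
    Record("iphone", 97.48, "syslog", "seq=7", "iphone syslog: tx seq=7"),
    Record("iphone", 97.80, "syslog", None, "iphone syslog: LLW link established"),
    Record("iphone", 98.12, "syslog", "seq=9", "iphone syslog: tx seq=9"),
    Record("iphone", 98.50, "syslog", "seq=11", "iphone syslog: tx seq=11"),
    Record("iphone", 98.80, "syslog", "seq=13", "iphone syslog: tx seq=13"),  # late log line, the outlier
    Record("watch", 5.00, "syslog", None, "watch syslog: no shared anchor, cannot be placed"),
]

def demo():
    return merge_timeline(SAMPLE_RECORDS, "mac")

if __name__ == "__main__":
    print("offsets:", estimate_offsets(SAMPLE_RECORDS, "mac"))
    for aligned, r in demo():
        print("%8.3f  %-6s %-7s %s" % (aligned, r.device, r.source, r.text))
```

The anchor differences are 2.52, 2.48, 2.50 and 2.60 s; the median lands at 2.51 s and the late line only shifts the mean. With the offset applied, the iPhone's "link established" message falls between the Mac's kernel wake-up and the next captured frame, which is the kind of ordering a protocol analysis depends on and a raw per-device view hides.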
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/VQRXGH/</url>
            <location>Track 1</location>
            
            <attendee>Henri Jäger</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FXFPSH@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FXFPSH</pentabarf:event-slug>
            <pentabarf:title>Closing</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T170000</dtstart>
            <dtend>20260625T180000</dtend>
            <duration>1.00000</duration>
            <summary>Closing</summary>
            <description>&lt;!-- --&gt;</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/FXFPSH/</url>
            <location>Track 1</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PQJWB7@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PQJWB7</pentabarf:event-slug>
            <pentabarf:title>I&#x27;m_in_your_cloud_v4_FINAL.pdf - hacking everyone&#x27;s cloud</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T100000</dtstart>
            <dtend>20260625T110000</dtend>
            <duration>1.00000</duration>
            <summary>I&#x27;m_in_your_cloud_v4_FINAL.pdf - hacking everyone&#x27;s cloud</summary>
            <description>&lt;!-- --&gt;</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/PQJWB7/</url>
            <location>Track 2</location>
            
            <attendee>Dirk-jan Mollema</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FPKKRA@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FPKKRA</pentabarf:event-slug>
            <pentabarf:title>KDS Root Keys: All Secrets Finally Revealed</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T110000</dtstart>
            <dtend>20260625T120000</dtend>
            <duration>1.00000</duration>
            <summary>KDS Root Keys: All Secrets Finally Revealed</summary>
            <description>After an Active Directory domain is fully compromised, malicious actors can steal KDS Root Keys using LDAP, DCSync, or ntds.dit. These keys can then be abused to unlock secrets that often go beyond the boundaries of AD.
The session will include demos of BitLocker SID protector exploitation, group-protected PFX/RSA key export, DNSSEC ZSK/KSK extraction, ASP.NET Core database connection string recovery, bulk LAPS/DSRM password export, and gMSA/dMSA password generation. Although some variations of these attacks are already known, there will definitely be a twist to them.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/FPKKRA/</url>
            <location>Track 2</location>
            
            <attendee>Michael Grafnetter</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HZHMKC@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HZHMKC</pentabarf:event-slug>
            <pentabarf:title>Lunch Break + Charity Auction</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T120000</dtstart>
            <dtend>20260625T131500</dtend>
            <duration>1.01500</duration>
            <summary>Lunch Break + Charity Auction</summary>
            <description>Lunch Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/HZHMKC/</url>
            <location>Track 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3RETQ9@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3RETQ9</pentabarf:event-slug>
            <pentabarf:title>Popping Microsoft&#x27;s Sandbox: What Falls Out of a Dataverse Container</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T131500</dtstart>
            <dtend>20260625T141500</dtend>
            <duration>1.00000</duration>
            <summary>Popping Microsoft&#x27;s Sandbox: What Falls Out of a Dataverse Container</summary>
            <description>1. The Plugin (5 min)
  •	Quick primer on Dataverse Custom API plugins and how deployment works over the OData REST API.
  •	Our EchoPlugin: a .NET assembly that runs commands via cmd.exe and returns output through the Dataverse API. Built and deployed using only documented platform features.
  •	The deployment tooling we wrote (MSAL device-code auth, strong name signing, automated registration). We plan to release this.
  •	No exploits involved. This is a standard Dataverse feature. You just need a license.

2. SYSTEM in One Command (5 min)
  •	We land as ContainerAdministrator on Windows Server 2022 (Build 20348) with SeDebugPrivilege and SeImpersonatePrivilege.
  •	SYSTEM via sc create with obj=LocalSystem. One command.
  •	This sets the stage for everything that follows. We now have full access to the container&#x27;s memory, filesystem, and registry.

3. What We Pulled Out (15 min)
  •	This is the core of the talk. Once you have SYSTEM on one of these containers, the amount of sensitive material you can grab is alarming.
  •	LSASS dump via ProcDump, which Microsoft helpfully left in the container. From that: the local Administrator NTLM hash, 28 DPAPI master keys, the boot key, LSA secrets, cached credential decryption keys.
  •	Registry hive export (SAM, SECURITY, SYSTEM). Exfiltrated via certutil base64 encoding through the API.
  •	Full SandboxWorker process memory dump (349 MB). Inside we found: a production RSA 2048-bit TLS private key for wus107.prd.sbx.dynamics.com (confirmed matching via OpenSSL), 52 co-located customer organization GUIDs, 4 internal Microsoft tenant IDs, cluster names and internal endpoint URIs.
  •	Environment variables from the worker process: auth nonces, Azure app and tenant IDs, sidecar host addresses, internal service configuration.
  •	46 proprietary Microsoft DLLs totaling 30 MB. These include the identity model libraries (Microsoft.IdentityModel.S2S and friends), the SidecarContract library with full gRPC protobuf definitions, the SandboxWorker binary itself, and various CRM runtime components. We decompiled all of them: 13,889 C# source files.
  •	400 MB+ exfiltrated to our own Azure Blob Storage. Azure-to-Azure, same region, took seconds. No DLP, no alerts.


4. From DLLs to gRPC (10 min)
  •	The SidecarContract DLLs contained the full protobuf definitions for the gRPC protocol between SandboxWorker and a host-side sidecar process. This was the key find in the DLL haul.
  •	We built custom Go gRPC clients using those definitions to call every sidecar method. There are 20+ across 3 services. None of them require authentication.
  •	Read methods: GetEnvironmentVariables (worker nonces, internal tenant IDs), GetWorkerAssignedMetadata (co-located org GUIDs), GetOpenIdSigningKeys (full JWKS with 5 RSA keys and cert chains), GetClusterEnvironmentSettings, GetServiceParameters.
  •	Write methods: ReportWorkerBusy (DoS for all tenants on the container), SendCrashEvent (inject fake telemetry), SetNamingServiceProperty (modify Service Fabric naming), ProcessPortProxyRequest (create network routes to arbitrary IPs, including 169.254.169.254).
  •	We produced an OpenAPI spec documenting 27 methods across 3 services. We&#x27;ll walk through the interesting ones live.

5. Cross-Tenant Execution (7 min)
  •	The unauthenticated sidecar, combined with org identity stored in patchable process memory, opens a path to cross-tenant code execution: steal the worker nonce, patch the org GUID in memory, send a crafted Execute request with a target org ID and your own .NET assembly.
  •	We got context.OrganizationId to return another customer&#x27;s GUID. On one container we intercepted their SDK callbacks (RetrieveMultiple for systemuser, businessunit, solution tables).
  •	To be upfront: we proved the execution context switches, but we did not achieve full data exfiltration from a victim tenant. The bidirectional callback protocol needs more work. So this is real, and it&#x27;s scary, but we&#x27;re not going to oversell it.

6. What Held and What Didn&#x27;t (3 min)
  •	Credit where it&#x27;s due. Microsoft blocked IMDS, filtered cross-container networking, stubbed device IOCTLs, sandboxed driver loading (returns success but never executes), no host filesystem, no Docker socket.
  •	What failed: no auth on the sidecar, no network isolation between plugin code and infrastructure services, privileged container defaults, wide-open outbound internet, ProcDump sitting in the container, org identity in patchable memory.

7. Takeaways (5 min)
  •	What this means if you&#x27;re running Dataverse plugins or Power Platform in your environment.
  •	The pattern here (over-privileged sandbox, unauthenticated internal services, identity in patchable memory) is not unique to Dataverse. How to audit for it in other multi-tenant platforms.
  •	Disclosure timeline and Microsoft&#x27;s response.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/3RETQ9/</url>
            <location>Track 2</location>
            
            <attendee>Simon Maxwell-Stewart</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YFRZ9U@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YFRZ9U</pentabarf:event-slug>
            <pentabarf:title>Jingle Thief: Cloud Identity Tradecraft in Microsoft 365 and Entra ID</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T141500</dtstart>
            <dtend>20260625T151500</dtend>
            <duration>1.00000</duration>
            <summary>Jingle Thief: Cloud Identity Tradecraft in Microsoft 365 and Entra ID</summary>
            <description>The Jingle Thief campaign represents a modern evolution in financially motivated threat activity: a cloud-first intrusion model operating almost exclusively within Microsoft 365 and Entra ID.

Initial access was achieved through phishing and smishing campaigns targeting Microsoft 365 credentials. Once inside a tenant, the actors immediately shifted to cloud-based reconnaissance, mining SharePoint and OneDrive for internal documentation related to gift card issuance processes and operational workflows.

Using compromised internal accounts, the actors conducted additional phishing to expand access across the organization. Mailbox rules and forwarding settings were configured to maintain operational awareness, while phishing artifacts were moved to Deleted Items to reduce visibility.

Persistence was established through device registration within the tenant and modification of authentication methods in Entra ID, enabling sustained access even as credentials were reset. In one observed case, the intrusion persisted for approximately ten months and involved more than sixty compromised accounts.

This talk focuses on the identity-layer mechanics of the campaign and examines:
	•	The Microsoft 365 and Entra ID attack lifecycle observed in victim tenants
	•	Abuse of collaboration platforms for reconnaissance and operational scaling
	•	Mailbox rule manipulation and internal phishing tradecraft
	•	Device registration and authentication method modification as persistence mechanisms
	•	Investigation challenges unique to cloud-only intrusions
	•	Detection and monitoring considerations across Exchange Online, SharePoint, OneDrive, and Entra ID logs

Rather than presenting a traditional fraud narrative, this session reframes Jingle Thief as a cloud identity tradecraft model and discusses what defenders must instrument and monitor to detect similar activity.</description>
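The last bullet of the abstract lists the detection and monitoring considerations across Exchange Online and Entra ID logs. The block below is an added example for this schedule entry, not Unit 42's or Microsoft's detection content: it runs three rules over constructed Microsoft 365 Unified Audit Log style records, flags inbox rules that hide mail (delete, mark as read, move to Deleted Items) or forward it, flags mailbox-level forwarding, and then raises the severity when the same account registers a device or a new authentication method within 48 hours of that mailbox tampering, which is the persistence sequence the abstract describes. The record shape (CreationTime, UserId, Workload, Operation, a Parameters list of Name/Value pairs for Exchange cmdlets) and the Entra operation names are my reading of Search-UnifiedAuditLog output and the Entra audit log; the users, IPs and timestamps are placeholders.

```python
"""Detection logic for the identity-layer tradecraft described above, run over
constructed Microsoft 365 Unified Audit Log style records.

Added example for this abstract; not Unit 42's or Microsoft's detection content.
Assumptions (labelled): records carry CreationTime, UserId, Workload, Operation
and, for Exchange cmdlets, a Parameters list of Name/Value pairs as returned by
Search-UnifiedAuditLog; Entra operations use their audit log display names
("Register device", "User registered security info"). All records are constructed.
"""
from datetime import datetime, timedelta

HIDING_FOLDERS = {"Deleted Items", "Junk Email", "RSS Feeds", "Archive", "Conversation History"}
EXFIL_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
PERSISTENCE_OPS = {"Register device", "User registered security info",
                   "User registered all required security info", "Add registered owner to device"}
PERSISTENCE_WINDOW = timedelta(hours=48)

def params(record):
    return {p["Name"]: p.get("Value") for p in record.get("Parameters", [])}

def when(record):
    return datetime.fromisoformat(record["CreationTime"])

def finding(rule, record, severity, detail=""):
    return {"rule": rule, "severity": severity, "user": record["UserId"],
            "time": when(record), "detail": detail}

def mailbox_findings(record):
    """Exchange Online: rules that hide or forward mail, and mailbox-level forwarding."""
    op, p = record["Operation"], params(record)
    out = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        hides = (str(p.get("DeleteMessage", "")).lower() == "true"
                 or str(p.get("MarkAsRead", "")).lower() == "true"
                 or p.get("MoveToFolder") in HIDING_FOLDERS)
        forwards = [k for k in EXFIL_PARAMS if k in p]
        if hides:
            out.append(finding("inbox_rule_hides_mail", record, "medium",
                               "rule %r, subject filter %r" % (p.get("Name"), p.get("SubjectContainsWords"))))
        if forwards:
            out.append(finding("inbox_rule_forwards_mail", record, "high", ", ".join(forwards)))
    elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
        out.append(finding("mailbox_forwarding_enabled", record, "high", p["ForwardingSmtpAddress"]))
    return out

def run_detections(records):
    """Mailbox rules first, then the correlation: persistence registered by an
    account shortly after its mailbox was tampered with."""
    records = sorted(records, key=when)
    findings = [f for r in records for f in mailbox_findings(r)]
    tampered = {}
    for f in findings:
        tampered.setdefault(f["user"], []).append(f["time"])
    for r in records:
        if r["Operation"] in PERSISTENCE_OPS and r["UserId"] in tampered:
            t = when(r)
            recent = [t0 for t0 in tampered[r["UserId"]] if t >= t0 and PERSISTENCE_WINDOW >= t - t0]
            if recent:
                findings.append(finding("persistence_after_mailbox_tampering", r, "critical",
                                        "%s %s after mailbox tampering" % (r["Operation"], t - recent[-1])))
    return sorted(findings, key=lambda f: f["time"])

def summarize(findings):
    summary = {}
    for f in findings:
        summary.setdefault(f["user"], set()).add(f["rule"])
    return summary

SAMPLE_RECORDS = [  # constructed, Search-UnifiedAuditLog style
    {"CreationTime": "2025-11-03T08:12:00", "UserId": "alice@contoso.example", "Workload": "Exchange",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "password;helpdesk;suspicious"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-11-03T09:40:00", "UserId": "alice@contoso.example",
     "Workload": "AzureActiveDirectory", "Operation": "Register device"},
    {"CreationTime": "2025-11-03T09:45:00", "UserId": "alice@contoso.example",
     "Workload": "AzureActiveDirectory", "Operation": "User registered security info"},
    {"CreationTime": "2025-11-04T10:00:00", "UserId": "bob@contoso.example", "Workload": "Exchange",
     "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.backup@mail.attacker.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2025-11-10T12:00:00", "UserId": "carol@contoso.example", "Workload": "Exchange",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-11-12T12:00:00", "UserId": "carol@contoso.example",
     "Workload": "AzureActiveDirectory", "Operation": "Register device"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_RECORDS):
        print(f["time"], f["severity"].upper(), f["user"], f["rule"], f["detail"])
```

Carol's newsletter rule and later device registration produce nothing, Bob's mailbox forwarding stands on its own as high, and Alice's hide-everything rule followed by a new device and a new authentication method within two hours is the sequence that should page someone, because the authentication method will survive the password reset that follows the rule cleanup.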
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/YFRZ9U/</url>
            <location>Track 2</location>
            
            <attendee>Stav Setty</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YNWFTG@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YNWFTG</pentabarf:event-slug>
            <pentabarf:title>Coffee Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T151500</dtstart>
            <dtend>20260625T154500</dtend>
            <duration>0.03000</duration>
            <summary>Coffee Break</summary>
            <description>Coffee Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/YNWFTG/</url>
            <location>Track 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>N8JZBT@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-N8JZBT</pentabarf:event-slug>
            <pentabarf:title>Modern Adventures in Azure Privilege Escalation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T154500</dtstart>
            <dtend>20260625T164500</dtend>
            <duration>1.00000</duration>
            <summary>Modern Adventures in Azure Privilege Escalation</summary>
            <description>Starting off with some basics, attendees will get a brief lesson on the fundamental concepts that support Azure tenants. Building on that foundation, we will explain what privilege escalation looks like in Azure, as compared to a traditional on-prem environment. Often in the cloud, there can be a blending of concepts that result in escalation, lateral movement, and persistence. With all of these in mind, we will then go over the escalation and lateral movement options for multiple Azure resource types. These will be focused on the permissions a user may have available, and how those permissions can be abused. We will also cover escalations from the Entra ID side and explain why that&#x27;s fundamentally different from the Azure resource level escalations. Finally, we will wrap things up with a few persistence concepts in Azure and provide some resources to help with escalations.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/N8JZBT/</url>
            <location>Track 2</location>
            
            <attendee>Karl Fosaaen</attendee>
            
            <attendee>Thomas Elling</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FZ7LBK@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FZ7LBK</pentabarf:event-slug>
            <pentabarf:title>Unshelling VShell at Scale</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T100000</dtstart>
            <dtend>20260625T110000</dtend>
            <duration>1.00000</duration>
            <summary>Unshelling VShell at Scale</summary>
            <description>At the start of the talk, we outline what kind of malware VShell is. VShell is a backdoor written in Golang. It was at one point publicly available on GitHub, which helped it become a shared tool used by a wide range of attackers. It is particularly favoured by China-nexus threat groups. We also briefly introduce the groups known to use VShell and present representative examples of their attack workflows. In particular, we focus on recent cases involving UNC5174 and UNC6586.

We then examine the VShell C2 server. We obtained the VShell builder and C2 server binaries and conducted a detailed analysis. Using concrete examples from our data, we explain how VShell payloads are generated by the builder and how they communicate with the C2 server. This gives the audience an accurate view of how VShell operates.

Our investigation of VShell C2 servers also revealed previously unknown findings. For example, when a specific magic packet is sent to a VShell C2 server, it is possible to retrieve a stageless VShell binary. This stageless binary contains config data, including the &quot;vkey&quot;, and that data is not obfuscated, making it straightforward to extract. We used this behaviour to scan the internet at scale, identify VShell C2 servers, retrieve stageless binaries from them, and extract a large volume of config data. Based on the collected config data, we performed clustering and attribution analysis of threat actors using VShell, and we present the results. Some of the stageless binaries we collected had characteristics that differed from the commonly available VShell. We will also show these differences.

In addition, C2 servers running with default settings can expose even more information. This includes data on victim hosts connected to the server. We analysed these data and carried out further in-depth research. We also present the results of that analysis.

Finally, we discuss defensive measures for protecting organisations against VShell-related attacks. Based on our detailed analysis of these C2 servers, we developed improved detection logic that goes beyond what has previously been available. We present detection logic designed for both network security products and endpoint security products.

Through this talk, the audience will gain a detailed understanding of VShell&#x27;s capabilities and the characteristics of its C2 servers. They will also learn research methods for uncovering new information that supports attribution. In addition, they will see how these research findings can be applied in practice, including the development of more effective detection logic and other concrete defensive measures.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/FZ7LBK/</url>
            <location>Track 3</location>
            
            <attendee>Kazuya Nomura</attendee>
            
            <attendee>Rintaro Koike</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UR9JPA@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UR9JPA</pentabarf:event-slug>
            <pentabarf:title>Living Off The Pipeline: Defensive Research, Weaponized</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T110000</dtstart>
            <dtend>20260625T120000</dtend>
            <duration>1.00000</duration>
            <summary>Living Off The Pipeline: Defensive Research, Weaponized</summary>
            <description>For years, our research team wrote the defensive manuals. We built the &quot;Living Off The Pipeline&quot; (LOTP) inventory and released `poutine` (our open-source vulnerability scanner) to help defenders find the holes. But we have bad news: Threat Actors were taking notes.
In early 2025, we found the &quot;smoking gun&quot; on BreachForums: a full attack plan for a 0-day compromise giving a direct shout-out to our defensive research as the source. Our work had become their offensive playbook.

In this talk, we stop playing defense. We introduce **SmokedMeat**, the &quot;Metasploit for CI/CD.&quot;

Our research shows that 2025&#x27;s Build Pipelines look like the average 2005 PHP Web App in terms of secure coding, wide open to &quot;pwn requests&quot; and command injections. SmokedMeat is the first Open Source Red Team framework designed to commoditize these compromises, demonstrating exactly what happens when a Threat Actor turns your infrastructure against you.

We will demonstrate a full exploitation chain:

1. **Reconnaissance:** Pivoting from unprivileged anonymous access on public repositories using `poutine` to find the weak spots.
2. **Exploitation:** Stealing private repository secrets and intellectual property via automated &quot;pwn requests&quot;.
3. **Persistence:** The &quot;gone in 60 seconds&quot; jump from an ephemeral workflow runner directly to permanent Cloud Admin, implanting backdoors on build infrastructure.

The era of simple &quot;awareness&quot; is over. This talk demonstrates why your current CI/CD security strategy is already obsolete.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/UR9JPA/</url>
            <location>Track 3</location>
            
            <attendee>François Proulx</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9SH8LT@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9SH8LT</pentabarf:event-slug>
            <pentabarf:title>Lunch Break + Charity Auction</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T120000</dtstart>
            <dtend>20260625T131500</dtend>
            <duration>1.01500</duration>
            <summary>Lunch Break + Charity Auction</summary>
            <description>Lunch Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/9SH8LT/</url>
            <location>Track 3</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TPGLJU@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TPGLJU</pentabarf:event-slug>
            <pentabarf:title>From Code to Coverage: A Detection Engineer&#x27;s Journey Through the LDAP Wilderness</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T131500</dtstart>
            <dtend>20260625T141500</dtend>
            <duration>1.00000</duration>
            <summary>From Code to Coverage: A Detection Engineer&#x27;s Journey Through the LDAP Wilderness</summary>
            <description>BloodHound, Impacket, SOAPHound. Every red teamer&#x27;s starting point, every blue teamer&#x27;s blind spot. LDAP reconnaissance is how attackers learn your environment before you know they&#x27;re there, and most detections for it are embarrassingly easy to bypass.
This talk started as a failure. A Sigma rule that looked right, passed review, and caught nothing in production. Six months later, it turned into a complete LDAP detection stack that&#x27;s caught tools the vendor community hadn&#x27;t even documented yet.
We&#x27;ll get into the specific mechanics of why detections break. OID transformations that silently invalidate your rules, whitespace variations that make regex useless, SDFlags queries that walk straight past ACL monitoring. Then we&#x27;ll flip the problem. Instead of chasing attacker syntax, we&#x27;ll use Event 1644&#x27;s performance fields to detect enumeration behavior statistically, something no amount of query obfuscation can hide. We&#x27;ll also cover ADWS correlation for catching PowerShell-based recon that never touches LDAP at all.
Everything here is running in production. You&#x27;ll get real false positive rates, real tuning decisions, and Sigma rules and detection techniques you can actually use.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/TPGLJU/</url>
            <location>Track 3</location>
            
            <attendee>Andrew S.</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>BGTTKQ@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-BGTTKQ</pentabarf:event-slug>
            <pentabarf:title>Delete Is Easy – Recovery Is Not: The Reality of Entra ID Backup &amp; Restore</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T141500</dtstart>
            <dtend>20260625T151500</dtend>
            <duration>1.00000</duration>
            <summary>Delete Is Easy – Recovery Is Not: The Reality of Entra ID Backup &amp; Restore</summary>
            <description>This session is aimed at identity and security professionals working with Microsoft Entra ID who want to understand the real limitations of backup and recovery in cloud identity environments.

Attendees will gain a clear understanding of how deletion and recovery behave across different Entra resource types, including users, groups, Conditional Access policies, and tenant-wide configurations. The session highlights where recovery is possible, where it is limited, and where it is not available at all.

In addition, we explore recent platform changes and new capabilities such as Unified Tenant Configuration Management (UTCM), and how these features shift the focus from reactive recovery to proactive configuration governance.

The session combines architectural insights with practical examples and multiple live demonstrations, showing real-world behavior directly in Entra ID. Attendees will see how changes, deletions, and recovery scenarios actually behave in practice, rather than relying on documentation alone.

Attendees will leave with a realistic understanding of Entra ID protection strategies and actionable guidance for improving resilience without relying solely on third-party backup solutions.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk (50 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/BGTTKQ/</url>
            <location>Track 3</location>
            
            <attendee>Klaus Bierschenk</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3UUGNV@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3UUGNV</pentabarf:event-slug>
            <pentabarf:title>Coffee Break</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T151500</dtstart>
            <dtend>20260625T154500</dtend>
            <duration>0.03000</duration>
            <summary>Coffee Break</summary>
            <description>Coffee Break</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Special</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/3UUGNV/</url>
            <location>Track 3</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>M7QTN7@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-M7QTN7</pentabarf:event-slug>
            <pentabarf:title>Integrating Incident Analysis and Digital Forensics Tooling for Automated Compromise Detection</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T154500</dtstart>
            <dtend>20260625T161500</dtend>
            <duration>0.03000</duration>
            <summary>Integrating Incident Analysis and Digital Forensics Tooling for Automated Compromise Detection</summary>
            <description>This talk addresses the growing need for efficient incident analysis in response to the increasing number and impact of computer security incidents. While automation is essential to reduce investigation time, existing tools in digital forensics and incident analysis often operate in isolation and lack comprehensive orchestration. We present a modular framework that integrates established forensic and analysis tools using a decision-tree-based control mechanism. The talk includes a live demonstration of the framework, an overview of its architecture, and an explanation of how it detects compromised disk images. Finally, we discuss current limitations and outline future extensions of the framework.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/M7QTN7/</url>
            <location>Track 3</location>
            
            <attendee>Ann-Marie Belz</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZJPKLN@@cfp.troopers.de</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZJPKLN</pentabarf:event-slug>
            <pentabarf:title>The Edge of Tomorrow: Today&#x27;s Devices, Tomorrow&#x27;s Incidents</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260625T161500</dtstart>
            <dtend>20260625T164500</dtend>
            <duration>0.03000</duration>
            <summary>The Edge of Tomorrow: Today&#x27;s Devices, Tomorrow&#x27;s Incidents</summary>
            <description>This talk will examine various aspects of edge-device compromises. We will share real-world findings and experiences from responding to an edge-device compromise, highlighting the challenges, lessons learned, and best practices for forensic analysis and incident response. We will also explore detection opportunities and recommendations for improving monitoring and response capabilities.

Attendees will leave with actionable incident-response tactics and detection-engineering clues for spotting and stopping similar intrusions.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</category>
            <url>https://cfp.troopers.de/tr26-cfp/talk/ZJPKLN/</url>
            <location>Track 3</location>
            
            <attendee>Mathieu LE CLEACH</attendee>
            
            <attendee>Mael Pignol</attendee>
            
        </vevent>
        
    </vcalendar>
</iCalendar>
