<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2025.2.2. -->
<schedule>
    <generator name="pretalx" version="2025.2.2" />
    <version>0.3</version>
    <conference>
        <title>TROOPERS26 Call for Paper</title>
        <acronym>tr26-cfp</acronym>
        <start>2026-06-24</start>
        <end>2026-06-25</end>
        <days>2</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://cfp.troopers.de</base_url>
        
        <time_zone_name>Europe/Berlin</time_zone_name>
        
        
        <track name="Attack &amp; Research" slug="7-attack-research"  color="#f10e3e" />
        
        <track name="Defense &amp; Management" slug="8-defense-management"  color="#26e61c" />
        
        <track name="Active Directory &amp; Entra ID Security" slug="9-active-directory-entra-id-security"  color="#fe19f5" />
        
    </conference>
    <day index='1' date='2026-06-24' start='2026-06-24T04:00:00+02:00' end='2026-06-25T03:59:00+02:00'>
        <room name='Track 1' guid='f621960c-3688-5e5c-91e6-399bd502d79b'>
            <event guid='63b08883-82e5-5a49-bca3-6b033183922c' id='508'>
                <room>Track 1</room>
                <title>Keynote</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>01:30</duration>
                <abstract>Coming soon :)</abstract>
                <slug>tr26-cfp-508-keynote</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description></description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/RNDCKA/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/RNDCKA/feedback/</feedback_url>
            </event>
            <event guid='3e4fd249-a8d1-51b5-9ce1-822efad8429a' id='491'>
                <room>Track 1</room>
                <title>Coffee Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T10:30:00+02:00</date>
                <start>10:30</start>
                <duration>00:30</duration>
                <abstract>Coffee Break</abstract>
                <slug>tr26-cfp-491-coffee-break</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Coffee Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/BYBLQL/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/BYBLQL/feedback/</feedback_url>
            </event>
            <event guid='65535b32-5aaa-5674-8ac4-8d185ae87852' id='311'>
                <room>Track 1</room>
                <title>Agentic Chaos: Weaponizing Autonomous AI</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>01:00</duration>
                <abstract>As enterprises integrate &quot;Agentic AI&quot; into their infrastructure, they are inadvertently exposing critical business logic to stochastic actors. This talk explores the Execution Layer of autonomous agents, revealing how LLMs can be weaponized to act as proxies for traditional web attacks.

We will introduce &quot;Agentic Mass Assignment,&quot; a technique where attackers coerce agents to hallucinate undocumented parameters (like status: APPROVED or is_admin) to exploit backend ORM vulnerabilities. Additionally, we will demonstrate &quot;Cognitive Denial of Service,&quot; using semantic paradoxes to trap agents in infinite reasoning loops that result in &quot;Denial of Wallet.&quot;

Attendees will see live exploitation of these logic flaws and receive Agent-Fuzz, an open-source tool for auditing agentic middleware.</abstract>
                <slug>tr26-cfp-311-agentic-chaos-weaponizing-autonomous-ai</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='312'>Alon Friedman</person>
                </persons>
                <language>en</language>
                <description>The Problem: The Middleware Gap

Security teams currently focus on &quot;Prompt Injection&quot; (content safety), ignoring the far greater risk: the &quot;Middleware Gap&quot; where non-deterministic LLMs interface with rigid REST APIs. In this session, we prove that Agentic Frameworks (like LangChain or Semantic Kernel) often lack the strict schema enforcement required to protect legacy backends.

Vector 1: The Integrity Hack (Agentic Mass Assignment)

We demonstrate how an Agent can be manipulated to function as an &quot;Intelligent Fuzzer.&quot;

Mechanism: By reversing the prompt templates used for tool execution, we show how to force the LLM to &quot;invent&quot; JSON fields based on common developer conventions.

The Vulnerability: We exploit the disconnect between the Frontend Schema (OpenAPI) and the Backend Database Models (ORM). We show how the hallucinated parameters pass through the Agent and are blindly accepted by backends vulnerable to Mass Assignment.

Impact: Privilege escalation and data corruption without direct database access.

Demo: A live walkthrough of bypassing a Corporate Expense Approval flow by injecting a hidden override parameter via natural language.

Vector 2: The Availability Hack (Cognitive DoS)

We introduce the concept of &quot;Economic Asymmetry&quot; in AI attacks.

Mechanism: We use Generative Style Injection (GSI) to poison the agent&apos;s context with pathological reasoning styles (e.g., recursive bureaucracy).

The Vulnerability: Semantic loops consume tokens at every step. We show that rate limits based on &quot;requests per second&quot; fail to catch a single session that enters a self-sustaining &quot;Cognitive Deadlock.&quot;

Impact: Rapid depletion of API quotas and cloud budgets (&quot;Denial of Wallet&quot;).

Demo: Triggering a negotiation loop between autonomous agents that consumes the entire monthly budget in minutes.

Solution &amp; Tooling: We conclude with defense. We will release Agent-Fuzz (a scanner for schema hallucination) and discuss architectural patterns for &quot;Zero-Trust Schema Validation&quot; at the API Gateway level.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/WXKS38/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/WXKS38/feedback/</feedback_url>
            </event>
            <event guid='593536a1-d62b-5aff-a5b2-ad68b7265738' id='429'>
                <room>Track 1</room>
                <title>Confused Recovery: A New Attack Class on Windows Recovery</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T12:00:00+02:00</date>
                <start>12:00</start>
                <duration>01:00</duration>
                <abstract>The Windows Recovery Environment (WinRE) is a foundational component of the Windows stack, embedded in over a billion devices worldwide. It plays a critical role in recovering systems from various types of severe failures.

A fundamental requirement for any recovery operation is identifying its associated disk volume. To meet this requirement, volume lookup functionalities are implemented separately in both the WinRE boot phase and the WinRE runtime phase. Historically, maintaining two separate mechanisms for retrieving the same information has proven fragile and error prone. This raises a critical question: what happens when these lookup mechanisms fall out of sync?

In this talk, we introduce a new and novel attack class on WinRE. Our exploration begins with an analysis of the various volume lookup logics and the inconsistencies between them. We then reveal 4 unique vulnerabilities that confuse WinRE to mistakenly recover an attacker-controlled volume instead of the intended associated volume. Building on these confusion primitives, we present 2 exploitation techniques that escalate the impact to a full BitLocker bypass, allowing extraction of all BitLocker-protected secrets in several different ways.

To conclude the presentation, we will share how we collaborated with the engineering teams to develop a comprehensive, end-to-end mitigation that addresses the entire attack class.
This talk offers valuable insights into the intersection of BitLocker, Windows Boot, and Windows Recovery, highlighting how combining knowledge across these domains leads to impactful results.</abstract>
                <slug>tr26-cfp-429-confused-recovery-a-new-attack-class-on-windows-recovery</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='390'>Alon Leviev</person>
                </persons>
                <language>en</language>
                <description></description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/CLLDDN/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/CLLDDN/feedback/</feedback_url>
            </event>
            <event guid='4e51d0e6-b9bc-522b-955e-20bcd7155883' id='500'>
                <room>Track 1</room>
                <title>Lunch Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T13:00:00+02:00</date>
                <start>13:00</start>
                <duration>01:15</duration>
                <abstract>Lunch Break</abstract>
                <slug>tr26-cfp-500-lunch-break</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Lunch Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/WXYKHJ/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/WXYKHJ/feedback/</feedback_url>
            </event>
            <event guid='ee83218b-864a-5936-ad81-9769ff8d8e01' id='422'>
                <room>Track 1</room>
                <title>Backbones under attack: software vulnerabilities in core routers</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T14:15:00+02:00</date>
                <start>14:15</start>
                <duration>01:00</duration>
                <abstract>The core routers that form the Internet backbone are among the most critical but least scrutinized pieces of infrastructure. While many talks focus on BGP, routing policies or DDoS, comparatively little attention is paid to the attack surface introduced by modern virtualization and management features inside high-end routing platforms.</abstract>
                <slug>tr26-cfp-422-backbones-under-attack-software-vulnerabilities-in-core-routers</slug>
                <track></track>
                
                <persons>
                    <person id='385'>Pierre Emeriaud</person>
                </persons>
                <language>en</language>
                <description>In this talk I will review the evolution of router malware and then present original research showing a practical attack path to persistent backdoors on modern backbone platforms by abusing virtualization features and two distinct privilege escalation vulnerabilities I discovered that enable installation of such persistent implants. 

To avoid creating a roadmap for abuse, this presentation focuses on impact, architecture, detection opportunities and robust mitigations rather than exploit code or step&#8209;by&#8209;step instructions. 

I will close with responsible-disclosure outcomes and a prioritized mitigation checklist for network operators and vendors.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/ABQT8K/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/ABQT8K/feedback/</feedback_url>
            </event>
            <event guid='7ea69e2f-1130-5e3a-bdf2-1ac5f8cf6bf9' id='516'>
                <room>Track 1</room>
                <title>Coming soon :)</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T15:15:00+02:00</date>
                <start>15:15</start>
                <duration>01:00</duration>
                <abstract></abstract>
                <slug>tr26-cfp-516-coming-soon</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description></description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/FYSNJ7/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/FYSNJ7/feedback/</feedback_url>
            </event>
            <event guid='c8b75819-023f-592d-9d04-f1b720819f0c' id='493'>
                <room>Track 1</room>
                <title>Coffee Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T16:15:00+02:00</date>
                <start>16:15</start>
                <duration>00:30</duration>
                <abstract>Coffee Break</abstract>
                <slug>tr26-cfp-493-coffee-break</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Coffee Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/UUKQNN/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/UUKQNN/feedback/</feedback_url>
            </event>
            <event guid='74d0cc78-306e-5258-840f-16bbccf526df' id='391'>
                <room>Track 1</room>
                <title>Priceless: Hacking Electronic Shelf Labels</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T16:45:00+02:00</date>
                <start>16:45</start>
                <duration>01:00</duration>
                <abstract>Disagree with the latest price hikes of your local store? Then this talk is for you! 

As price labels, commonly called electronic shelf labels (ESL tags), play a major role in store architecture, they increase the potential attack surface and attract attention from adversaries. To understand how these products work, we examined Android apps, web-based management software, Bluetooth Low Energy (BLE), and 2.4 GHz traffic, as well as their hardware components. In the process, we identified architectural and implementation weaknesses across every part of the ESL infrastructure.</abstract>
                <slug>tr26-cfp-391-priceless-hacking-electronic-shelf-labels</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='361'>Marius Karstedt</person>
                </persons>
                <language>en</language>
                <description>In recent years, more and more convenience stores have upgraded their infrastructure by going digital and they will continue to do so. This includes introducing ESL tags, which enable dynamic pricing based on demand and reduce labor costs. Depending on their size and budget, stores can choose from two major types of ESL tags that either use BLE or work on other radio frequencies. The former requires only a smartphone to interact with, while the latter relies on an infrastructure of access points and a central management system. 

In this talk, we will take you on a journey through the last couple of months of reverse engineering products from two different manufacturers. Throughout this process, we analyzed two different BLE ESL tags and one ESL tag that works with an access point. We successfully performed attacks such as battery drainage and arbitrary writes, which led to denial-of-service and achieved complete takeover of the management system that controls products and templates. The possibilities were endless. We identified systematic vulnerabilities in multiple ESL products and propose a general mitigation strategy for the manufacturers.

When sharing our findings with the manufacturers, we have been unable to get their ear, leaving these issues unpatched and up to the store owners to mitigate.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/DAARST/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/DAARST/feedback/</feedback_url>
            </event>
            <event guid='afdcf6bd-72c0-507d-9bab-3f6ec181835d' id='464'>
                <room>Track 1</room>
                <title>ETA when? Reporting on cybercrime</title>
                <subtitle></subtitle>
                <type>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T17:45:00+02:00</date>
                <start>17:45</start>
                <duration>00:30</duration>
                <abstract># Whodunit

As a reporter, it is one of the main parts of my job to find out who is behind criminal enterprises such as ransomware groups. And while attribution might be hard, in some cases it is doable. By pivoting, using leaks and correlating it with other publicly available information. I&apos;ll show many examples that will help the audience better understand how reporters use techniques familiar within the threat intelligence landscape. During the last couple of years I was part of four investigations that ended up identifying people for the first time publicly.

But the main part of the talk will deal with one question: Under what circumstances does it make sense to publish? Because the decision to put out the story has immediate consequences. One of them being that law enforcement agencies, who might have been trying to catch the very same actors, will likely no longer be able to do that. Since the actors also read our reporting stories and take precautions. For one, they stop traveling to countries where they run the risk of being arrested and then extradited. Knowing this, I&apos;m going to make the case that it is important and in the public&apos;s interest to publish such investigations.</abstract>
                <slug>tr26-cfp-464-eta-when-reporting-on-cybercrime</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='420'>Hakan</person>
                </persons>
                <language>en</language>
                <description></description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/STKZXP/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/STKZXP/feedback/</feedback_url>
            </event>
            <event guid='9791ed67-d004-5757-8b04-a981458aac3a' id='433'>
                <room>Track 1</room>
                <title>Sanctions Evasion 2.0: OSINT Methodologies for Unmasking the Iranian Regime&#8217;s Financial Evolution</title>
                <subtitle></subtitle>
                <type>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T18:15:00+02:00</date>
                <start>18:15</start>
                <duration>00:30</duration>
                <abstract>Modern sanctions evasion has moved beyond traditional shell companies and into a parallel digital economy. This session presents a forensic deconstruction of a multi-billion dollar state-sponsored laundering infrastructure that successfully bypassed Western oversight for over a decade. This network represents &quot;Laundering 2.0&quot;&#8212;a sophisticated architecture of synthetic identities and automated shadow-banking nodes.

Based on an intensive multi-year investigation into one of the world&apos;s largest evasion networks, this talk moves beyond the headlines to reveal the specific OSINT &quot;pivots&quot; used to link phantom Western corporate entities to state-sponsored actors. We will analyze the technical failures in corporate registries that allow these &quot;Identity Exploits&quot; to persist.

Attendees will learn:

The &quot;CEO Cat&quot; Methodology: A forensic walkthrough of moving from a single stock-footage identity to unmasking a multi-billion dollar node using metadata analysis and digital &quot;tells.&quot;

Identity Spoofing &amp; Registry Exploitation: Technical signatures for detecting forged documentation and &quot;synthetic&quot; directors used to bypass KYC verification in high-value corporate registries.

Infrastructure Evolution: An analysis of how state-sponsored evasion has &quot;patched&quot; its vulnerabilities, moving toward decentralized digital identities and the exploitation of systemic gaps in global corporate infrastructure.</abstract>
                <slug>tr26-cfp-433-sanctions-evasion-2-0-osint-methodologies-for-unmasking-the-iranian-regime-s-financial-evolution</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='384'>Mahtab Divsalar</person>
                </persons>
                <language>en</language>
                <description>I. The 2.0 Threat Architecture (3 mins)

The &quot;Laundering 1.0&quot; Baseline: A rapid retrospective of legacy evasion methodologies (physical gold transfers, kinetic Hawala networks) and how Western financial intelligence (FININT) made these methods obsolete.

The Digital Upgrade: Defining the adversary&apos;s pivot toward digital obfuscation: large-scale identity spoofing, the weaponization of golden passports, automated shadow banking, and the exploitation of Western corporate registry loopholes.

II. Case Study: Deconstructing the Zanjani Infrastructure (7 mins)

State-Backed Infrastructure Spoofing: How the network engineered a parallel synthetic economy by standing up &quot;phantom&quot; entities designed to mimic legitimate financial nodes.

The &quot;CEO Cat&quot; OPSEC Failure: A high-speed forensic deep-dive into the critical vulnerability that unraveled the network. I will demonstrate how our team exploited a single operational security (OPSEC) failure&#8212;leveraging social media metadata and a stock-footage &quot;CEO&quot;&#8212;to pivot into a multi-billion dollar illicit node.

III. The &quot;Identity Exploit&quot; &amp; Live Network Pivot (8 mins)

KYC Circumvention &amp; Heuristics: A technical analysis of how the adversary utilizes golden passports and sophisticated forgeries to systematically bypass Know Your Customer (KYC) controls within the UK Companies House. I will highlight the specific registry &quot;Red Flags&quot; and behavioral fingerprints of state-sponsored phantom firms hiding in plain sight.

Live Correlation Engine: A rapid, unscripted demonstration of an advanced OSINT pivot. I will show the audience how to transition from a single anomalous corporate filing to mapping out a vast illicit network in real-time, synthesizing highly fragmented digital footprints.

IV. Conclusion: The Attribution Gap (2 mins)

Closing the Loop: Why the systemic failure to verify digital identity against physical reality remains the ultimate vulnerability in global security, and how OSINT bridges this intelligence gap.</description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/YZQMBB/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/YZQMBB/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Track 2' guid='ae308d0a-3cd7-51bb-918f-e243dcfbd2b0'>
            <event guid='51faf927-b4b9-577d-9a7e-962fc409fb3d' id='498'>
                <room>Track 2</room>
                <title>Coffee Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T10:30:00+02:00</date>
                <start>10:30</start>
                <duration>00:30</duration>
                <abstract>Coffee Break</abstract>
                <slug>tr26-cfp-498-coffee-break</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Coffee Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/BMXZU3/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/BMXZU3/feedback/</feedback_url>
            </event>
            <event guid='8b398be7-aa81-53b9-824f-59b2a25682e9' id='412'>
                <room>Track 2</room>
                <title>ESC17: Using ADCS to Attack HTTPS-Enabled WSUS Clients</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>01:00</duration>
                <abstract>The Active Directory Certificate Service (ADCS) has been studied extensively, which led to an entire category of privilege escalation techniques: the ESC attacks.
We combined known research about attacks on ADCS and the Windows Server Update Service (WSUS) to compromise Windows machines in supposedly &quot;secure&quot; environments.
As this technique can be generalized, we decided to introduce the new escalation number ESC17.</abstract>
                <slug>tr26-cfp-412-esc17-using-adcs-to-attack-https-enabled-wsus-clients</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='375'>Alexander Neff</person><person id='380'>Phil Kn&#252;fer</person>
                </persons>
                <language>en</language>
                <description>In this talk we will revisit both the currently known attacks on ADCS and on WSUS and combine them with a new twist.

Certificate templates are often misconfigured in ADCS environments and can lead to complete domain takeover, for example with the ESC1 technique.
In our experience, mitigations against ESC1 in particular often remain incomplete and can leave room for further attacks, some of which have not been publicly discussed so far.

For WSUS, we will give an overview of past attacks, which in theory have existed since 2015. However, our impression is that these attacks are not a common part of security assessments.

In the following, we combine the research on ADCS with the MitM attack on WSUS to gain command execution on Windows machines that are configured in accordance with best practices.

During internal discussions, we realized that the underlying problem is not specific to WSUS at all, but rather rooted in ADCS and the trust relationships in Active Directory. This led to the creation of a new ESC number, so this specific configuration of certificate templates can easily be identified and mitigated.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/WDATRC/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/WDATRC/feedback/</feedback_url>
            </event>
            <event guid='40bacd2a-cb73-509f-8c7d-cae1272b4546' id='434'>
                <room>Track 2</room>
                <title>Tier Breakers: Blind Spots in Cloud-Managed PAWs</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T12:00:00+02:00</date>
                <start>12:00</start>
                <duration>01:00</duration>
                <abstract>Microsoft Intune and Entra ID have become the default stack for cloud-managed Privileged Access Workstations (PAWs) - and with them, organizations assume they can achieve a strong and clear tier separation within a single tenant.

This session dissects the real-world failures and mistakes of tiered administration in cloud-managed PAW environments. We map concrete attack paths that breach tier boundaries: Intune RBAC scope misconfigurations that grant cross-tier device access, Entra ID role assignments with implicit permissions that span administrative tiers, and platform-level limitations that (currently) no configuration can fully compensate for.

Beyond exposing the gaps, we present tooling and methods to enumerate these attack paths within your own tenant - identifying tier boundary violations and quantifying blast radius before an attacker does. We then compare architectural mitigations, including the dedicated administration tenant (&quot;Red Tenant&quot;) model, against the single-tenant default most organizations live with.

Attendees leave with a clear model of where the tier boundary actually sits in a cloud-managed PAW deployment, specific detection and assessment techniques, and a realistic view of the architectural trade-offs involved.</abstract>
                <slug>tr26-cfp-434-tier-breakers-blind-spots-in-cloud-managed-paws</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='311'>Thomas Naunheim</person><person id='397'>Martin Sohn Christensen</person>
                </persons>
                <language>en</language>
                <description>&lt;!-- --&gt;</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/8CBZWS/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/8CBZWS/feedback/</feedback_url>
            </event>
            <event guid='52b513dc-8687-5541-b650-7d77455823f9' id='503'>
                <room>Track 2</room>
                <title>Lunch Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T13:00:00+02:00</date>
                <start>13:00</start>
                <duration>01:15</duration>
                <abstract>Lunch Break</abstract>
                <slug>tr26-cfp-503-lunch-break</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Lunch Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/EYCQ8U/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/EYCQ8U/feedback/</feedback_url>
            </event>
            <event guid='a426e153-d93d-5fc2-827d-130f666195d3' id='400'>
                <room>Track 2</room>
                <title>Nested APP Authentication - Undocumented Risk and Conditional Access Bypass</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T14:15:00+02:00</date>
                <start>14:15</start>
                <duration>01:00</duration>
                <abstract>In the past, several studies on Entra ID token exchange abuse mainly focused on FOCI (Family of Client IDs) feature abuse and scope-based Conditional Access bypass cases.
Although prior work explored these areas in depth, we noticed that the NAA (Nested APP Authentication) token exchange attack surface has not been widely discussed.

In this talk, we will discuss the undocumented risks of NAA token exchange and how NAA can lead to Conditional Access bypass.

From our findings, we identified the following:

- NAA Undocumented Risk
When an attacker compromises a Broker Client, such as Teams or Outlook, the attacker can use NAA to obtain the Azure Resource Manager user_impersonation scope.
This means that even if only a Broker Client exists on the device, the attacker may still be able to use NAA to compromise cloud resources.
- Conditional Access Bypass
During our exploration, we found that NAA can lead to Conditional Access bypass, including MFA bypass, Require Compliant Device bypass, and Token Protection bypass, and we also identified two new bypass series: Broker Client&#8211;based bypass and Nested Client&#8211;based bypass.</abstract>
                <slug>tr26-cfp-400-nested-app-authentication-undocumented-risk-and-conditional-access-bypass</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='348'>Jun Sheng Shi</person><person id='200'>Shang-De Jiang</person>
                </persons>
                <language>en</language>
                <description>This talk presents a new security vector in Nested App Authentication (NAA) and shows how this design can lead to unexpected access expansion and Conditional Access bypass.

Nested App Authentication is designed to improve user experience by allowing broker applications, such as Microsoft Teams, to request access tokens on behalf of nested applications. However, this design also creates a new attack surface. If an attacker obtains a broker refresh token, they may be able to exchange it for access tokens without requiring additional user interaction.

In our research, we discovered that several nested applications have pre-authorized access to sensitive cloud resources, including Azure Resource Manager (ARM). This creates a risky situation in which compromising a device that only uses a broker application, such as Teams, may still allow attackers to gain access to critical Azure resources.

We also identified multiple Conditional Access bypass scenarios related to NAA token exchange. These bypasses affect common security controls such as MFA enforcement, device compliance requirements, and token protection policies.

In this talk, we will explain:

- How Nested App Authentication works
- How attackers can abuse broker refresh tokens
- The undocumented risks in nested app pre-authorization
- Multiple Conditional Access bypass techniques
- The security impact on cloud environments</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/EZCTEQ/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/EZCTEQ/feedback/</feedback_url>
            </event>
            <event guid='6aee61a5-cdd2-5987-8646-850f9b836c38' id='371'>
                <room>Track 2</room>
                <title>Trusted by Design: How Windows Uses TPM to Secure PRTs</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T15:15:00+02:00</date>
                <start>15:15</start>
                <duration>01:00</duration>
                <abstract>Identity-related attacks remain a critical threat, with over 97% involving password spraying or brute force attempts. While multi-factor authentication (MFA) mitigates most of these, the remaining incidents&#8212;predominantly token theft via malware&#8212;account for more than 2.4% and are on the rise. Stolen tokens enable immediate, potentially persistent access to organisational resources. The Primary Refresh Token (PRT) combined with the Session Key (SK) allows impersonation of both users and endpoints.

Endpoints lacking a Trusted Platform Module (TPM) are particularly vulnerable, as administrator privileges can facilitate trivial PRT and SK theft. Although TPM is required for Windows 11, many Windows 10 devices and servers remain unprotected.

This session explores the mechanics of TPM in safeguarding device identity and SK. Red Teamers will gain insights into dissecting TPM and PRT implementations for offensive strategies, while Blue Teamers will learn techniques to detect both successful and attempted PRT thefts.</abstract>
                <slug>tr26-cfp-371-trusted-by-design-how-windows-uses-tpm-to-secure-prts</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='250'>Dr Nestori Syynimaa</person>
                </persons>
                <language>en</language>
                <description>According to the Microsoft Digital Defence Report 2025, more than 97% of identity-related attacks are password spray or brute force attacks. The majority of these attacks are not successful, as many organisations are enforcing multi-factor authentication (MFA). Of the remaining three per cent, over 2.4% are token theft attacks by malware.

The number of token theft attacks has risen over the past few years, as stolen tokens give instant access to organisational resources. Depending on the stolen token, the access can be temporary or persistent. The most powerful token to steal is the Primary Refresh Token (PRT), which, along with the session key (SK), allows a threat actor to impersonate both the user and the endpoint from which the PRT was stolen.

On endpoints that are not using a Trusted Platform Module (TPM), stealing the PRT and SK is trivial if the threat actor can obtain administrator permissions. TPM is mandatory for Windows 11 devices, but many Windows 10 devices and Windows servers still don&#8217;t use TPM.

But how does TPM really work? During this session, you will learn how TPM protects device identity and SK to prevent PRT theft. For Red Teamers, you&#8217;ll learn how to study the details of TPM and PRT implementation. For Blue Teamers, you&#8217;ll learn how to detect PRT theft &#8211; both successes and failures.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/QSHKUT/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/QSHKUT/feedback/</feedback_url>
            </event>
            <event guid='d27d6f00-71dc-580c-922e-8fc2764d4ace' id='499'>
                <room>Track 2</room>
                <title>Coffee Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T16:15:00+02:00</date>
                <start>16:15</start>
                <duration>00:30</duration>
                <abstract>Coffee Break</abstract>
                <slug>tr26-cfp-499-coffee-break</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Coffee Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/QPGNZW/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/QPGNZW/feedback/</feedback_url>
            </event>
            <event guid='db690300-6e7e-54b6-91c8-13d7f319e296' id='289'>
                <room>Track 2</room>
                <title>Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T16:45:00+02:00</date>
                <start>16:45</start>
                <duration>01:00</duration>
                <abstract>What began as a simple search for an OAuth application named &#8220;0365&#8221; quickly uncovered a broader threat: three distinct malicious OAuth application campaigns abusing the relationship between Azure applications and service principals. Using a pivoting methodology and detection model, we expanded beyond known indicators to map the full scope of these campaigns, identifying activity across more than 20 organizations.
The talk opens by outlining the OAuth application attack surface in Azure AD (Entra ID), explaining how attackers abuse consent flows, permissions, and application registrations, and why traditional security controls often fail to detect this activity. We then introduce our &#8220;Next Campaign Finder,&#8221; a structured detection approach built on four components: establishing baselines of legitimate OAuth applications, identifying recurring malicious traits, correlating metadata such as ownership, naming conventions, and reply URLs across tenants, and applying a weighted scoring model to prioritize high-risk applications.
Using this model, we reveal a malicious OAuth campaign impersonating trusted services such as Adobe and DocuSign, highlighting its defining characteristics. We then compare this activity with an earlier OAuth campaign discovered by the model dating back to 2019 and examine how attackers&apos; tradecraft has evolved over time.
A key focus of the talk is practical pivoting. We demonstrate how defenders can expand from a single known malicious app to a broader set of indicators. All techniques are presented in a way that allows any attendee to implement them directly in their own environment using standard identity and audit logs, without relying on vendor-exclusive telemetry.
We conclude with actionable defensive guidance, including detection strategies and mitigations enterprise defenders can apply today, lessons learned from the research process, and our perspective on how OAuth-based attacks are likely to evolve.</abstract>
                <slug>tr26-cfp-289-do-apps-have-imposter-syndrome-unmasking-token-theft-campaigns</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='96'>Sapir Federovsky</person><person id='293'>Shahar Dorfman</person>
                </persons>
                <language>en</language>
                <description>OAuth-based attacks have become a primary vector for adversaries to bypass MFA and gain persistent access to cloud environments. While many organizations treat suspicious applications as isolated incidents, these threats are often part of large-scale campaigns spanning dozens of tenants.

This session introduces the Next Campaign Finder, a structured methodology for identifying malicious OAuth clusters by correlating app metadata, ownership, and naming conventions. We will demonstrate how we used this model to uncover activity across 20+ organizations, identifying evolving tradecraft that impersonates trusted services like Adobe and DocuSign.

Attendees will learn how to pivot from a single suspicious indicator to a comprehensive campaign map using standard identity and audit logs. We conclude with actionable detection strategies and mitigations that defenders can implement immediately to secure their Entra ID environments against sophisticated application-layer threats.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/XAZWFC/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/XAZWFC/feedback/</feedback_url>
            </event>
            <event guid='b73a1bd5-a70d-5124-aded-c551f4073798' id='401'>
                <room>Track 2</room>
                <title>Windows Deployment Service: An AD Blind Spot?</title>
                <subtitle></subtitle>
                <type>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T17:45:00+02:00</date>
                <start>17:45</start>
                <duration>00:30</duration>
                <abstract>Windows Deployment Services (WDS) is a partially deprecated Windows role providing PXE boot services for deploying machines over a LAN. Although its usage has declined since the release of Windows 11, it often remains in Active Directory environments because it has been overlooked, leaving even up-to-date networks potentially exposed. Default administrative practices, sometimes masked by Windows behaviors, further increase the attack surface. The recent deprecation of Microsoft Deployment Toolkit (MDT), widely used for image orchestration and customization alongside WDS, accelerates the ecosystem&#8217;s retirement while leaving existing deployments exposed and security issues unresolved. This presentation examines the attack vectors that can be exploited against WDS servers in Active Directory environments. Scenarios will include credential leakage, WinPE image extraction, and a supply chain attack, demonstrated through examples from real-world penetration tests on information systems. Practical exploitation paths, common misconfigurations, and residual artifacts left after removal of PXE components will be highlighted. Possible ways to address these risks in enterprise environments will also be discussed.</abstract>
                <slug>tr26-cfp-401-windows-deployment-service-an-ad-blind-spot</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='370'>Geoffrey Sauvageot-Berland</person>
                </persons>
                <language>en</language>
                <description># Outline

## I. Introduction and Reminders

### A. Main technical terms demystified

- What exactly is PXE? Spoiler: it&apos;s not a protocol, but a boot mechanism built on top of DHCP and TFTP
- Role of WDS in an Active Directory environment
- Interaction with MDT (Microsoft Deployment Toolkit) for automated deployment workflows

### B. Origin of My Research and Where WDS Still Exists

- Initially identified during real-world penetration tests, this exposure repeatedly appeared across multiple clients (including environments considered up to date).
- In most cases, it was found in typical enterprise infrastructures where WDS had survived several Windows migrations, often within flat or poorly segmented networks, alongside abandoned yet still reachable servers.

### C. Why It Becomes a Problem and Why It Is Still Here in 2026

- Common misconfigurations that increase exposure across information systems
- Online tutorials that explain how to use WDS and MDT, but rarely address security implications
- Credentials often stored in deployment workflows to simplify administrative tasks
- Implicit trust placed in the deployment infrastructure for years by sysadmins
- Residual artifacts left behind after partial decommissioning of the WDS role
- Migration complexity and low perceived risk among administrators: managing network-based deployments is operationally complex, and changing solutions requires extensive testing and training
- Reluctance to pay for SCCM or migrate to Intune, a cloud-oriented solution

## II. Demos

### A. Reconnaissance Phase

#### 1. Without Credentials - DHCP &amp; TFTP

- Simulate a PXE client using a VM or a physical machine, attempt to boot via PXE, and investigate sensitive files (credentials, etc.) exposed over the TFTP protocol (only possible if network segmentation is weak)
- Obtain the PXE server address by requesting it from the DHCP server

#### 2. With Active Directory Credentials - LDAP or SMB

##### LDAP Object Enumeration to Retrieve the PXE Server

- Practical techniques for enumerating WDS-related objects in Active Directory (when domain-integrated)

##### SMB Enumeration

- Discovery of SMB shares whose names almost never change: `REMINST\` (readable by any authenticated domain user by default, and considered normal behavior) or `DeploymentShare$\` (usually restricted to the local admin and, in practice, to domain administrators as well)
- Why SMB is often more practical than TFTP from an attacker&#8217;s perspective when targeting a WDS server

### B. Exploitation - Manual

#### 1. Direct Credential Extraction

- Direct access to deployment configuration and automation files that may contain credentials

#### 2. Offline Image Abuse

- Inspection of `.wim` images when no credentials are exposed in accessible shares (focus on the WinPE image) 
- Local extraction and file system reconstruction for credential hunting

#### 3. Supply Chain Attack - Misconfigured deployment server in production you said?

Attack surface:

- Misconfigured `DeploymentShare$\` with read and write access for all domain users
- Ability to modify existing deployment scripts (Malicious code execution during the next deployment cycle without creating a new task sequence)

### C. Exploitation &#8211; Partially Automated

- Introducing the module wds_mdt from nxc (NetExec) 
- Brief overview of other existing tools
- Step-by-step demonstration with sequential screenshots of the attack workflow

## III. What About Detection?

- Why standard EDR/XDR solutions usually do not generate alerts
- Operations resemble legitimate administrative activity
- Only noisy behavior, such as large SMB scans to locate the `REMINST\` share, tends to trigger detection
- Logging blind spots in both Windows and network monitoring
- How detection and logging can be improved, and what preventive measures can be implemented

## IV. Remediation and Defensive Guidance

- Fully decommission or isolate the WDS server (if WDS is no longer used)
- Clean up deployment share files, including `REMINST\` and `DeploymentShare$\`
- Use a dedicated network segment for PXE traffic in any case
- Deploy a dedicated DHCP server isolated from the main DHCP infrastructure
- Consider migrating to MECM or third-party solutions such as Ivanti or FOG Project

## V. Takeaways

- WDS remains widely overlooked in many enterprise environments, which makes it a particularly valuable Active Directory pivot point from an attacker&#8217;s perspective.
- Deployment SMB shares and associated WinPE images frequently expose credentials or sensitive configuration data, even in infrastructures considered mature or up to date.
- Removing the WDS role alone does not eliminate the risk. Residual deployment shares and legacy configuration artifacts must also be audited and cleaned.
- Most abuse scenarios rely on legitimate protocols and expected administrative behavior. In practice, this type of activity has never triggered an EDR or XDR alert during real-world engagements.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/TVDCFG/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/TVDCFG/feedback/</feedback_url>
            </event>
            <event guid='1d8b0990-9d87-5eac-a6f7-b70fa11e17ed' id='386'>
                <room>Track 2</room>
                <title>From Packets to Intent: Hunting Adversaries in AI Telemetry</title>
                <subtitle></subtitle>
                <type>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T18:15:00+02:00</date>
                <start>18:15</start>
                <duration>00:30</duration>
                <abstract>As AI systems become part of critical products and workflows, they introduce a new security surface where attacks happen through language. In traditional security domains, threat hunting focuses on signals such as network ports, traffic patterns, or system activity. In AI security, the signals are different. Instead of packets and processes, defenders analyze text interactions with models to identify malicious intent.

Effective threat hunting in AI systems requires more advanced tools. Signals hidden within natural language often require analyzing text using tools such as embedding models and perplexity to surface suspicious intent and anomalous behavior. In this talk we demonstrate a novel approach for conducting effective threat hunting in AI-driven applications.</abstract>
                <slug>tr26-cfp-386-from-packets-to-intent-hunting-adversaries-in-ai-telemetry</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    <person id='362'>Raz Tel-Vered</person>
                </persons>
                <language>en</language>
                <description>AI security changes the defender&#8217;s job: the attack surface is no longer limited to hosts, identities, and network traffic. When language becomes the interface to business logic, data access, and automated actions, malicious behavior can look like normal user interaction unless you know what to look for.

This talk focuses on threat hunting in AI systems from a practical security perspective. It examines the signals defenders can use when investigating text-driven attacks, including prompt structure, semantic similarity, anomalous intent, embeddings, perplexity, and suspicious workflow patterns across models, tools, and retrieval layers.

The talk will also cover concrete attack scenarios such as prompt injection, abuse of agent capabilities, and attempts to extract sensitive information through model interaction. The goal is to show how defenders can move from generic AI security concerns to usable hunting methods and detection strategies that work in production environments.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/G8FH3R/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/G8FH3R/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Track 3' guid='a46c830a-6d97-5944-a39a-6d0db19d9fe2'>
            <event guid='4b6127c7-4049-572f-9d98-da871a9b03b5' id='496'>
                <room>Track 3</room>
                <title>Coffee Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T10:30:00+02:00</date>
                <start>10:30</start>
                <duration>00:30</duration>
                <abstract>Coffee Break</abstract>
                <slug>tr26-cfp-496-coffee-break</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Coffee Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/Q8YBDC/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/Q8YBDC/feedback/</feedback_url>
            </event>
            <event guid='3ed8be56-892d-5e53-bdfe-f5669ee3abf4' id='341'>
                <room>Track 3</room>
                <title>Get in Loser, We&apos;re Upgrading the Internet -- Lessons from Deploying Post-Quantum Cryptography across Akamai&apos;s global Content Delivery Network</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>01:00</duration>
                <abstract>The adoption of Post-Quantum Cryptography (PQC) is in full swing, and many cryptographic toolkits and libraries now support both pure and hybrid PQC algorithms like X25519MLKEM768.  But what does it look like to integrate PQC into a global CDN infrastructure to protect a significant chunk of all internet traffic?  In this talk, I will discuss the lessons from leading the PQC adoption program at Akamai and deploying quantum security at internet scale, including key exchange algorithm selection, the impact of the increased key sizes on performance and time-to-first-byte, as well as what lies beyond just the TLS key exchange bits most of us are currently focused on.</abstract>
                <slug>tr26-cfp-341-get-in-loser-we-re-upgrading-the-internet-lessons-from-deploying-post-quantum-cryptography-across-akamai-s-global-content-delivery-network</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    <person id='330'>Jan Schaumann</person>
                </persons>
                <language>en</language>
                <description>NIST standardized the first post-quantum cryptography algorithms in 2024, and browsers quickly followed with the adoption of the hybrid X25519MLKEM768 TLS 1.3 key exchange.  Governments around the world have since laid out timelines for the adoption of quantum-safe technologies with a time horizon of 2030-2035, meaning at this point it is almost irrelevant whether or not an actual Cryptographically Relevant Quantum Computer (CRQC) will manifest before then: huge industry sectors subject to compliance requirements will need to overhaul their entire crypto stack in the next 10 years.  If you have any experience working in these industries, that is not a very long time.

Across the industry, several large infrastructure service providers have already moved to X25519MLKEM768.  One of them is Akamai, who provide one of the world&apos;s largest content delivery networks serving a significant portion of all internet traffic for thousands of customers across all verticals.

Rolling out post-quantum cryptography across Akamai&apos;s CDN was a multi-year effort that required careful balancing of customer requirements, client capabilities, collaboration within the IETF and our industry peers, and consideration of performance impact and standards compliance across multiple legs of the common TLS connections involved in a CDN.

In this talk, I will discuss the lessons learned, including key exchange algorithm selection, the impact of the increased key sizes on performance and time-to-first-byte, how to get the buy-in from your executives to fund such a large program as well as how to nudge your more conservative customers and help them in the adoption.

In addition, I&apos;ll give a look ahead at what&apos;s next within the industry with respect to PQC, including the many places where TLS is used outside of an HTTPS context, what the deployment of post-quantum certificates will look like, and where else in your infrastructure you need to pay attention.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/JZ8Z3D/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/JZ8Z3D/feedback/</feedback_url>
            </event>
            <event guid='71b7f24d-dc80-520a-a541-7c88bbe9f619' id='467'>
                <room>Track 3</room>
                <title>Our Journey, from SBOM to ASSBOMB</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T12:00:00+02:00</date>
                <start>12:00</start>
                <duration>01:00</duration>
                <abstract>This talk is about the nasty corner cases in generating an SBOM. A noble and justified demand, by both customers as well as regulators alike, but with so many more obstacles than initially expected. We were naive. We thought &quot;how hard can it be to list all software components in a product?&quot;.

With increasing regulatory demand, i.e., the Cyber Resilience Act, we would like to share some of the observations we made. Some of the challenges we encountered will seem familiar to people working on the subject, some may be completely new for you. They will cover legacy software, how naming things can be hard, technical debt, issues with the NIST CVE data enrichment (or lack thereof), and more.

Spoiler: AI won&apos;t help you here.</abstract>
                <slug>tr26-cfp-467-our-journey-from-sbom-to-assbomb</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    <person id='423'>Martin Schmiedecker</person>
                </persons>
                <language>en</language>
                <description>ASSBOMB is the *automotive security &amp; software bill of material*.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/WZ9YRV/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/WZ9YRV/feedback/</feedback_url>
            </event>
            <event guid='c672cca0-f1c1-58df-9021-0e685ec538d5' id='502'>
                <room>Track 3</room>
                <title>Lunch Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T13:00:00+02:00</date>
                <start>13:00</start>
                <duration>01:15</duration>
                <abstract>Lunch Break</abstract>
                <slug>tr26-cfp-502-lunch-break</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Lunch Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/REMT7R/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/REMT7R/feedback/</feedback_url>
            </event>
            <event guid='6ced0e2e-7fa0-5924-9530-62bb7259edaa' id='517'>
                <room>Track 3</room>
                <title>Coming soon :)</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T14:15:00+02:00</date>
                <start>14:15</start>
                <duration>01:00</duration>
                <abstract>&lt;!-- --&gt;</abstract>
                <slug>tr26-cfp-517-coming-soon</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>&lt;!-- --&gt;</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/FNNPCB/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/FNNPCB/feedback/</feedback_url>
            </event>
            <event guid='188990d8-ffdc-536c-82b1-8ebcdf3a4553' id='373'>
                <room>Track 3</room>
                <title>Breaking the Control Plane: Exploiting MCP Servers in AI Workflows</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T15:15:00+02:00</date>
                <start>15:15</start>
                <duration>01:00</duration>
                <abstract>Model Context Protocol (MCP) servers are rapidly becoming the integration layer between AI agents and real-world systems. They connect models to ticketing platforms, source control, CI/CD pipelines, internal APIs, and local files, often running with production credentials and network reach.

Despite this, MCP servers are frequently deployed as &#8220;developer tooling,&#8221; bound to 0.0.0.0, and rarely threat-modeled as infrastructure.

In this talk, we present offensive research into the MCP ecosystem and demonstrate how classic vulnerability classes become significantly more impactful when placed inside agent-driven automation layers.

Through real-world case studies, including critical vulnerabilities affecting a widely deployed Atlassian MCP server (4M+ downloads), we show how network-reachable services can be coerced into outbound pivoting, filesystem control, and full remote code execution.</abstract>
                <slug>tr26-cfp-373-breaking-the-control-plane-exploiting-mcp-servers-in-ai-workflows</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='352'>Yotam</person>
                </persons>
                <language>en</language>
                <description>This talk presents a systematic offensive analysis of open-source MCP servers and their deployment patterns.

MCP servers are increasingly embedded in AI workflows to bridge agents with external systems. In practice, they:

- Hold API tokens and personal access tokens
- Perform outbound HTTP requests
- Read and write to local filesystems
- Execute privileged automation steps
- Are often bound to 0.0.0.0 by default

The research focuses on:
- Control-plane override via header injection: Demonstrating how unvalidated service URL headers allow attackers to redirect outbound requests, bypassing intended configuration boundaries.

- Chaining SSRF into filesystem primitives: Turning outbound request control into arbitrary file write capabilities under realistic deployment conditions.

- Privilege amplification in agent-driven systems: How automation workflows amplify classical primitives into infrastructure-level compromise.

- Middleware and dependency-layer attack surfaces: Why reviewing tool handlers is insufficient when trust boundaries are broken earlier in the request lifecycle.

As a concrete example, we will present two critical CVEs we disclosed in a widely used Atlassian MCP server that enable an unauthenticated SSRF -&gt; arbitrary file write -&gt; RCE chain (CVE-2026-27825, CVE-2026-27826).

Beyond individual bugs, we show recurring structural weaknesses across MCP servers and explain why they are likely to become attractive lateral movement and pivot targets in enterprise AI environments.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/F3XCER/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/F3XCER/feedback/</feedback_url>
            </event>
            <event guid='29f36b8c-01ba-508f-bed6-875f4fb64c99' id='495'>
                <room>Track 3</room>
                <title>Coffee Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T16:15:00+02:00</date>
                <start>16:15</start>
                <duration>00:30</duration>
                <abstract>Coffee Break</abstract>
                <slug>tr26-cfp-495-coffee-break</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Coffee Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/F9ANPZ/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/F9ANPZ/feedback/</feedback_url>
            </event>
            <event guid='dc67b273-42ad-55a5-973f-236c8cec3778' id='451'>
                <room>Track 3</room>
                <title>Every Component Passed Review &#8212; So How Did the Agent Exfiltrate Everything?</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T16:45:00+02:00</date>
                <start>16:45</start>
                <duration>01:00</duration>
                <abstract>Organizations are rolling out Copilot, custom agents, and MCP-based tool integrations. Their security teams keep doing what they&apos;ve always done: decompose the system into components, assess each one, check the boxes. The problem is that agentic AI attacks don&apos;t stay inside those boxes. A retrieved document biases the planner, the planner picks the wrong tool, the tool acts on stale permissions, a second agent trusts the output without verification. We&apos;ve seen this play out in real incidents: zero-click prompt injection in enterprise copilots, indirect data exfiltration through tool chains. Every component passes its security review. The attack path between them does not.

This talk introduces a five-zone decomposition for agentic AI architectures: input surfaces, planning and reasoning, tool execution, memory and state, and inter-agent communication. These five zones describe where attacks enter the agent loop and how they cross trust boundaries that traditional threat models treat as separate concerns.

I walk through three scenarios: RAG pipeline poisoning, tool-integration supply-chain attacks via MCP (Model Context Protocol), and multi-agent goal cascades. For each one, I show how to trace cross-zone attack paths and build attack trees that capture the propagation your current reviews miss. Each scenario maps to OWASP Top 10 for LLM and Agentic AI Applications controls with concrete mitigations.

You leave with a seven-step methodology, a threat-zone mapping template, a cross-zone attack-path checklist, and worked attack trees. Artifacts your team can apply to your own agentic AI deployments the following week.</abstract>
                <slug>tr26-cfp-451-every-component-passed-review-so-how-did-the-agent-exfiltrate-everything</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    <person id='406'>Christian Schneider</person>
                </persons>
                <language>en</language>
                <description>Standard security reviews look at agentic AI components one at a time. Real attacks chain across trust boundaries between retrieval, planning, tool execution, memory, and inter-agent communication. This talk presents a five-zone decomposition and a seven-step methodology for tracing cross-boundary attack chains in agentic AI systems. Three worked scenarios (RAG poisoning, MCP tool-integration supply-chain attacks, multi-agent cascades) with attack trees, mapping templates, and OWASP-aligned mitigations you can apply to your own deployments.

**Key takeaways:**

- A five-zone decomposition that extends existing threat modeling practice to agentic AI architectures
- Worked cross-zone attack paths grounded in real-world attack patterns
- A seven-step methodology and ready-to-use templates to find attack chains your current reviews miss
- Agentic AI attack patterns mapped to OWASP controls with concrete mitigations

**Target audience:** Security architects, blue team leads, and security managers evaluating or deploying agentic AI systems

**Level:** Intermediate&#8211;Advanced</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/CSA7WS/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/CSA7WS/feedback/</feedback_url>
            </event>
            <event guid='b71da09a-fb26-5d32-af77-a315f1a89009' id='518'>
                <room>Track 3</room>
                <title>Coming soon :)</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-24T17:45:00+02:00</date>
                <start>17:45</start>
                <duration>00:30</duration>
                <abstract>&lt;!-- --&gt;</abstract>
                <slug>tr26-cfp-518-coming-soon</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>&lt;!-- --&gt;</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/BFGHNM/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/BFGHNM/feedback/</feedback_url>
            </event>
            <event guid='b7ab758b-c459-5be0-84c1-cc7beb4e1ce2' id='430'>
                <room>Track 3</room>
                <title>Novel attack techniques targeting the underlying infrastructure of Bedrock applications</title>
                <subtitle></subtitle>
                <type>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-24T18:15:00+02:00</date>
                <start>18:15</start>
                <duration>00:30</duration>
                <abstract>There are many attacks, new and old, arising from the push to GenAI. In a world that encourages developers to adopt coding agents, and is shifting to AI-enabled workflows, we must ask ourselves &#8211; are we handling the new security risks this introduces?

Amazon Bedrock is already being utilized across the board in all stages, from the development lifecycle up to production applications, with broad permissions over AWS resources. The rapid growth of Bedrock usage reproduces common configuration patterns that lead to data leaks, destruction, and tampering.  

If you are interested in learning about novel attack methods against Bedrock applications across your AWS organization, this talk is for you. You will learn how common misconfigurations in Bedrock can lead to data exfiltration, lateral movement, and security control weakening in your AWS organization. Join us to hear more.</abstract>
                <slug>tr26-cfp-430-novel-attack-techniques-targeting-the-underlying-infrastructure-of-bedrock-applications</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='393'>Maya Parizer</person>
                </persons>
                <language>en</language>
                <description>1. Introduction - 4 minutes 

    In this introduction, we will give a quick overview of Bedrock applications and how they integrate with the AWS ecosystem. In the following sections we will demonstrate novel attack techniques against Bedrock applications and describe possible mitigations. 

    AWS Bedrock has become the go-to managed AI service for enterprises who want to use GenAI in their workflow.  

    Bedrock&apos;s native integration with compute resources, application logic, serverless functions, and cloud storage makes it a capable platform for deploying foundation models at scale. Security research is focused almost exclusively on LLM-layer concerns like prompt injection and jailbreaks, leaving the infrastructure layer largely unexamined.  

    We will take the audience through practical attack techniques targeting Bedrock-specific configurations and show how attackers are already exploiting the gap between &quot;we deployed AI&quot; and &quot;we secured it&quot;.

2. How companies misuse Bedrock due to misconceptions in security implementations &#8211; 1 minute 

    Many companies use Bedrock with direct data access. Issues begin when they `carelessly` assign permissions, as permissions in Bedrock do not always act as one may think in an AWS multi-tenant environment. 

3. Novel attack methods against Bedrock &#8211; 15 minutes 

    a. Accessing production data from development accounts by abusing guardrails &#8211; Everyone uses guardrails in critical Bedrock applications. Guardrail permission policies may lead to data exfiltration and model abuse in unexpected ways when using common configurations.

    b. Bedrock agents can be abused as a privilege escalation method, exposing their inner workings, and silently `granting` privileges by exposing access keys and other credentials or secrets that they can access.

4. Conclusions &amp; Takeaways &#8211; 5 minutes 

    a. Recap of the attack techniques and mitigation methods. 

    b. Takeaways for architects and security teams.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/RRYVJ3/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/RRYVJ3/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='2' date='2026-06-25' start='2026-06-25T04:00:00+02:00' end='2026-06-26T03:59:00+02:00'>
        <room name='Track 1' guid='f621960c-3688-5e5c-91e6-399bd502d79b'>
            <event guid='fe30ec04-697e-5109-9dc9-c908d54f362e' id='360'>
                <room>Track 1</room>
                <title>Watch Your Kids: Hacking Children&apos;s Smartwatches</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T10:00:00+02:00</date>
                <start>10:00</start>
                <duration>01:00</duration>
                <abstract>Do you know where your children are? Are you sure? Join us as we take apart the smartwatches worn by millions of kids around the world. We&apos;ll cover everything including initial access, firmware and protocol reversing, remote child teleportation, and how to get vendors to listen to you.</abstract>
                <slug>tr26-cfp-360-watch-your-kids-hacking-children-s-smartwatches</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='344'>Nils Rollshausen</person>
                </persons>
                <language>en</language>
                <description>If you&apos;re paying attention, you&apos;ll notice that more and more young children are running around with smartwatches on their wrists (perhaps yours, too?). Sold by major mobile network operators and advertised on the subway, these watches promise a safe introduction into the digital world, a step before the first smartphone with its dangerous algorithms and the wide open Internet.

For kids, these watches boast fun games and colorful designs, while parents get a way to call, text, and locate their child at any time.

With nothing less than their children at stake, parents rightfully worry about safety and security. The website of leading Norwegian children&apos;s watch developer Xplora is full of promises offering just that: Total safety and peace of mind, European privacy, GDPR compliance, and German datacenters far away from Big Tech.

But how much are these claims really worth?

We take you along the process of hacking one of the most popular children&apos;s watches out there, from gaining initial access to running our own code on the watch. Along the way, we find critical security issues at every turn. Our PoC attacks allow us to read and write messages, virtually abduct arbitrary children, and take control over any given watch.

We also give you a detailed look into the vulnerability disclosure process, with many false starts, curious fixes, and tips for how to get vendors to listen. Finally, we&apos;ll look at what changed in the aftermath of our disclosure and if parents can really sleep soundly now.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/8MDPWZ/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/8MDPWZ/feedback/</feedback_url>
            </event>
            <event guid='d5a58354-c28b-58f5-8fdd-07c74eea16a3' id='474'>
                <room>Track 1</room>
                <title>WhatsApp View Once: Four Exploits and a Funeral</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>01:00</duration>
                <abstract>With 3 billion active users spanning every geography, age group, and technical sophistication level, WhatsApp carries more private human communication than any platform in history. View Once is its promise to journalists, activists, abuse survivors, and ordinary users that sensitive media will be seen once and disappear forever.
We broke that promise. Four times.
Over two years of research and responsible disclosure, we dismantled View Once through four successive exploits, each one forcing a deeper dive into WhatsApp&apos;s internal architecture: E2EE encryption with the Signal Protocol&apos;s Double Ratchet algorithm, multi-device support with the Sesame Algorithm, and WhatsApp&apos;s inter-device Sync protocol. We detail these exploits technically and walk through the disclosure process and its outcomes. The first three were properly fixed. WhatsApp surprisingly gave up on fixing the fourth.
The talk is deeply technical, but the deepest finding is not. This inconsistency stems from a single methodological flaw: no defined security model for View Once. Without a target, every failure becomes a &quot;best effort&quot; shrug. We call this Cheshire Cat Security. When you don&apos;t know where you&apos;re going, any road gets you there.
We close by proposing a relevant security model for View Once, articulating what we believe it should defend against, what should be explicitly scoped out, and how existing DRM technology already provides the foundation to build it right.</abstract>
                <slug>tr26-cfp-474-whatsapp-view-once-four-exploits-and-a-funeral</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='426'>Tal Be&apos;ery</person>
                </persons>
                <language>en</language>
                <description></description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/UZR8NA/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/UZR8NA/feedback/</feedback_url>
            </event>
            <event guid='64b25b56-2860-5076-855e-a9174510c89e' id='505'>
                <room>Track 1</room>
                <title>Lunch Break + Charity Auction</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-25T12:00:00+02:00</date>
                <start>12:00</start>
                <duration>01:15</duration>
                <abstract>Lunch Break</abstract>
                <slug>tr26-cfp-505-lunch-break-charity-auction</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Lunch Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/SBQMZU/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/SBQMZU/feedback/</feedback_url>
            </event>
            <event guid='a88b98d3-5507-5d34-8246-6901e9735e5e' id='469'>
                <room>Track 1</room>
                <title>A SIM Hacking Odyssey: Can a SIM hack YOU?</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T13:15:00+02:00</date>
                <start>13:15</start>
                <duration>01:00</duration>
                <abstract>This talk shows our 4-year-long journey of investigating SIM-originating attacks. We discovered multiple vulnerabilities across a myriad of devices ranging from phones to car chargers. The highlighted attacks include privacy leaks, corrupted memories in basebands, lockscreen bypasses and other logic bugs allowing us to control modems in unexpected ways.

Beyond these attacks, we discuss the tooling we built along the way and provide an outlook into the future research of this attack surface.</abstract>
                <slug>tr26-cfp-469-a-sim-hacking-odyssey-can-a-sim-hack-you</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='410'>Tomasz Lisowski</person><person id='413'>Marius Muench</person>
                </persons>
                <language>en</language>
                <description>All mobile devices connected to contemporary cellular networks must contain a SIM card, be it a removable plastic card, or an embedded SIM (eSIM). Mobile device vendors, and users of these devices, seldom question the trust put into the SIM card and the physical interface they plug into. The result is an interface with an ever-growing complexity, and an assortment of unsafe-by-design, legacy features that remained from the early days when they may have been useful for delivering certain carrier services to under-powered &#8220;dumb&#8221; devices.

In this presentation, we describe our chronological exploration of various aspects of the SIM-ME (mobile equipment) interface. While earlier work already demonstrated the potential dangers of this attack surface, we found tooling and public information on the topic to be sparse, motivating us to dive deep into the topic.

To reduce the barrier of entry, we developed open-source research tooling, beginning with SIMurai. The framework combines a smart card emulation framework with a SIM emulator built on top of it, and allows us to explore the attack surface without the need of physical (research) SIMs. We integrated SIMurai with baseband firmware emulation to enable fuzz testing, which led us to the discovery of three vulnerabilities. We were also able to reimplement existing attacks such as SIMJacker-style location stealing. Extending the insights gained from emulation, we also explored the facilities available to hostile SIM applets and malicious SIM interposers. 

Most recently, we developed CATana to explore the RUN AT proactive command, i.e., a specification-defined feature to allow SIM cards to issue AT commands directly to the ME. An exploration of phones and IoT modems revealed that despite few legitimate use cases, running AT commands provided by the SIM is supported on various devices. To highlight the threats posed by this interface, we developed a range of attacks. To gauge how these attacks would look in production, when victim devices are connected to real cellular networks, we extend our existing frameworks with interposing capabilities.

Lastly, we look into the future of SIM-originating attacks with our SIMcurity project. We actively develop new tooling, such as SIMuscope, and provide an outlook on the new research directions we want to enable. Overall, we hope to encourage members of the community to take part in exploring and securing this ubiquitous technology.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/QADSVY/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/QADSVY/feedback/</feedback_url>
            </event>
            <event guid='a614b939-5757-5c5f-b39e-847007698bb2' id='459'>
                <room>Track 1</room>
                <title>V2X Wardriving - They Drive, We Listen</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T14:15:00+02:00</date>
                <start>14:15</start>
                <duration>01:00</duration>
                <abstract>In this talk we explore the prevalence of Vehicle-to-Everything (V2X) capabilities in modern cars, the deployment of active infrastructure components, the types of exchanged messages, and associated privacy and security concerns. We explain C-ITS standards in Europe, how to use off-the-shelf components to research protocols, present the tooling we developed and share discoveries and areas for further exploration.</abstract>
                <slug>tr26-cfp-459-v2x-wardriving-they-drive-we-listen</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='414'>Dieter Schuster</person><person id='415'>Nikolai Puch</person>
                </persons>
                <language>en</language>
                <description>The concept of Vehicle-to-Everything (V2X) has been circulating for years. It envisioned vehicles coordinating traffic among each other, traffic lights signalling green light phases and road signs warning drivers of road works even before the driver could see them. It turns out this vision quietly turned into reality in recent years: Many newer cars now feature Cooperative Intelligent Transport Systems and Services (C-ITS), meaning they have some ability to communicate with each other (Vehicle-to-Vehicle/V2V) or with the infrastructure around them (Vehicle-to-Infrastructure).
But, how many cars are actually driving (on German roads) with such features enabled? Are there already any infrastructure components deployed which communicate actively? What kind of messages are exchanged if any? Are there privacy issues? What is the potential for attacks?
To answer those questions, we dived into C-ITS standards implemented in Europe and how to use off-the-shelf components to research the protocols. In this talk, we will share our learnings about the protocols, explain how to build a setup for researching V2X for Europe, present the tooling we developed, and discuss what we discovered and what remains to be explored.

## Agenda
1. Motivation - Goals of V2X and History
2. Introduction into C-ITS 
	1. Competing Standards
	2. C-ITS Architecture
		1. Roles
		2. Packet Structure 
		3. Types of Messages
	3. C-ITS Security &amp; Privacy Considerations
3. V2X Wardriving
	1. Hardware/Software Setup
		1. Hardware
		2. Software
			1. Available Open Source Software
			2. Custom C-ITS Stack with Scapy
			3. Analysis
				1. Map
				2. Possible Identification of Vehicle Models
				3. Other Observations
4. What&apos;s Next: Security Testing of C-ITS
	1. Approaches for Protocol Fuzzing
	2. Limitations</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/BYWYCQ/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/BYWYCQ/feedback/</feedback_url>
            </event>
            <event guid='5aa320dd-345c-56b0-9916-5f2ab7ca786e' id='492'>
                <room>Track 1</room>
                <title>Coffee Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-25T15:15:00+02:00</date>
                <start>15:15</start>
                <duration>00:30</duration>
                <abstract>Coffee Break</abstract>
                <slug>tr26-cfp-492-coffee-break</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Coffee Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/GUKGL8/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/GUKGL8/feedback/</feedback_url>
            </event>
            <event guid='99e22961-8edc-513d-9e2b-da036f34d261' id='438'>
                <room>Track 1</room>
                <title>Counteroffensive AI: Pwning AI Pentesters</title>
                <subtitle></subtitle>
                <type>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T15:45:00+02:00</date>
                <start>15:45</start>
                <duration>00:30</duration>
                <abstract>AI-powered pentesting is the latest hype. Slap an LLM agent on top of well-known offensive
tools built by humans in their free time, run it in YOLO mode, and call it autonomous security
testing. Valuations are going through the roof!
Here is the thing though: these agents consume untrusted input from the very targets they are
testing by design.

Current discourse around AI agent security focuses on prompt injection through direct
interaction. But what about the agent&apos;s environment itself? What happens when the attack
surface the agent is exploring has been prepared by an adversary? What if the authentication
service referenced in that one GitHub issue is actually a honeypot?
In this presentation we will demonstrate a complete attack framework against AI pentesting
agents and release it as open source. We show how to inject tracking payloads at scale into any
platform with user-generated content, operate fake services that capture credentials from AI
agents, and turn every future AI pentest engagement against a sprayed target into a passive
credential harvesting fest. No ongoing effort required, no exploits needed. The AI leaks to us,
fully automated!

The attacker does not need to talk to the agent. They just leave breadcrumbs where the agent
will find them during reconnaissance. A hint about a backup authentication endpoint in a GitHub
issue. A debug configuration in a support ticket. SSO metadata in a user profile bio. The agent
discovers these, reasons they are worth investigating, and acts on them with whatever
credentials and access it was given.

SSO authentication is a particularly brutal example because determining if they are in-scope is
difficult: When logging in, anyone must follow OAuth/OIDC redirects to external domains to test
authenticated applications, and they need to be told how to distinguish a legitimate Identity
Provider from a fake one we planted in user content.

But SSO is just one instance of the fundamental problem: the AI makes decisions based on
content it should not trust, and no amount of prompt engineering changes that unless you know in
advance what the target will look like. We want to shed some light on the complications that
arise when putting AI literally to the test!</abstract>
                <slug>tr26-cfp-438-counteroffensive-ai-pwning-ai-pentesters</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='398'>Markus Vervier</person>
                </persons>
                <language>en</language>
                <description>1. The Promise vs. The Problem 
State of AI pentesting: what vendors claim, how agents actually work under the hood (LLM + tool
chain + YOLO execution). Quick demo: AI agent solving a pentest challenge (GOAD cyberrange),
finds file with password hint, tries credentials everywhere. Who placed that file? Core observation:
agents consume untrusted input from the target and make autonomous decisions. This is the attack
surface. Transition: forget prompt injection, what if the environment itself is hostile?

2. The SSO Dilemma 
How SSO works in 60 seconds: OAuth2/OIDC/SAML flow, redirects to external IdP, token
exchange. Why AI agents MUST follow SSO redirects: cannot test authenticated apps otherwise,
this is table-stakes functionality. The catch-22: agents cannot distinguish legitimate IdPs from
attacker-controlled ones discovered in user content. Walk through failed mitigations: IdP
allowlisting (fails for custom/internal IdPs), redirect-origin checking (fails for undocumented
services), prompt engineering (agent still cannot verify domain legitimacy), human confirmation
(defeats autonomy). Key insight: this is architectural. The feature is the vulnerability. No amount of
guardrails fixes this without removing the capability vendors are selling.

3. Attack Framework: Architecture &amp; Components 
HON-AI &#8212; The Fake Identity Provider: Full OAuth2/OIDC/SAML implementation that looks and
responds like real IdPs. Endpoint coverage: OIDC discovery, OAuth authorize/token/userinfo, Okta
primary auth + MFA verify, SAML metadata/SSO, ADFS, Azure AD-style. Credential capture:
usernames, passwords, client secrets, MFA codes, bearer tokens, full request logging. Response
strategy: returns plausible errors (&quot;password expired&quot;, &quot;MFA required&quot;) to encourage agents to
retry with different credentials or escalate. Domain generation: sso.target.com.attacker.net,
target.okta.attacker.net, login.target.microsoftonline.attacker.net.
UZI: The Mass Reference Injector: Automated injection of fake SSO references into
user-generated content: GitHub issues, forum posts, support tickets, user profile bios, wiki pages,
comments. Payload templates per IdP style: OIDC discovery URLs, Okta-style auth, Azure AD,
Auth0, SAML metadata, ADFS. Canary ID system: unique tracking identifiers embedded in URL
paths for per-target attribution. Social engineering templates that AI agents find compelling: IT
helpdesk notices, SSO migration announcements, disaster recovery documentation, staging
environment references.

4. Live Demonstration: Single Target Attack 
Set up: target web application with injected SSO references, HON-AI fake IdP running, AI
pentesting agent configured with test credentials. Show the injected payloads in context (forum
post, support ticket, user profile). Launch AI pentest, observe agent discover SSO references
during reconnaissance. Agent reasons about the references, decides to test authentication.
Real-time credential capture on HON-AI: user password, then client secret, then MFA code. Show the
captured credentials, demonstrate they are real and usable. Discuss agent behavior: it tried
multiple credential types across multiple fake endpoints, exactly as designed.

5. Mass Spray: Harvesting at Scale
Economics of the attack: spray 10,000 targets once, harvest credentials as AI pentests happen over
months. Canary-tracked URL structure: path-embedded IDs map captured credentials back to
specific targets. UZI mass mode demonstration: generating and injecting payloads across many
targets. HON-AI collection dashboard: credentials arriving over time, attributed to targets via
canary IDs. The compounding problem: as AI pentest adoption grows, the value of pre-planted
canaries increases. Canary propagation: injected references can spread through document
indexing, aggregation, and AI-generated summaries.

6. Implications &amp; The Hard Questions 
For AI pentest vendors: your agents may leak credentials to anyone who plants fake IdP references,
malicious reverse DNS entries and other honeypot traps. This is not fixable with prompt
engineering alone. Fully autonomous pentesting with SSO support needs security controls and
guardrails beyond what is in place today. For enterprises using AI pentesting: use dedicated
pentest-only accounts, rotate credentials immediately after engagement, audit user-generated
content for planted references. For red teamers and adversaries: this is a new passive collection
capability with minimal operational overhead. Broader implications for AI agents in adversarial
environments: any agent that acts on discovered content in hostile environments faces the same
class of problem.

7. Tool Release &amp; Q&amp;A 
Open-source release of HON-AI, UZI, and the victim-app test harness. Repository URL,
documentation, and usage guidance. Responsible disclosure timeline and vendor notification
summary.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/FB8PAJ/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/FB8PAJ/feedback/</feedback_url>
            </event>
            <event guid='6f9b51a9-d1a6-572b-b97c-b3762c8e7456' id='465'>
                <room>Track 1</room>
                <title>Taking a Bite at Apple&apos;s Network Stack: Reversing Proprietary Multi-Device Protocols with logfuse</title>
                <subtitle></subtitle>
                <type>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T16:15:00+02:00</date>
                <start>16:15</start>
                <duration>00:30</duration>
                <abstract>Apple&apos;s walled garden consists of various proprietary network protocols. One of them is Low-Latency WiFi (LLW), which enables real-time applications like Sidecar Display or Continuity Camera. This talk walks through how the internals of Low-Latency WiFi were reverse engineered. Alongside that, we publish logfuse, a toolkit combining log information from different devices into a single timeline.</abstract>
                <slug>tr26-cfp-465-taking-a-bite-at-apple-s-network-stack-reversing-proprietary-multi-device-protocols-with-logfuse</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='422'>Henri J&#228;ger</person>
                </persons>
                <language>en</language>
                <description>Reverse engineering proprietary network protocols means dealing with information scattered across log files, kernel traces, and network captures, often generated across multiple devices. Correlating events in these sources has been cumbersome and manual work, although their dependencies often make protocol analysis more conclusive.

This talk presents the reverse engineering process of Low-Latency WiFi (LLW), Apple&apos;s proprietary link-layer protocol for real-time applications such as Sidecar Display and Continuity Camera, which has remained undocumented in prior reverse engineering of Apple&apos;s ecosystem. We walk through how correlating kernel traces, network captures, and system logs across iOS and macOS devices revealed LLW&apos;s internals. Alongside this, we publish logfuse, an open-source toolkit that made LLW&apos;s internals accessible by aggregating heterogeneous traces from iOS and macOS into a single clock-aligned timeline.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/VQRXGH/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/VQRXGH/feedback/</feedback_url>
            </event>
            <event guid='a662daa2-8b0b-56f5-922d-8c9d9c93297e' id='506'>
                <room>Track 1</room>
                <title>Closing</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-25T17:00:00+02:00</date>
                <start>17:00</start>
                <duration>01:00</duration>
                <abstract>&lt;!-- --&gt;</abstract>
                <slug>tr26-cfp-506-closing</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>&lt;!-- --&gt;</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/FXFPSH/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/FXFPSH/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Track 2' guid='ae308d0a-3cd7-51bb-918f-e243dcfbd2b0'>
            <event guid='1a5f210b-e97a-55e9-ac3a-11abc686f839' id='405'>
                <room>Track 2</room>
                <title>I&apos;m_in_your_cloud_v4_FINAL.pdf - hacking everyone&apos;s cloud</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T10:00:00+02:00</date>
                <start>10:00</start>
                <duration>01:00</duration>
                <abstract>In 2019 I gave my first public conference talk here at TROOPERS, titled &quot;I&apos;m in your cloud&quot;, covering hybrid Active Directory and Azure AD environments. Little did I know that this would be the start of a much bigger research project that covered many more aspects of Azure AD, or Entra ID as it is called these days. Eventually this analysis of hybrid AD/Entra ID led to the discovery of Actor Tokens, and with that the only CVSS 10.0 CVE ever issued for the identity system of a major cloud provider.

In this talk I will go through the history of hybrid AD/Entra ID vulnerabilities that were there since my first talk at TROOPERS and how this led to the discovery of this critical flaw. Of course we will also cover the technicalities and how the &quot;I&apos;m in your cloud&quot; series concluded with being able to take over everyone&apos;s (Microsoft) cloud.</abstract>
                <slug>tr26-cfp-405-i-minyourcloudv4final-pdf-hacking-everyone-s-cloud</slug>
                <track></track>
                
                <persons>
                    <person id='90'>Dirk-jan Mollema</person>
                </persons>
                <language>en</language>
                <description>&lt;!-- --&gt;</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/PQJWB7/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/PQJWB7/feedback/</feedback_url>
            </event>
            <event guid='66f191d6-1e85-55e0-bf10-78fe06c6ec1f' id='350'>
                <room>Track 2</room>
                <title>KDS Root Keys: All Secrets Finally Revealed</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>01:00</duration>
                <abstract>Key Distribution Service (KDS) Root Keys have been an integral part of Active Directory since Windows Server 2012. These cryptographic seeds are predominantly used to generate passwords of managed service accounts (gMSA and dMSA) but are also utilized by DPAPI-NG (also known as CNG DPAPI) to encrypt sensitive information using SID Protectors. Although researchers have previously published PoC implementations of the cryptographic algorithms used with KDS Root Keys, many scenarios have not yet been covered by research and tooling.

In this session, we will demonstrate online and offline attacks against virtually ALL use cases of KDS Root Keys, including:

- Decryption of volumes with BitLocker SID Protector enabled.
- Exporting RSA private keys from group-protected PFX files.
- Extracting DNSSEC signing keys (ZSK and KSK) from Active Directory.
- Revealing ASP.NET Core encrypted database connection strings.
- Bulk export of LAPS and DSRM passwords from ntds.dit, LDAP, or DCSync.
- Generating gMSA and dMSA passwords (Golden *MSA Attack).

We will also be presenting a newly discovered universal way of attacking DPAPI-NG in Windows, which allows us to decrypt any secrets encrypted using the SID protector, without having to develop application-specific decryptors.</abstract>
                <slug>tr26-cfp-350-kds-root-keys-all-secrets-finally-revealed</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='334'>Michael Grafnetter</person>
                </persons>
                <language>en</language>
                <description>After an Active Directory domain is fully compromised, malicious actors can steal KDS Root Keys using LDAP, DCSync, or ntds.dit. These keys can then be abused to unlock secrets that often go beyond the boundaries of AD.
The session will include demos of BitLocker SID protector exploitation, group&#8209;protected PFX/RSA key export, DNSSEC ZSK/KSK extraction, ASP.NET Core database connection string recovery, bulk LAPS/DSRM password export, and gMSA/dMSA password generation. Although some variations on these attacks are already known, there will definitely be a twist to it.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/FPKKRA/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/FPKKRA/feedback/</feedback_url>
            </event>
            <event guid='3d7e9b45-3d59-55ec-96d0-3e17d84a3e67' id='504'>
                <room>Track 2</room>
                <title>Lunch Break + Charity Auction</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-25T12:00:00+02:00</date>
                <start>12:00</start>
                <duration>01:15</duration>
                <abstract>Lunch Break</abstract>
                <slug>tr26-cfp-504-lunch-break-charity-auction</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Lunch Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/HZHMKC/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/HZHMKC/feedback/</feedback_url>
            </event>
            <event guid='71d12a44-fc68-527c-a022-06d3a7ccaf1f' id='444'>
                <room>Track 2</room>
                <title>Popping Microsoft&apos;s Sandbox: What Falls Out of a Dataverse Container</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T13:15:00+02:00</date>
                <start>13:15</start>
                <duration>01:00</duration>
                <abstract>Microsoft Dataverse lets you deploy custom .NET plugins that run server-side in process-isolated Windows Server containers. We deployed one. Within minutes we had SYSTEM on the box, a full LSASS dump, NTLM hashes, DPAPI master keys, a production TLS private key for Microsoft&apos;s sandbox infrastructure, internal Microsoft tenant IDs, 52 other customers&apos; organization GUIDs, and 46 proprietary Microsoft DLLs that were never meant to leave that container.

By decompiling those DLLs (nearly 14,000 C# source files), we reverse-engineered the gRPC protocol that the sandbox uses internally, discovered every method is unauthenticated, and built custom tooling to call them. That path eventually led us to explore cross-tenant code execution, though we&apos;ll be honest about what we could and couldn&apos;t prove there.

This talk is about what you can pull out of a cloud sandbox when the defaults are too permissive, and how a pile of exfiltrated DLLs turned into a much bigger problem than anyone expected.</abstract>
                <slug>tr26-cfp-444-popping-microsoft-s-sandbox-what-falls-out-of-a-dataverse-container</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='241'>Simon Maxwell-Stewart</person>
                </persons>
                <language>en</language>
                <description>1. The Plugin (5 min)
  &#8226;	Quick primer on Dataverse Custom API plugins and how deployment works over the OData REST API.
  &#8226;	Our EchoPlugin: a .NET assembly that runs commands via cmd.exe and returns output through the Dataverse API. Built and deployed using only documented platform features.
  &#8226;	The deployment tooling we wrote (MSAL device-code auth, strong name signing, automated registration). We plan to release this.
  &#8226;	No exploits involved. This is a standard Dataverse feature. You just need a license.

2. SYSTEM in One Command (5 min)
  &#8226;	We land as ContainerAdministrator on Windows Server 2022 (Build 20348) with SeDebugPrivilege and SeImpersonatePrivilege.
  &#8226;	SYSTEM via sc create with obj=LocalSystem. One command.
  &#8226;	This sets the stage for everything that follows. We now have full access to the container&apos;s memory, filesystem, and registry.

3. What We Pulled Out (15 min)
  &#8226;	This is the core of the talk. Once you have SYSTEM on one of these containers, the amount of sensitive material you can grab is alarming.
  &#8226;	LSASS dump via ProcDump, which Microsoft helpfully left in the container. From that: the local Administrator NTLM hash, 28 DPAPI master keys, the boot key, LSA secrets, cached credential decryption keys.
  &#8226;	Registry hive export (SAM, SECURITY, SYSTEM). Exfiltrated via certutil base64 encoding through the API.
  &#8226;	Full SandboxWorker process memory dump (349 MB). Inside we found: a production RSA 2048-bit TLS private key for wus107.prd.sbx.dynamics.com (confirmed matching via OpenSSL), 52 co-located customer organization GUIDs, 4 internal Microsoft tenant IDs, cluster names and internal endpoint URIs.
  &#8226;	Environment variables from the worker process: auth nonces, Azure app and tenant IDs, sidecar host addresses, internal service configuration.
  &#8226;	46 proprietary Microsoft DLLs totaling 30 MB. These include the identity model libraries (Microsoft.IdentityModel.S2S and friends), the SidecarContract library with full gRPC protobuf definitions, the SandboxWorker binary itself, and various CRM runtime components. We decompiled all of them: 13,889 C# source files.
  &#8226;	400 MB+ exfiltrated to our own Azure Blob Storage. Azure-to-Azure, same region, took seconds. No DLP, no alerts.


4. From DLLs to gRPC (10 min)
  &#8226;	The SidecarContract DLLs contained the full protobuf definitions for the gRPC protocol between SandboxWorker and a host-side sidecar process. This was the key find in the DLL haul.
  &#8226;	We built custom Go gRPC clients using those definitions to call every sidecar method. There are 20+ across 3 services. None of them require authentication.
  &#8226;	Read methods: GetEnvironmentVariables (worker nonces, internal tenant IDs), GetWorkerAssignedMetadata (co-located org GUIDs), GetOpenIdSigningKeys (full JWKS with 5 RSA keys and cert chains), GetClusterEnvironmentSettings, GetServiceParameters.
  &#8226;	Write methods: ReportWorkerBusy (DoS for all tenants on the container), SendCrashEvent (inject fake telemetry), SetNamingServiceProperty (modify Service Fabric naming), ProcessPortProxyRequest (create network routes to arbitrary IPs, including 169.254.169.254).
  &#8226;	We produced an OpenAPI spec documenting 27 methods across 3 services. We&apos;ll walk through the interesting ones live.

5. Cross-Tenant Execution (7 min)
  &#8226;	The unauthenticated sidecar, combined with org identity stored in patchable process memory, opens a path to cross-tenant code execution: steal the worker nonce, patch the org GUID in memory, send a crafted Execute request with a target org ID and your own .NET assembly.
  &#8226;	We got context.OrganizationId to return another customer&apos;s GUID. On one container we intercepted their SDK callbacks (RetrieveMultiple for systemuser, businessunit, solution tables).
  &#8226;	To be upfront: we proved the execution context switches, but we did not achieve full data exfiltration from a victim tenant. The bidirectional callback protocol needs more work. So this is real, and it&apos;s scary, but we&apos;re not going to oversell it.

6. What Held and What Didn&apos;t (3 min)
  &#8226;	Credit where it&apos;s due. Microsoft blocked IMDS, filtered cross-container networking, stubbed device IOCTLs, sandboxed driver loading (returns success but never executes), no host filesystem, no Docker socket.
  &#8226;	What failed: no auth on the sidecar, no network isolation between plugin code and infrastructure services, privileged container defaults, wide-open outbound internet, ProcDump sitting in the container, org identity in patchable memory.

7. Takeaways (5 min)
  &#8226;	What this means if you&apos;re running Dataverse plugins or Power Platform in your environment.
  &#8226;	The pattern here (over-privileged sandbox, unauthenticated internal services, identity in patchable memory) is not unique to Dataverse. How to audit for it in other multi-tenant platforms.
  &#8226;	Disclosure timeline and Microsoft&apos;s response.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/3RETQ9/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/3RETQ9/feedback/</feedback_url>
            </event>
            <event guid='c41068b4-bb68-56f7-be81-89c16cffab4f' id='348'>
                <room>Track 2</room>
                <title>Jingle Thief: Cloud Identity Tradecraft in Microsoft 365 and Entra ID</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T14:15:00+02:00</date>
                <start>14:15</start>
                <duration>01:00</duration>
                <abstract>Jingle Thief is a financially motivated campaign that operated almost entirely within Microsoft 365 tenants. After credential theft via phishing and smishing, the threat actors conducted cloud reconnaissance across SharePoint and OneDrive, expanded compromise through internal phishing, manipulated mailbox rules, and established persistence via device registration and authentication method changes in Entra ID.

This session analyzes Jingle Thief as a cloud identity intrusion model rather than a traditional fraud case study. We will examine how native Microsoft 365 and Entra ID functionality was abused to scale compromise, sustain long-term access, and evade detection. The talk concludes with practical detection and monitoring considerations across Exchange Online, SharePoint, OneDrive, and Entra ID telemetry.</abstract>
                <slug>tr26-cfp-348-jingle-thief-cloud-identity-tradecraft-in-microsoft-365-and-entra-id</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='333'>Stav Setty</person>
                </persons>
                <language>en</language>
                <description>The Jingle Thief campaign represents a modern evolution in financially motivated threat activity: a cloud-first intrusion model operating almost exclusively within Microsoft 365 and Entra ID.

Initial access was achieved through phishing and smishing campaigns targeting Microsoft 365 credentials. Once inside a tenant, the actors immediately shifted to cloud-based reconnaissance, mining SharePoint and OneDrive for internal documentation related to gift card issuance processes and operational workflows.

Using compromised internal accounts, the actors conducted additional phishing to expand access across the organization. Mailbox rules and forwarding settings were configured to maintain operational awareness, while phishing artifacts were moved to Deleted Items to reduce visibility.

Persistence was established through device registration within the tenant and modification of authentication methods in Entra ID, enabling sustained access even as credentials were reset. In one observed case, the intrusion persisted for approximately ten months and involved more than sixty compromised accounts.

This talk focuses on the identity-layer mechanics of the campaign and examines:
	&#8226;	The Microsoft 365 and Entra ID attack lifecycle observed in victim tenants
	&#8226;	Abuse of collaboration platforms for reconnaissance and operational scaling
	&#8226;	Mailbox rule manipulation and internal phishing tradecraft
	&#8226;	Device registration and authentication method modification as persistence mechanisms
	&#8226;	Investigation challenges unique to cloud-only intrusions
	&#8226;	Detection and monitoring considerations across Exchange Online, SharePoint, OneDrive, and Entra ID logs

Rather than presenting a traditional fraud narrative, this session reframes Jingle Thief as a cloud identity tradecraft model and discusses what defenders must instrument and monitor to detect similar activity.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/YFRZ9U/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/YFRZ9U/feedback/</feedback_url>
            </event>
            <event guid='b27ca2d2-e2e1-5c4f-89d2-3a2d0c738f13' id='497'>
                <room>Track 2</room>
                <title>Coffee Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-25T15:15:00+02:00</date>
                <start>15:15</start>
                <duration>00:30</duration>
                <abstract>Coffee Break</abstract>
                <slug>tr26-cfp-497-coffee-break</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Coffee Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/YNWFTG/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/YNWFTG/feedback/</feedback_url>
            </event>
            <event guid='31b1d19d-6c20-5c7f-a0ef-a3190c4acc46' id='387'>
                <room>Track 2</room>
                <title>Modern Adventures in Azure Privilege Escalation</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T15:45:00+02:00</date>
                <start>15:45</start>
                <duration>01:00</duration>
                <abstract>The increase in hybrid cloud adoption over the last decade has extended traditional Active Directory domain environments into the Azure (and Entra ID) cloud. During that time, penetration tests and red team assessments have also been bringing Azure tenants into engagement scopes. Less experienced testers are often finding themselves with an initial foothold in Azure, but lacking in experience on what an escalation path would look like. This talk will cover all the steps along the way from initial access through persistence. 
Attendees should walk away with some new techniques, along with a handful of potential escalation paths for furthering access in an Azure tenant. In addition to this, we will cover some techniques for maintaining privileged access after an initial escalation. Finally, we will be introducing a new resource for identifying attack paths for specific Azure services.</abstract>
                <slug>tr26-cfp-387-modern-adventures-in-azure-privilege-escalation</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='321'>Karl Fosaaen</person><person id='367'>Thomas Elling</person>
                </persons>
                <language>en</language>
                <description>Starting off with some basics, attendees will get a brief lesson on the fundamental concepts that support Azure tenants. Building on that foundation, we will explain what privilege escalation looks like in Azure, as compared to a traditional on-prem environment. Often in the cloud, there can be a blending of concepts that results in escalation, lateral movement, and persistence. With all of these in mind, we will then go over the escalation and lateral movement options for multiple Azure resource types. These will be focused on the permissions a user may have available, and how those permissions can be abused. We will also cover escalations from the Entra ID side and explain why that&apos;s fundamentally different from the Azure resource level escalations. Finally, we will wrap things up with a few persistence concepts in Azure and provide some resources to help with escalations.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/N8JZBT/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/N8JZBT/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Track 3' guid='a46c830a-6d97-5944-a39a-6d0db19d9fe2'>
            <event guid='11876f24-950d-5932-b016-e72751aa821e' id='428'>
                <room>Track 3</room>
                <title>Unshelling VShell at Scale</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T10:00:00+02:00</date>
                <start>10:00</start>
                <duration>01:00</duration>
                <abstract>VShell is a backdoor written in Golang that is shared across multiple threat actors. It is used widely by intrusion groups, particularly China-nexus actors such as UNC5174. We carried out an in-depth investigation of VShell C2 servers and found that a broad range of information can be obtained from them at scale. For example, by sending a specific magic packet to a VShell C2 server, it is possible to retrieve the raw stageless binary in unobfuscated form. This stageless binary contains hard-coded config data, including the &quot;vkey&quot;. We performed an internet-wide scan for publicly exposed VShell C2 servers, collected stageless binaries, analysed their config data, and explored clustering and attribution.

In this presentation, we first explain what kind of malware VShell is, including its relationship with SNOWLIGHT, and present the results of our detailed malware analysis together with representative cases of abuse. We then describe the structure of the VShell C2 server and show how it communicates with VShell. We also share the contents of the magic packet used to obtain the stageless binary, the results of our detailed analysis of the binary itself, the configuration data embedded in it, and the findings from our analysis of the large volume of config data we collected. In addition, we present deeper analytical results based on information obtained from C2 servers that were operated with default settings. Finally, we propose detection logic for network and endpoint security products to help defend against compromises involving VShell. This logic reflects the detailed internal behaviour of VShell C2 infrastructure revealed by our research.

Through this talk, attendees will gain a detailed understanding of VShell&#8217;s capabilities and the characteristics of its C2 servers. They will also learn a research method for uncovering new information useful for attribution. In addition, these findings can be applied directly to defensive practice, including the development of more effective detection logic.</abstract>
                <slug>tr26-cfp-428-unshelling-vshell-at-scale</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    <person id='389'>Kazuya Nomura</person><person id='391'>Rintaro Koike</person>
                </persons>
                <language>en</language>
                <description>At the start of the talk, we outline what kind of malware VShell is. VShell is a backdoor written in Golang. It was at one point publicly available on GitHub, which helped it become a shared tool used by a wide range of attackers. It is particularly favoured by China-nexus threat groups. We also briefly introduce the groups known to use VShell and present representative examples of their attack workflows. In particular, we focus on recent cases involving UNC5174 and UNC6586.

We then examine the VShell C2 server. We obtained the VShell builder and C2 server binaries and conducted a detailed analysis. Using concrete examples from our data, we explain how VShell payloads are generated by the builder and how they communicate with the C2 server. This gives the audience an accurate view of how VShell operates.

Our investigation of VShell C2 servers also revealed previously unknown findings. For example, when a specific magic packet is sent to a VShell C2 server, it is possible to retrieve a stageless VShell binary. This stageless binary contains config data, including the &quot;vkey&quot;, and that data is not obfuscated, making it straightforward to extract. We used this behaviour to scan the internet at scale, identify VShell C2 servers, retrieve stageless binaries from them, and extract a large volume of config data. Based on the collected config data, we performed clustering and attribution analysis of threat actors using VShell, and we present the results. Some of the stageless binaries we collected had characteristics that differed from the commonly available VShell. We will also show these differences.

In addition, C2 servers running with default settings can expose even more information. This includes data on victim hosts connected to the server. We analysed these data and carried out further in-depth research. We also present the results of that analysis.

Finally, we discuss defensive measures for protecting organisations against VShell-related attacks. Based on our detailed analysis of these C2 servers, we developed improved detection logic that goes beyond what has previously been available. We present detection logic designed for both network security products and endpoint security products.

Through this talk, the audience will gain a detailed understanding of VShell&apos;s capabilities and the characteristics of its C2 servers. They will also learn research methods for uncovering new information that supports attribution. In addition, they will see how these research findings can be applied in practice, including the development of more effective detection logic and other concrete defensive measures.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/FZ7LBK/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/FZ7LBK/feedback/</feedback_url>
            </event>
            <event guid='46dbef58-390d-50f6-9878-6f48ad473657' id='291'>
                <room>Track 3</room>
                <title>Living Off The Pipeline: Defensive Research, Weaponized</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>01:00</duration>
                <abstract>We created &quot;Living Off The Pipeline&quot; (LOLBAS for CI/CD) and a 0-day vuln scanner, then we saw Threat Actors on BreachForums were paying attention. Enter the &quot;Metasploit for CI/CD.&quot; In this live kill-chain, we exploit &quot;pwn requests&quot; to pivot from a public GitHub repo to private repos. We show how anonymous users gain &quot;insider&quot; privileges to exfiltrate secrets, poison releases, and escalate to Cloud Admin.</abstract>
                <slug>tr26-cfp-291-living-off-the-pipeline-defensive-research-weaponized</slug>
                <track>Attack &amp; Research</track>
                
                <persons>
                    <person id='295'>Fran&#231;ois Proulx</person>
                </persons>
                <language>en</language>
                <description>For years, our research team wrote the defensive manuals. We built the &quot;Living Off The Pipeline&quot; (LOTP) inventory and released `poutine` (our open-source vulnerability scanner) to help defenders find the holes. But we have bad news: Threat Actors were taking notes.
In early 2025, we found the &quot;smoking gun&quot; on BreachForums: a full attack plan for a 0-day compromise giving a direct shout-out to our defensive research as the source. Our work had become their offensive playbook.

In this talk, we stop playing defense. We introduce **SmokedMeat**, the &quot;Metasploit for CI/CD.&quot;

Our research shows that 2025&apos;s Build Pipelines look like the average 2005 PHP Web App in terms of secure coding, wide open to &quot;pwn requests&quot; and command injections. SmokedMeat is the first Open Source Red Team framework designed to commoditize these compromises, demonstrating exactly what happens when a Threat Actor turns your infrastructure against you.

We will demonstrate a full exploitation chain:

1. **Reconnaissance:** Pivoting from unprivileged anonymous access on public repositories using `poutine` to find the weak spots.
2. **Exploitation:** Stealing private repository secrets and intellectual property via automated &quot;pwn requests&quot;.
3. **Persistence:** The &quot;gone in 60 seconds&quot; jump from an ephemeral workflow runner directly to permanent Cloud Admin, implanting backdoors on build infrastructure.

The era of simple &quot;awareness&quot; is over. This talk demonstrates why your current CI/CD security strategy is already obsolete.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/UR9JPA/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/UR9JPA/feedback/</feedback_url>
            </event>
            <event guid='30e8028b-a2cb-5efa-a92d-97d27154f552' id='501'>
                <room>Track 3</room>
                <title>Lunch Break + Charity Auction</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-25T12:00:00+02:00</date>
                <start>12:00</start>
                <duration>01:15</duration>
                <abstract>Lunch Break</abstract>
                <slug>tr26-cfp-501-lunch-break-charity-auction</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Lunch Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/9SH8LT/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/9SH8LT/feedback/</feedback_url>
            </event>
            <event guid='2f70e027-440c-51fb-938d-cbc9617c0e98' id='447'>
                <room>Track 3</room>
                <title>From Code to Coverage: A Detection Engineer&apos;s Journey Through the LDAP Wilderness</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T13:15:00+02:00</date>
                <start>13:15</start>
                <duration>01:00</duration>
                <abstract>Active Directory reconnaissance tools like BloodHound, Impacket, and SOAPHound are the attacker&apos;s first move in enterprise compromises, yet detecting their LDAP queries remains one of the hardest problems in security operations. This talk chronicles a six month journey from writing my first broken Sigma rule to building a complete, evasion resistant LDAP detection stack.

You&apos;ll learn why traditional signature based detection fails spectacularly, how to think like both an attacker and a parser, and how mathematical approaches can outsmart evasion techniques. We&apos;ll cover OID transformations that break your rules, whitespace variations that mock your regex, hidden LDAP parameters that bypass your detections, and ultimately, statistical methods that make evasion mathematically impossible.

This isn&apos;t theory. Every technique is battle tested in production environments with working Sigma rules, real attack logs, and actual false positive rates. Leave with detection rules and techniques you can deploy Monday morning.</abstract>
                <slug>tr26-cfp-447-from-code-to-coverage-a-detection-engineer-s-journey-through-the-ldap-wilderness</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    <person id='403'>Andrew S.</person>
                </persons>
                <language>en</language>
                <description>BloodHound, Impacket, SOAPHound. Every red teamer&apos;s starting point, every blue teamer&apos;s blind spot. LDAP reconnaissance is how attackers learn your environment before you know they&apos;re there, and most detections for it are embarrassingly easy to bypass.
This talk started as a failure. A Sigma rule that looked right, passed review, and caught nothing in production. Six months later, it turned into a complete LDAP detection stack that&apos;s caught tools the vendor community hadn&apos;t even documented yet.
We&apos;ll get into the specific mechanics of why detections break. OID transformations that silently invalidate your rules, whitespace variations that make regex useless, SDFlags queries that walk straight past ACL monitoring. Then we&apos;ll flip the problem. Instead of chasing attacker syntax, we&apos;ll use Event 1644&apos;s performance fields to detect enumeration behavior statistically, something no amount of query obfuscation can hide. We&apos;ll also cover ADWS correlation for catching PowerShell-based recon that never touches LDAP at all.
Everything here is running in production. You&apos;ll get real false positive rates, real tuning decisions, and Sigma rules and detection techniques you can actually use.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/TPGLJU/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/TPGLJU/feedback/</feedback_url>
            </event>
            <event guid='8a5ebb02-ff53-5e54-a4a3-c7977abdfd1c' id='427'>
                <room>Track 3</room>
                <title>Delete Is Easy &#8211; Recovery Is Not: The Reality of Entra ID Backup &amp; Restore</title>
                <subtitle></subtitle>
                <type>Talk (50 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T14:15:00+02:00</date>
                <start>14:15</start>
                <duration>01:00</duration>
                <abstract>Backup and restore have always been fundamental principles of IT, yet in Microsoft Entra ID they are often misunderstood, underestimated, or simply ignored.

What happens when a Conditional Access policy is modified and you suddenly need last week&#8217;s configuration?
What can actually be restored in Entra ID and what is permanently lost?

In this session, we dive into deletion and recovery behavior across different Entra resource types, from identities and groups to Conditional Access policies and tenant-wide configurations. We separate myths from reality and clarify where restoration is technically possible and where it simply isn&#8217;t.

A key focus is on recent changes and new capabilities in Entra ID, including improvements around deletion and recovery as well as the Unified Tenant Configuration Management (UTCM) capability introduced in early 2026. We explore how UTCM enables administrators to track, compare, and safeguard tenant-wide configurations, shifting the approach from reactive recovery to proactive control.

The goal is simple: to replace assumptions with facts and help you build a realistic protection strategy for your Entra ID environment without relying solely on third-party backup solutions.</abstract>
                <slug>tr26-cfp-427-delete-is-easy-recovery-is-not-the-reality-of-entra-id-backup-restore</slug>
                <track>Active Directory &amp; Entra ID Security</track>
                
                <persons>
                    <person id='388'>Klaus Bierschenk</person>
                </persons>
                <language>en</language>
                <description>This session is aimed at identity and security professionals working with Microsoft Entra ID who want to understand the real limitations of backup and recovery in cloud identity environments.

Attendees will gain a clear understanding of how deletion and recovery behave across different Entra resource types, including users, groups, Conditional Access policies, and tenant-wide configurations. The session highlights where recovery is possible, where it is limited, and where it is not available at all.

In addition, we explore recent platform changes and new capabilities such as Unified Tenant Configuration Management (UTCM), and how these features shift the focus from reactive recovery to proactive configuration governance.

The session combines architectural insights with practical examples and multiple live demonstrations, showing real-world behavior directly in Entra ID. Attendees will see how changes, deletions, and recovery scenarios actually behave in practice, rather than relying on documentation alone.

Attendees will leave with a realistic understanding of Entra ID protection strategies and actionable guidance for improving resilience without relying solely on third-party backup solutions.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/BGTTKQ/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/BGTTKQ/feedback/</feedback_url>
            </event>
            <event guid='f4848014-2c67-5131-8029-074e8a298c27' id='494'>
                <room>Track 3</room>
                <title>Coffee Break</title>
                <subtitle></subtitle>
                <type>Special</type>
                <date>2026-06-25T15:15:00+02:00</date>
                <start>15:15</start>
                <duration>00:30</duration>
                <abstract>Coffee Break</abstract>
                <slug>tr26-cfp-494-coffee-break</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>Coffee Break</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/3UUGNV/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/3UUGNV/feedback/</feedback_url>
            </event>
            <event guid='cf56017f-ca4b-5c4e-84e9-8bcc72cdcb95' id='353'>
                <room>Track 3</room>
                <title>Integrating Incident Analysis and Digital Forensics Tooling for Automated Compromise Detection</title>
                <subtitle></subtitle>
                <type>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T15:45:00+02:00</date>
                <start>15:45</start>
                <duration>00:30</duration>
                <abstract>Due to the increasing number and impact of computer security incidents, it has become essential to develop and implement efficient measures for their investigation. However, comprehensive forensic analyses are time-consuming, and this time is often not available to security analysts during acute computer security incidents. As a result, automated tools are increasingly being used. These tools, however, often cover only a limited scope of the necessary analyses and typically require deep technical expertise to be used effectively. For this reason, we developed a framework that enables the automated analysis of disk images in the context of security incidents and is capable of identifying whether a system has been compromised. The framework orchestrates multiple established digital forensics and incident analysis tools through a decision-tree-based control logic. This decision tree governs the execution flow of integrated modules, each representing a distinct analytical domain (e.g., file system analysis, artifact extraction, event log inspection). A live demonstration illustrates how analysts interact with the system, which external analysis tools are integrated, and how the framework consolidates results into a structured, analyst-oriented report. The framework was evaluated using both compromised and non-compromised disk images derived from real-world and synthetic computer security incidents. The evaluation assesses detection capabilities, practical benefits for analysts, and current limitations.</abstract>
                <slug>tr26-cfp-353-integrating-incident-analysis-and-digital-forensics-tooling-for-automated-compromise-detection</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    <person id='32'>Ann-Marie Belz</person>
                </persons>
                <language>en</language>
                <description>This talk addresses the growing need for efficient incident analysis in response to the increasing number and impact of computer security incidents. While automation is essential to reduce investigation time, existing tools in digital forensics and incident analysis often operate in isolation and lack comprehensive orchestration. We present a modular framework that integrates established forensic and analysis tools using a decision-tree-based control mechanism. The talk includes a live demonstration of the framework, an overview of its architecture, and an explanation of how it detects compromised disk images. Finally, we discuss current limitations and outline future extensions of the framework.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/M7QTN7/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/M7QTN7/feedback/</feedback_url>
            </event>
            <event guid='5704323b-e123-52fb-8cd6-7f57bb9a57fa' id='296'>
                <room>Track 3</room>
                <title>The Edge of Tomorrow: Today&apos;s Devices, Tomorrow&apos;s Incidents</title>
                <subtitle></subtitle>
                <type>Lightning Talk (20 minutes talk / 10 minutes Q&amp;A)</type>
                <date>2026-06-25T16:15:00+02:00</date>
                <start>16:15</start>
                <duration>00:30</duration>
                <abstract>Edge devices sit on the Internet-facing border of every organisation, silently bridging trust zones while running full Linux distributions that rarely see a reboot, let alone a patch. Because they are &#8220;just network kit,&#8221; they are exempted from EDR, and excluded from MDM, making them the perfect beachhead for an attacker who wants to pivot into a company&apos;s network without triggering a single alert.</abstract>
                <slug>tr26-cfp-296-the-edge-of-tomorrow-today-s-devices-tomorrow-s-incidents</slug>
                <track>Defense &amp; Management</track>
                
                <persons>
                    <person id='299'>Mathieu LE CLEACH</person><person id='300'>Mael Pignol</person>
                </persons>
                <language>en</language>
                <description>This talk will examine various aspects of edge-device compromises. We will share real-world findings and experiences from responding to an edge-device compromise, highlighting the challenges, lessons learned, and best practices for forensic analysis and incident response. We will also explore detection opportunities and recommendations for improving monitoring and response capabilities.

Attendees will leave with actionable incident-response tactics and detection-engineering clues for spotting and stopping similar intrusions.</description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://cfp.troopers.de/tr26-cfp/talk/ZJPKLN/</url>
                <feedback_url>https://cfp.troopers.de/tr26-cfp/talk/ZJPKLN/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    
</schedule>
