TROOPERS26 Call for Paper

Dr Nestori Syynimaa

Dr Nestori Syynimaa is a Principal Identity Security Researcher at Microsoft Threat Intelligence Center. He has over a decade of experience with the security of Microsoft cloud services and is known as the creator of the AADInternals toolkit. Before joining Microsoft in early 2024, Dr Syynimaa worked as a researcher, CIO, consultant, trainer, and university lecturer for over 20 years.

Dr Syynimaa has spoken at many international scientific and professional conferences, including IEEE TrustCom, TROOPERS, BSides, Black Hat USA, Europe, and Asia, Def Con, and RSA Conference.


Session

06-24
15:15
60min
Trusted by Design: How Windows Uses TPM to Secure PRTs
Dr Nestori Syynimaa

Identity-related attacks remain a critical threat, with over 97% involving password spraying or brute force attempts. While multi-factor authentication (MFA) mitigates most of these, the remaining incidents—predominantly token theft via malware—account for more than 2.4% and are on the rise. Stolen tokens enable immediate, potentially persistent access to organisational resources. The Primary Refresh Token (PRT) combined with the Session Key (SK) allows impersonation of both users and endpoints.

Endpoints lacking a Trusted Platform Module (TPM) are particularly vulnerable, as administrator privileges can facilitate trivial PRT and SK theft. Although TPM is required for Windows 11, many Windows 10 devices and servers remain unprotected.

This session explores the mechanics of TPM in safeguarding device identity and SK. Red Teamers will gain insights into dissecting TPM and PRT implementations for offensive strategies, while Blue Teamers will learn techniques to detect both successful and attempted PRT thefts.

Active Directory & Entra ID Security
Track 2