BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//speaker//ZPYYRD BEGIN:VTIMEZONE TZID:CET BEGIN:STANDARD DTSTART:20001029T040000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:CET TZOFFSETFROM:+0200 TZOFFSETTO:+0100 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000326T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3 TZNAME:CEST TZOFFSETFROM:+0100 TZOFFSETTO:+0200 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-tr26-cfp-FPKKRA@cfp.troopers.de DTSTART;TZID=CET:20260625T110000 DTEND;TZID=CET:20260625T120000 DESCRIPTION:Key Distribution Service (KDS) Root Keys have been an integral part of Active Directory since Windows Server 2012. These cryptographic se eds are predominantly used to generate passwords of managed service accoun ts (gMSA and dMSA) but are also utilized by DPAPI-NG (also known as CNG DP API) to encrypt sensitive information using SID Protectors. Although resea rchers have previously published PoC implementations of the cryptographic algorithms used with KDS Root Keys\, many scenarios have not yet been cove red by research and tooling.\n\nIn this session\, we will demonstrate onli ne and offline attacks against virtually ALL use cases of KDS Root Keys\, including:\n\n- Decryption of volumes with BitLocker SID Protector enabled .\n- Exporting RSA private keys from group-protected PFX files.\n- Extract ing DNSSEC signing keys (ZSK and KSK) from Active Directory.\n- Revealing ASP.NET Core encrypted database connection strings.\n- Bulk export of LAPS and DSRM passwords from ntds.dit\, LDAP\, or DCSync.\n- Generating gMSA a nd dMSA passwords (Golden *MSA Attack)\n\nWe will also be presenting a new ly discovered universal way of attacking DPAPI-NG in Windows\,\nwhich allo ws us to decrypt any secrets encrypted using the SID protector\, without r equiring to develop application-specific decryptors. DTSTAMP:20260510T025658Z LOCATION:Track 2 SUMMARY:KDS Root Keys: All Secrets Finally Revealed - Michael Grafnetter URL:https://cfp.troopers.de/tr26-cfp/talk/FPKKRA/ END:VEVENT END:VCALENDAR