In this session, they will talk about the PRT internals, their protection on MacOS, and even on how you can combine this knowledge with regular PRTs for extra persistence in the environment. During their research they found the implementation on macOS is very different than on Windows and even varies per Microsoft application. This research led to uncover an undocumented API that allows to request a deviceless PRT via a newer version of the protocol. This API also allows a workflow that enables you to recant a device claim or generate a new PRT without one based on an SSO-flow. With this new token you can then register our own device in AAD and thereby bypass most conditional access policies.
The talk will show this in a live or recorded demo and feature a release of the updated ROADtools, created and maintained by Dirk-jan, that allows the use of these API calls. After demonstrating the attack, Olaf and Dirk-jan will also show some detection opportunities.
More information: https://troopers.de/troopers24/talks/3vlccy/
Get educated
Other events
SO CON 2024
[dsm_breadcrumbs show_home_icon="off" separator_icon="K||divi||400" admin_label="Supreme Breadcrumbs" _builder_version="4.18.0" _module_preset="default" items_font="||||||||" items_text_color="rgba(255,255,255,0.6)" custom_css_main_element="color:...
Experts Live 2024
[dsm_breadcrumbs show_home_icon="off" separator_icon="K||divi||400" admin_label="Supreme Breadcrumbs" _builder_version="4.18.0" _module_preset="default" items_font="||||||||" items_text_color="rgba(255,255,255,0.6)" custom_css_main_element="color:...
Black Hat EU 2023
[dsm_breadcrumbs show_home_icon="off" separator_icon="K||divi||400" admin_label="Supreme Breadcrumbs" _builder_version="4.18.0" _module_preset="default" items_font="||||||||" items_text_color="rgba(255,255,255,0.6)" custom_css_main_element="color:...
Together. Secure. Today.
Stay in the loop and sign up to our newsletter
FalconForce realizes ambitions by working closely with its customers in a methodical manner, improving their security in the digital domain.
Energieweg 3
3542 DZ Utrecht
The Netherlands
FalconForce B.V.
[email protected]
(+31) 85 044 93 34
KVK 76682307
BTW NL860745314B01