Upcoming Talk: KDS Root Keys and Where to Find Them at HIP Conf 26
After presenting my novel research on KDS Root Keys to the European audience at TROOPERS26 in Heidelberg, I am thrilled to get the opportunity to share it with the US audience in vibrant Nashville. I will be speaking at the Hybrid Identity Protection Conference 26 in Nashville, Tennessee, on September 8–10, 2026. My session, KDS Root Keys and Where to Find Them, is scheduled for Wednesday, September 9, at 11:15 AM in the Identity Security Research track.
KDS Root Keys are the cryptographic seeds that Active Directory uses to derive gMSA and dMSA passwords, encrypt Windows LAPS secrets, and power DPAPI-NG SID protectors. Stealing them unlocks far more than just a single account. The session will cover online and offline attacks against virtually every use case of KDS Root Keys, including:
- Decryption of volumes with BitLocker SID Protector enabled.
- Exporting RSA private keys from group-protected PFX files.
- Extracting DNSSEC signing keys (ZSK and KSK) from Active Directory.
- Recovering ASP.NET Core database connection strings.
- Bulk export of Windows LAPS and DSRM passwords.
- Generation of gMSA and dMSA passwords offline.
I will also reveal a newly discovered universal attack against DPAPI-NG SID protectors, allowing any application-encrypted secret to be unlocked without application-specific decryptors.
See you in Nashville!
DSInternals