Videos
-
Okta For Good and Bad – Hybrid Attack Paths Crossing Okta Organizations
Recording of my SO-CON 2026 talk, co-presented with Lance Cain:
Security specialists and end users appreciate the convenience of single sign-on (SSO) technologies like Okta. Unfortunately, attackers do too. We will explore how compromised human or machine identities can lead to hybrid attack paths that begin in Active Directory, move through Okta, and reach critical assets such as Git repositories, CI/CD pipelines, cloud storage, or enterprise password managers. We will also demonstrate how adversaries can deliver payloads to macOS devices by leveraging Okta and third-party MDMs.
-
A Look Inside a Pass-the-PRT Attack
Like an NT hash (AKA NTLM hash AKA MD4 hash) and a Kerberos ticket, a Primary Refresh Token (PRT) can be passed in an attack. Mimikatz author Benjamin Delpy and Dirk-jan Mollema have both released detailed research and code showing how attackers could Pass-the-PRT to perform lateral movement to the cloud.
I have recorded a short demo of the Pass-the-PRT attack:
-
Exploiting Windows Hello for Business
Here is the recording of my Black Hat Europe 2019 Briefings session about Exploiting Windows Hello for Business:
-
Offline Attacks on Active Directory
DSInternals