Trusted by Design: How Windows Uses TPM to Secure PRTs
Identity-related attacks remain a critical threat, with over 97% involving password spraying or brute force attempts. While multi-factor authentication (MFA) mitigates most of these, the remaining incidents—predominantly token theft via malware—account for more than 2.4% and are on the rise. Stolen tokens enable immediate, potentially persistent access to organisational resources. The Primary Refresh Token (PRT) combined with the Session Key (SK) allows impersonation of both users and endpoints.
Endpoints lacking a Trusted Platform Module (TPM) are particularly vulnerable, as administrator privileges can facilitate trivial PRT and SK theft. Although TPM is required for Windows 11, many Windows 10 devices and servers remain unprotected.
This session explores the mechanics of TPM in safeguarding device identity and SK. Red Teamers will gain insights into dissecting TPM and PRT implementations for offensive strategies, while Blue Teamers will learn techniques to detect both successful and attempted PRT thefts.
According to the Microsoft Digital Defence Report 2025, more than 97% of identity-related attacks are password spray or brute force attacks. The majority of these attacks are not successful, as many organisations are enforcing multi-factor authentication (MFA). From the remaining three per cent, over 2.4% are token theft attacks by malware.
The number of token theft attacks has risen over the past few years, as stolen tokens give instant access to organisational resources. Depending on the stolen token, the access can be temporary or persistent. The most powerful token to steal is the Primary Refresh Token (PRT), which, along with the session key (SK), allows a threat actor to impersonate both the user and the endpoint from which the PRT was stolen.
On endpoints that do not use a Trusted Platform Module (TPM), stealing the PRT and SK is trivial if the threat actor can obtain administrator permissions. TPM is mandatory for Windows 11 devices, but many Windows 10 devices and Windows servers still don’t use TPM.
But how does TPM really work? During this session, you will learn how TPM protects device identity and SK to prevent PRT theft. For Red Teamers, you’ll learn how to study the details of the TPM and PRT implementation. For Blue Teamers, you’ll learn how to detect PRT theft – both successes and failures.