According to the Microsoft Digital Defense Report 2025, more than 97% of identity-related attacks are password spray or brute force attacks. The majority of these attacks are not successful, as many organizations enforce multi-factor authentication (MFA). Of the remaining three per cent, over 2.4% are token theft attacks carried out by malware.
The number of token theft attacks has risen over the past few years, as stolen tokens give instant access to organizational resources. Depending on the stolen token, the access can be temporary or persistent. The most powerful token to steal is the Primary Refresh Token (PRT), which, along with the session key (SK), allows a threat actor to impersonate both the user and the endpoint from which the PRT was stolen.
On endpoints that do not use a Trusted Platform Module (TPM), stealing the PRT and SK is trivial if the threat actor can obtain administrator permissions. TPM is mandatory for Windows 11 devices, but many Windows 10 devices and Windows servers still don’t use a TPM.
But how does TPM really work? During this session, you will learn how TPM protects device identity and SK to prevent PRT theft. For red teamers, you’ll learn how to study the details of TPM and PRT implementation. For blue teamers, you’ll learn how to detect PRT theft – both successes and failures.
You will learn:
- Device identities explained
- How threat actors are stealing tokens
- Technical details on how TPM protects against PRT theft