Recap YellowHat - Cyber Security Event 2025

Recap YellowHat - Bringing Security Experts together

Introduction

Last week, I had the pleasure of being part of the YellowHat event together with colleagues, organized at the Microsoft head office. YellowHat is a cybersecurity conference held in Schiphol, Netherlands, focusing on Microsoft Security solutions, particularly Microsoft Defender. The event features deep-dive technical sessions presented by industry experts. The conference took place on March 6, 2025, and was livestreamed (1500+ attendees) globally from Schiphol, with an in-person audience of approximately 120+ attendees.

Warm Welcome

At the entrance you are welcomed with some nice swag, a "yellow helmet" (with a fighting cat) and a "t-shirt", getting you into the spirit of the sessions. The event was introduced by Dan Michelson, the founder of YellowHat together with Maarten Goet. Dan explained the purpose: "At Yellowhat, they go beyond the basics, delivering deep-dive sessions (level 400+) designed for security professionals who seek advanced knowledge and actionable insights. The mission is to empower attendees with the latest expertise in Microsoft Security solutions, enabling them to tackle today’s most pressing cybersecurity challenges with confidence. Whether you’re exploring the intricacies of Microsoft Sentinel, mastering advanced configurations in Microsoft Defender, or diving into the latest innovations in Microsoft Purview, Yellowhat provides a platform to learn, connect, and grow".

Sessions

A glance at the sessions that were there:

  • Keynote with Dan Michelson - Origin of YellowHat and the main purpose! It was kicked off with an interview with Koos Goossens explaining how the idea was born, and why the YellowHat;
  • Blueprint for a Modern Defender strategy told by Raviv Tamir; Explaining the roadmap towards a modern SOC and what Microsoft is working on looking into the future;
  • Mastering Microsoft Defender XDR Configuration told by Mattias Borg and Stefan Schörling; Explaining the do's and don'ts with the different configuration best practices;
  • Hunt the Tokens - Uncovering Post-Authentication Attacks Across Your Environment told by Thomas Naunheim; Deep-dive session with highly skilled expertise and KQL queries (this GitHub page) to hunt for OAuth tokens and detect anomalies;
  • Navigating the Evolving OAuth Attacks Landscape told by Ran Marom; Explaining the purpose of Defender for Cloud Apps protecting your SaaS applications;
  • Enhanced protection through advances in Automatic Attack Disruption told by Eyal Haik; Explaining the attack factors and how to mitigate them;
  • Windows Hello abuse - the sequel told by Dirk-jan Mollema; Deep-dive session on how to bypass passwordless authentication by intercepting PRTs when Windows Hello is used over RDP towards a non-TPM device;
  • Defining agentic Workflows for Security told by Roberto Rodriguez;
  • Speaker Q & A - ask us anything.

Roundup

It was a great evening and always fun to see friends and meet new people! Looking forward to the next! Hope to see you there.

Till next time!