I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter. Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8
Sean Metcalf
Author's posts
Oct 10 2018
Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest
At DerbyCon 8 (2018) over the weekend Will Schroeder (@Harmj0y), Lee Christensen (@Tifkin_), & Matt Nelson (@enigma0x3), spoke about the unintended risks of trusting AD. They cover a number of interesting persistence and privilege escalation methods, though one in particular caught my eye. Overview Lee figured out and presents a scenario where there’s an account …
Aug 12 2018
Black Hat & DEF CON Presentation Slides Posted
I just uploaded the slides from my Black Hat & DEF CON talks from the past week in Vegas. They are a bit different with the BH talk more Blue (defensive) and the DC talk mostly Red (Offensive) in focus. Also note that the only real overlap in content is the MFA & password vault …
May 20 2018
NolaCon (2018) Active Directory Security Talk Slides Posted
I recently presented my talk “Active Directory Security: The Journey” at Nolacon in New Orleans, LA. Slides are now posted here. On Sunday, May 19th, 2018, I spoke at NolaCon at 11am. Here’s the talk description: Active Directory is only the beginning. Attackers have set their sights squarely on Active Directory when targeting a company, though …
Jan 01 2018
Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory
I have been fascinated with Read-Only Domain Controllers (RODCs) since RODC was released as a new DC promotion option with Windows Server 2008. Microsoft customers wanted a DC that wasn’t really a DC. – something that could be deployed in a location that’s not physically secure and still be able to authenticate users. This post …
Nov 24 2017
Securing Microsoft Active Directory Federation Server (ADFS)
Many organizations are moving to the cloud and this often requires some level of federation. Federation, put simply, extends authentication from one system (or organization) to another. Gerald Steere (@Darkpawh) and I spoke about cloud security at DEF CON in July 2017. Presentation slides and video are here: “Hacking the Cloud” One of the key …
Aug 11 2017
Gathering AD Data with the Active Directory PowerShell Module
Microsoft provided several Active Directory PowerShell cmdlets with Windows Server 2008 R2 (and newer) which greatly simplify tasks which previously required putting together lengthy lines of code involving ADSI. On a Windows client, install the Remote Sever Administration Tools (RSAT) and ensure the Active Directory PowerShell module is installed. On a Windows server (2008 R2 …
Aug 10 2017
Beyond Domain Admins – Domain Controller & AD Administration
Active Directory has several levels of administration beyond the Domain Admins group. In a previous post, I explored: “Securing Domain Controllers to Improve Active Directory Security” which explores ways to better secure Domain Controllers and by extension, Active Directory. For more information on Active Directory specific rights and permission review my post “Scanning for Active …
Jun 14 2017
Scanning for Active Directory Privileges & Privileged Accounts
Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization. I covered ways to enumerate permissions in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Blue Team …
May 30 2017
AD Reading: Windows Server 2016 Active Directory Features
The following are useful resources for Windows Server 2016 Active Directory Features. Windows 2016 Features What’s New in Windows 2016 Active Directory Windows Server 2016 AD Functional Level Privileged Access Management (PAM) Windows 2016 PAM Shadow Security Principals (temporary group membership) Azure AD Join Windows 2016 Azure AD Join Microsoft Hello …
Recent Comments