Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter. Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8

Author's posts

Aug 01 2019

AD Reading: Windows Server 2019 Active Directory Features

By Sean Metcalf in Technical Reference

Windows Server 2019 has several new features, though nothing in this list is related to AD. Note that there is no Windows Server 2019 AD Forest/Domain Functional Level. There are no new features for Active Directory in Windows Server 2019 except one performance update which doesn’t affect most deployments. This update is related to an …

Mar 21 2019

There’s Something About Service Accounts

By Sean Metcalf in Technical Reference

Service accounts are that gray area between regular user accounts and admin accounts that are often highly privileged. They are almost always over-privileged due to documented vendor requirements or because of operational challenges (“just make it work”). We can discover service accounts by looking for user accounts with Kerberos Service Principal Names (SPNs) which I …

Active Directory, AD Security, AGPM, Altiris, CommVault, Domain Admins, Imanami, Insight, Nessus, Service Accounts, ServiceNow, SPN, SQL, Vcenter, VMWare, VPN, VulScan

Feb 12 2019

Mitigating Exchange Permission Paths to Domain Admins in Active Directory

By Sean Metcalf in Technical Reference

This article is a cross-post from TrimarcSecurity.comOriginal article: https://www.trimarcsecurity.com/single-post/2019/02/12/Mitigating-Exchange-Permission-Paths-to-Domain-Admins-in-Active-Directory The Issue Recently a blog post was published by Dirk-jan Mollema titled “Abusing Exchange: One API call away from Domain Admin ” (https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/)which highlighted several issues with Exchange permissions and a chained attack which would likely result in a regular user with a mailbox being able to …

Active Directory Security, Domain permissions, Exchange custom RBAC, Exchange NTLM Relay, Exchange permissions, Exchange split permission model, Exchange Trusted Subsystem, Exchange Windows Permission, GenericAll, Organization Management

Oct 11 2018

From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

It’s been almost 1.5 years since the Medium post by Shay Ber was published that explained how to execute a DLL as SYSTEM on a Domain Controller provided the account is a member of DNSAdmins. I finally got around to posting here since many I speak with aren’t aware of this issue. Shay describes this …

Active Directory, DNS server object permission, DNSAdmins, DnsPluginCleanup, DnsPluginInitialize, DnsPluginQuery, Domain Controller, from DNSAdmin to Domain Admin, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll, mimikatz dll, run DLL on Domain Controller, ServerLevelPluginDll, UUID is 50ABC2A4–574D-40B3–9D66-EE4FD5FBA076, \PIPE\DNSSERVER

Oct 10 2018

Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest

By Sean Metcalf in ActiveDirectorySecurity, Exploit, Hacking, Microsoft Security, Security Conference Presentation/Video

At DerbyCon 8 (2018) over the weekend Will Schroeder (@Harmj0y), Lee Christensen (@Tifkin_), & Matt Nelson (@enigma0x3), spoke about the unintended risks of trusting AD. They cover a number of interesting persistence and privilege escalation methods, though one in particular caught my eye. Overview Lee figured out and presents a scenario where there’s an account …

AD credential theft, constrained delegation, DCSync, delegation, DoD STIG, Domain Controller Spooler, Kerberos, Kerberos attack, Kerberos Delegation, Kerberos unconstrained delegation, MS-RPRN, Print Spooler, RpcRemoteFindFirstPrinterChangeNotification, Spooler, Spooler Service

Aug 12 2018

Black Hat & DEF CON Presentation Slides Posted

By Sean Metcalf in Security Conference Presentation/Video, Vulnerability

I just uploaded the slides from my Black Hat & DEF CON talks from the past week in Vegas. They are a bit different with the BH talk more Blue (defensive) and the DC talk mostly Red (Offensive) in focus. Also note that the only real overlap in content is the MFA & password vault …

May 20 2018

NolaCon (2018) Active Directory Security Talk Slides Posted

By Sean Metcalf in ActiveDirectorySecurity, Security Conference Presentation/Video

I recently presented my talk “Active Directory Security: The Journey” at Nolacon in New Orleans, LA. Slides are now posted here. On Sunday, May 19th, 2018, I spoke at NolaCon at 11am. Here’s the talk description: Active Directory is only the beginning. Attackers have set their sights squarely on Active Directory when targeting a company, though …

Jan 01 2018

Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory

By Sean Metcalf in ActiveDirectorySecurity, Hacking, Microsoft Security

I have been fascinated with Read-Only Domain Controllers (RODCs) since RODC was released as a new DC promotion option with Windows Server 2008. Microsoft customers wanted a DC that wasn’t really a DC. – something that could be deployed in a location that’s not physically secure and still be able to authenticate users. This post …

Allowed RODC Password Replication Policy, DCSync, Denied RODC Password Replication Policy, Directory Services Restore Mode password, discovering RODCs, Domain Controller, DSRM, golden ticket, Hacking RODCs, harden Read-Only Domain Controllers, harden RODCs, Invoke-Mimikatz, KRBTGT, KRBTGT_######, mimikatz, msDS-AuthenticatedToAccountList, msDS-KeyVersionNumber, msDS-NeverRevealGroup, msDS-Reveal-OnDemandGroup, msDS-RevealedList, Read-Only Domain Controller, ReadOnly Domain Controller, RODC, RODC Active Directory, RODC Administration, RODC administrators, RODC backlink, RODC golden ticket, RODC in the DMZ, RODC Krbtgt, RODC ManagedBy attribute, RODC Manager, RODC password, RODC Password Replication Policy, RODC replication, RODC security, RODC SYSVOL, Silver Tickets

Nov 24 2017

Securing Microsoft Active Directory Federation Server (ADFS)

By Sean Metcalf in Cloud Security, Microsoft Security, Security Recommendation, Technical Reading, Technical Reference

Many organizations are moving to the cloud and this often requires some level of federation. Federation, put simply, extends authentication from one system (or organization) to another. Gerald Steere (@Darkpawh) and I spoke about cloud security at DEF CON in July 2017. Presentation slides and video are here: “Hacking the Cloud” One of the key …

ADFS certificates, ADFS Recommendations, ADFS Security, ADFS Security Best Practices, GoldenSAML, GoldenSAML Detection, GoldenSAML protection, Microsoft Active Directory Federation Servers, Protecting ADFS, Securing ADFS

Aug 11 2017

Gathering AD Data with the Active Directory PowerShell Module

By Sean Metcalf in PowerShell, Technical Reference

Microsoft provided several Active Directory PowerShell cmdlets with Windows Server 2008 R2 (and newer) which greatly simplify tasks which previously required putting together lengthy lines of code involving ADSI. On a Windows client, install the Remote Sever Administration Tools (RSAT) and ensure the Active Directory PowerShell module is installed. On a Windows server (2008 R2 …

Active Directory PowerShell Module, Active Directory Trusts, AD cmdlets, AD PowerShell cmdlets, Add-WindowsFeature RSAT-AD-PowerShell, ADSI, Backup domain GPOs, Enumerate Domain Trusts, Find AD Kerberos Service Accounts, Finding Active Directory Flexible Master Single Operation (FSMO) Roles, Get AD site information., Get-ADComputer, Get-ADDomain, Get-ADDomainController, Get-ADForest, Get-ADGroup, Get-ADGroupMember, Get-ADReplicationPartnerFailure, Get-ADReplicationPartnerMetadata, Get-ADReplicationUptodatenessVectorTable, Get-ADUser, Get-Command -module ActiveDirectory, Get-Module -ListAvailable, Get-RootDSE, Import-Module ServerManager, Inventory Domain Controllers, PowerShell, PowerShell Find inactive computers, PowerShell Find inactive users

Sean Metcalf

Author's posts

AD Reading: Windows Server 2019 Active Directory Features

There’s Something About Service Accounts

Mitigating Exchange Permission Paths to Domain Admins in Active Directory

From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration

Domain Controller Print Server + Unconstrained Kerberos Delegation = Pwned Active Directory Forest

Black Hat & DEF CON Presentation Slides Posted

NolaCon (2018) Active Directory Security Talk Slides Posted

Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory

Securing Microsoft Active Directory Federation Server (ADFS)

Gathering AD Data with the Active Directory PowerShell Module

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Sean Metcalf

Author's posts

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright