Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter. Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8

Author's posts

Aug 10 2017

Beyond Domain Admins – Domain Controller & AD Administration

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

Active Directory has several levels of administration beyond the Domain Admins group. In a previous post, I explored: “Securing Domain Controllers to Improve Active Directory Security” which explores ways to better secure Domain Controllers and by extension, Active Directory. For more information on Active Directory specific rights and permission review my post “Scanning for Active …

Active Directory Admins, Active Directory groups, Active Directory Security, ActiveDirectory, AD Administrators, AD Admins, AD Security, allow log on locally, Back-up files & directories, Backup Operators, Builtin, DC rights, DCSync, Default AD groups, Default Domain Controller Policy, domain Administrators group, Domain Admins, Domain Controller, Domain Controller groups, Domain Controller rights, Enable computer and user accounts to be trusted for delegation, Force shutdown from a remote system, Get-ADGroupMember, Log on as a batch job, Log on as a service, Manage auditing and security log, Print Operators, Remote Desktop users, Restore files & directories, Schema Admins, Server Operators, Synchronize directory service data

Jun 14 2017

Scanning for Active Directory Privileges & Privileged Accounts

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security

Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization. I covered ways to enumerate permissions in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Blue Team …

Account Operators, Active Directory permissions, Active Directory PRivileged Access, Active Directory Security, AD, AD ACLs, AD Delegation, AD groups in Local Groups, AD Security, AdminSDHolder, Allow logon locally, Allow logon over Remote Desktop Services, Backup Operators, Bloodhound, Create GPO rights, CreateChild, DCSync, DeleteChild, Domain Admins, Enable computer and user accounts to be trusted for delegation, Enterprise Admins, Extended Right, Full Control, GenericAll, GenericWrite, GPO, Greoup Policy Delegation, Group Membership, Group Policy Object, Group Policy Permission, Impersonate a client after authentication, Link GPO rights, Manage auditing and security log, Manage Group Policy link, PowerView, Print Operators, Replicating Directory Changes All, Restricted Groups, S-1-5--512, S-1-5--517, S-1-5--520, S-1-5-21--1102, S-1-5-21--519, S-1-5-21--525, S-1-5-21--571, S-1-5-32--574, S-1-5-32-544, S-1-5-32-548, S-1-5-32-550, S-1-5-32-551, S-1-5-32-554, S-1-5-32-562, S-1-5-32-573, S-1-5-32-578, SACL, Schema Admins, SDDL, SDProp, Self, SeMachineAccountPrivilege, SeNetworkLogonRight, SeTcbPrivilege, SeTrustedCredManAccessPrivilege, SIDHistory, Synchronize directory service data, User Rights Assignments, Validated Write, WriteDACL, WriteOwner, WritePRoperty

May 30 2017

AD Reading: Windows Server 2016 Active Directory Features

By Sean Metcalf in Technical Reference

The following are useful resources for Windows Server 2016 Active Directory Features. Windows 2016 Features What’s New in Windows 2016 Active Directory Windows Server 2016 AD Functional Level Privileged Access Management (PAM) Windows 2016 PAM Shadow Security Principals (temporary group membership) Azure AD Join Windows 2016 Azure AD Join Microsoft Hello …

May 01 2017

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

By Sean Metcalf in ActiveDirectorySecurity, Security Conference Presentation/Video

I recently presented my talk “Detecting the Elusive: Active Directory Threat Hunting” at BSides Charm in Baltimore, MD. Slides are now posted in the Presentations section. I cover some of the information I’ve posted here before: PowerShell Security Detecting Kerberoasting: Part 1 and Part 2 On Sunday, April 30th, 2017, I spoke at BSides Charm in …

Active Directory, Command Logging, Domain Controllers, Event logging, Microsoft WEF, PowerShell logging, Presentation, Sp4rkCon, Sysinternals SysMon

May 01 2017

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

By Sean Metcalf in ActiveDirectorySecurity, Security Conference Presentation/Video

I recently presented my talk “Active Directory Security: The Good, the Bad, & the UGLY” at Sp4rkCon in Bentonville, AR in April 2017. Slides are now posted in the Presentations section. I cover some of the information I’ve posted here before: PowerShell Security Detecting Kerberoasting: Part 1 and Part 2 Here’s the talk description: Active Directory Security:The Good, the …

Active Directory recon, AD admin tiers, Credential theft, Kerberoasting detection, Kerberos Delegation, PowerShell logging, Secure AD administration

Feb 08 2017

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

In my previous post, “Detecting Kerberoasting Activity” I explain how Kerberoasting works and describe how to detect potential Kerberoasting activity. The trick to this is understanding what activity is normal in order to filter out the noise and increase the fidelity of the alert. This post describes how to filter from millions of events to …

AP-REQ, Audit Kerberos Service Ticket Operations, Detect Kerberoast Activity, Detecting Kerberoast activity, Event ID 4769, Kerberoast honeypot, Kerberoasting activity, Kerberos RC4 Encryption, Kerberos Service Ticket, Kerberos TGS, Kerberos TGS Ticket, NTLM Password, RC4_HMAC_MD5, service account honeypot, TGS-REP, TGS-REQ

Feb 05 2017

Detecting Kerberoasting Activity

By Sean Metcalf in ActiveDirectorySecurity, Hacking, Microsoft Security, Technical Reference

Introduction Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length …

AP-REQ, Audit Kerberos Service Ticket Operations, Detect Kerberoast Activity, Detecting Kerberoast activity, Event ID 4769, Kerberoasting Active Directory, Kerberoasting activity, Kerberos RC4 Encryption, Kerberos Service Ticket, Kerberos TGS, Kerberos TGS Ticket, KerberosRequestorSecurityToken, NTLM Password, PowerShell Kerberoast, RC4_HMAC_MD5, TGS-REP, TGS-REQ

Jan 29 2017

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes. Complete list of Sneaky Active Directory Persistence Tricks posts This post explores how an attacker could leverage existing admin rights and/or over-permissive delegation to gain persistence …

AD Sneaky Persistence, attacking kerberos, Kerberoast, kerberoasting, Kerberos attack, Kerberos Ticket Cracking, KerberosRequestorSecurityToken, PowerShell Kerberoasting, RC4 TGS ticket, service principal name, sneaky persistence tricks, SPN, System.IdentityModel, TGS cracking, Write ServicePrincipalName

Nov 03 2016

Securing Domain Controllers to Improve Active Directory Security

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

Active Directory security effectively begins with ensuring Domain Controllers (DCs) are configured securely. At BlackHat USA this past Summer, I spoke about AD for the security professional and provided tips on how to best secure Active Directory. This post focuses on Domain Controller security with some cross-over into Active Directory security. The blog is called …

Oct 21 2016

Securing Windows Workstations: Developing a Secure Baseline

By Sean Metcalf in Microsoft Security, Security Recommendation, Technical Reference

Securing workstations against modern threats is challenging. It seems like every week there’s some new method attackers are using to compromise a system and user credentials. Post updated on March 8th, 2018 with recommended event IDs to audit. The best way to create a secure Windows workstation is to download the Microsoft Security Compliance Manager …

Sean Metcalf

Author's posts

Beyond Domain Admins – Domain Controller & AD Administration

AD Reading: Windows Server 2016 Active Directory Features

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

Detecting Kerberoasting Activity

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Sean Metcalf

Author's posts

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright