Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter. Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8

Author's posts

May 01 2017

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

By Sean Metcalf in ActiveDirectorySecurity, Security Conference Presentation/Video

I recently presented my talk “Detecting the Elusive: Active Directory Threat Hunting” at BSides Charm in Baltimore, MD. Slides are now posted in the Presentations section. I cover some of the information I’ve posted here before: PowerShell Security Detecting Kerberoasting: Part 1 and Part 2 On Sunday, April 30th, 2017, I spoke at BSides Charm in …

Active Directory, Command Logging, Domain Controllers, Event logging, Microsoft WEF, PowerShell logging, Presentation, Sp4rkCon, Sysinternals SysMon

May 01 2017

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

By Sean Metcalf in ActiveDirectorySecurity, Security Conference Presentation/Video

I recently presented my talk “Active Directory Security: The Good, the Bad, & the UGLY” at Sp4rkCon in Bentonville, AR in April 2017. Slides are now posted in the Presentations section. I cover some of the information I’ve posted here before: PowerShell Security Detecting Kerberoasting: Part 1 and Part 2 Here’s the talk description: Active Directory Security:The Good, the …

Active Directory recon, AD admin tiers, Credential theft, Kerberoasting detection, Kerberos Delegation, PowerShell logging, Secure AD administration

Feb 08 2017

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

In my previous post, “Detecting Kerberoasting Activity” I explain how Kerberoasting works and describe how to detect potential Kerberoasting activity. The trick to this is understanding what activity is normal in order to filter out the noise and increase the fidelity of the alert. This post describes how to filter from millions of events to …

AP-REQ, Audit Kerberos Service Ticket Operations, Detect Kerberoast Activity, Detecting Kerberoast activity, Event ID 4769, Kerberoast honeypot, Kerberoasting activity, Kerberos RC4 Encryption, Kerberos Service Ticket, Kerberos TGS, Kerberos TGS Ticket, NTLM Password, RC4_HMAC_MD5, service account honeypot, TGS-REP, TGS-REQ

Feb 05 2017

Detecting Kerberoasting Activity

By Sean Metcalf in ActiveDirectorySecurity, Hacking, Microsoft Security, Technical Reference

Introduction Kerberoasting can be an effective method for extracting service account credentials from Active Directory as a regular user without sending any packets to the target system. This attack is effective since people tend to create poor passwords. The reason why this attack is successful is that most service account passwords are the same length …

AP-REQ, Audit Kerberos Service Ticket Operations, Detect Kerberoast Activity, Detecting Kerberoast activity, Event ID 4769, Kerberoasting Active Directory, Kerberoasting activity, Kerberos RC4 Encryption, Kerberos Service Ticket, Kerberos TGS, Kerberos TGS Ticket, KerberosRequestorSecurityToken, NTLM Password, PowerShell Kerberoast, RC4_HMAC_MD5, TGS-REP, TGS-REQ

Jan 29 2017

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes. Complete list of Sneaky Active Directory Persistence Tricks posts This post explores how an attacker could leverage existing admin rights and/or over-permissive delegation to gain persistence …

AD Sneaky Persistence, attacking kerberos, Kerberoast, kerberoasting, Kerberos attack, Kerberos Ticket Cracking, KerberosRequestorSecurityToken, PowerShell Kerberoasting, RC4 TGS ticket, service principal name, sneaky persistence tricks, SPN, System.IdentityModel, TGS cracking, Write ServicePrincipalName

Nov 03 2016

Securing Domain Controllers to Improve Active Directory Security

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

Active Directory security effectively begins with ensuring Domain Controllers (DCs) are configured securely. At BlackHat USA this past Summer, I spoke about AD for the security professional and provided tips on how to best secure Active Directory. This post focuses on Domain Controller security with some cross-over into Active Directory security. The blog is called …

Oct 21 2016

Securing Windows Workstations: Developing a Secure Baseline

By Sean Metcalf in Microsoft Security, Security Recommendation, Technical Reference

Securing workstations against modern threats is challenging. It seems like every week there’s some new method attackers are using to compromise a system and user credentials. Post updated on March 8th, 2018 with recommended event IDs to audit. The best way to create a secure Windows workstation is to download the Microsoft Security Compliance Manager …

Oct 18 2016

BSides DC (2016) Talk – PowerShell Security: Defending the Enterprise from the Latest Attack Platform

By Sean Metcalf in Microsoft Security

This Saturday at BSides DC, I am presenting on the current state of PowerShell security in a talk called, “PowerShell Security: Defending the Enterprise from the Latest Attack Platform.” I cover some of the information I’ve posted here before: PowerShell Version 5 Security Enhancements PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection Detecting Offensive PowerShell …

BSidesDC Presentation, Detect PowerShell attacks, PowerShell logging, PowerShell Security, PowerShell v5, Presentation

Sep 27 2016

Some Favorite DerbyCon 6 Talks (2016)

By Sean Metcalf in Security Conference Presentation/Video

This post is a collection of my favorite and interesting talks from DerbyCon 6 (2016). There were a lot of great talks and as I discover them, I’ll add them here. My goal is to collect and provide the talk videos and slides together for a single, easy reference. I’m sure I missed a few. …

ActiveDirectorySecurity, DerbyCon 6 Videos, DerbyCon2016, EvilCorp, PowerShell, PowerShell Obfuscation

Sep 13 2016

DerbyCon 6 (2016) Talk – Attacking EvilCorp: Anatomy of a Corporate Hack

By Sean Metcalf in Microsoft Security, Security Conference Presentation/Video

Next week at DerbyCon 6, Will Schroeder (aka Will Harmjoy, @Harmj0y) & I are presenting on enterprise security, “Attacking EvilCorp: Anatomy of a Corporate Hack.” We call this one the “How You Got Hacked” presentation. The company and events are fictional. The techniques are real. On Saturday, September 24th, 2016, Will & I are speaking …

DerbyCon Presentation, DerbyCon2016, DerbyCon6, EvilCorp, Harmj0y, How You Got Hacked, Will Harmjoy

Sean Metcalf

Author's posts

BSides Charm (2017) Talk Slides Posted – Detecting the Elusive: Active Directory Threat Hunting

Sp4rkCon (2017) Talk Slides Posted – Active Directory Security: The Good, the Bad, & the UGLY

Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot

Detecting Kerberoasting Activity

Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

BSides DC (2016) Talk – PowerShell Security: Defending the Enterprise from the Latest Attack Platform

Some Favorite DerbyCon 6 Talks (2016)

DerbyCon 6 (2016) Talk – Attacking EvilCorp: Anatomy of a Corporate Hack

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Sean Metcalf

Author's posts

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright