Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter. Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8

Author's posts

Jan 22 2016

ADSecurity.org in the Press!

By Sean Metcalf in ActiveDirectorySecurity

IT World Canada reached out to me recently to help with an article on Active Directory attack & defense. Read the article: “IT not doing enough to secure Active Directory, says expert.” IIT World Canada also requested comments for a second story titled: “22 tips for preventing ransomware attacks“.

ActiveDirectory, ActiveDirectorySecurity, ADSecurity, ITWorld, ITWorldArticle, ITWorldCanada

Jan 18 2016

So You Want to Speak at a Security Conference?

By Sean Metcalf in Security Conference Presentation/Video

After performing research at the end of 2014 on Microsoft enterprise security, specifically Active Directory, I realized that others may be interested in this information – my customers certainly were! So, I decided to submit a talk to the various security conferences and see what happened. I certainly didn’t expect to be accepted at 5 …

BlackHatCFP, BSidesCFP, CallForPapers, CFP, CFPResponse, CFPSubmission, ConferenceCFP, DEFCONCFP, DerbyConCFP, HackerCon, Presentation, SecurityConference, SecurityConferenceCFP, ShakaconCFP, Talk

Jan 05 2016

Mimikatz Update Fixes Forged Kerberos Ticket Domain Field Anomaly – Golden Ticket Invalid Domain Field Event Detection No Longer Works

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security

In late 2014, I discovered that the domain field in many events in the Windows security event log are not properly populated when forged Kerberos tickets are used. The key indicator is that the domain field is blank or contains the FQDN instead of the short (netbios) name and depending on the tool used to …

ActiveDirectory, ActiveDirectorySecurity, ADSecurity, DetectForgedKerberoTicket, DetectGoldenTicket, DetectingForgedKerberosTicket, DetectSilverTicket, ForgedKerberosTicket, GoldenTicket, kerberos::golden, mimikatz, SilverTicket

Jan 03 2016

How Attackers Dump Active Directory Database Credentials

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

I previously posted some information on dumping AD database credentials before in a couple of posts: “How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller” and “Attack Methods for Gaining Domain Admin Rights in Active Directory“. This post covers many different ways that an attacker can dump credentials from Active Directory, both …

500, 502, ActiveDirectorydatabase, Administrator, copy ntds.dit, CopyNTDS.dit, DCSync, DITSnapshotViewer, dumpActiveDirectory, DumpADCredentials, DumpADCreds, DumpCredentials, DumpCreds, Esentutl, Invoke-Mimikatz, Invoke-NinjaCopy, Invoke-ReflectivePEInjection, KRBTGT, lsadump::dcsync, lsadump::lsa, mimikatz, MimikatzDCSync, ntds.dit, ntdsutil, PassTheTicket, PowerShellRemoting, PowerSploit, sekurlsa::logonpasswords, VolumeShadowCopy, VSS, VSSNTDS.dit, WMI, WMIC, WMICPassTheTicket, WMIPTT

Jan 01 2016

Attack Methods for Gaining Domain Admin Rights in Active Directory

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation). The …

Dec 31 2015

Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

Microsoft’s Kerberos implementation in Active Directory has been targeted over the past couple of years by security researchers and attackers alike. The issues are primarily related to the legacy support in Kerberos when Active Directory was released in the year 2000 with Windows Server 2000. This legacy support is enabled when using Kerberos RC4 encryption …

ActiveDirectory, CrackPasswords, CrackServiceAccountPassword, CrackTGS, DiamondPAC, DomainController, ForgedPAC, GoldenTicket, Kerberoast, Kerberos, KerberosSilverTicket, mimikatz, MS14068, MSSQL, PowerShell, Python, RC4HMACMD5, RC4_HMAC_MD5, ServicePrincipalName, SilverTicket, SkeletonKey, SPN, SPNScanning, SQL, TGS, TGSCracker, TGT
1 comments

Dec 28 2015

Finding Passwords in SYSVOL & Exploiting Group Policy Preferences

By Sean Metcalf in Exploit, Microsoft Security, Technical Reference

At Black Hat and DEF CON this year, I spoke about ways attackers go from Domain User to Domain Admin in modern enterprises. Every Windows computer has a built-in Administrator account with an associated password. Changing this password is a security requirement in most organizations, though the method for doing so is not straight-forward. A …

Dec 14 2015

Unofficial Guide to Mimikatz & Command Reference

By Sean Metcalf in Microsoft Security, Technical Reference

A new page on ADSecurity.org just went live which is an “unofficial” guide to Mimikatz which also contains an expansive command reference of all available Mimikatz commands. Screenshots, descriptions, and parameters are included where available and appropriate. This page includes the following topics: Mimikatz Overview Mimikatz & Credentials Available Credentials by OS PowerShell & Mimikatz …

Nov 30 2015

Real-World Example of How Active Directory Can Be Compromised (RSA Conference Presentation)

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, RealWorld

At the RSA Conference in Abu Dhabi earlier this month, Stefano Maccaglia (Incident Response Consultant with RSA) presented “Evolving Threats: dissection of a Cyber-Espionage attack.” The slides for this talk are available on the RSA Conference site (UPDATE: RSA removed the slides from their site, Presentation Slides on Yumpu). This post covers and adds some …

ActiveDirectory, DomainControllerExploit, mimikatz, MS14068, RealWorld, RSAConference, spearphish

Nov 22 2015

Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Technical Reference

The two key goals of any attack is access and persistence. This post covers elements of each. In a post-exploitation scenario where the attacker has compromised the domain or an account with delegated rights, it’s possible to dump the clear-text passwords of admins without being a Domain Admin*. This method requires the Active Directory Domain …

Sean Metcalf

Author's posts

ADSecurity.org in the Press!

So You Want to Speak at a Security Conference?

Mimikatz Update Fixes Forged Kerberos Ticket Domain Field Anomaly – Golden Ticket Invalid Domain Field Event Detection No Longer Works

How Attackers Dump Active Directory Database Credentials

Attack Methods for Gaining Domain Admin Rights in Active Directory

Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain

Finding Passwords in SYSVOL & Exploiting Group Policy Preferences

Unofficial Guide to Mimikatz & Command Reference

Real-World Example of How Active Directory Can Be Compromised (RSA Conference Presentation)

Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Sean Metcalf

Author's posts

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright