Interested in securing your enterprise and Active Directory environment?
Please Contact Us!
Sean Metcalf, Identity Security Architect at TrustedSec, has presented on security attack and defense at many security conferences including:
- Black Hat USA (2015, 2016, 2018, 2019)
- Blue Team Con (2021)
- BSides Charm (2015, 2016, 2017, 2018, 2019, 2024)
- BSides DC (2016)
- BSides Dublin (2024)
- BSides PR (2019)
- DEF CON (2015, 2016, 2017, 2018, 2019, 2020, 2024)
- DerbyCon (2015, 2016, 2017, 2018, 2019)
- Hackers Teaching Hackers (HTH) (2021)
- HackCon (2018)
- Hybrid Identity Protection Conference (2017, 2018, 2024)
- IT-Defense (2019)
- MCTTP (2024)
- Microsoft BlueHat (2017)
- Microsoft Ignite (2019)
- NolaCon (2018)
- RSA (2025)
- Shakacon (2015, 2018)
- The Experts Conference (TEC) (2019, 2020. 2021, 2022, 2023, 2024, 2025)
- TRICON Keynote (2024)
- Troopers (2018, 2019, 2024)
- Walmart Sp4rkCon (2017)
This page includes the slides and videos (if available).
2025 Presentations:
-
Wild West Hackin’ Fest (WWHF) Mile High 2025 – “From User to Entra ID Admin”
WWHF Mile High – Slides (PDF) -
RSA 2025 – “Your Microsoft Cloud Is the Attacker’s Computer”
RSA 2024 – Slides (PDF) -
The Expert’s Conference (TEC) 2025 – “Entra the Dragon: Roles, Permissions, and Conditional Access, Oh My!”
TEC 2024 – Slides (PDF) [Talk October 1st, 2025]
2024 Presentations:
-
ISACA Springfield, MO 2024 – “The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations”
ISACA 2024 – Slides (PDF) -
BSides Charm 2024 – “The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations ”
BSides Charm 2024 – Slides (PDF) -
BSides Dublin 2024 – “The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations ”
BSides Dublin 2024 – Slides (PDF)
BSides Dublin 2024 – Presentation Video (YouTube) -
Troopers 2024 – “A Decade of Active Directory Attacks: What We’ve Learned & What’s Next ”
Troopers 2024 – Slides (PDF)
Troopers 2024 – Presentation Video (YouTube) -
TRICON 2024 Keynote – “What Are We Even Doing?”
TRICON 2024 – Slides (PDF)
TRICON 2024 – Presentation Video (YouTube) -
DEFCON Cloud Village 2024 – “Gone in 60 Seconds…
How Azure AD/Entra ID Tenants are Compromised”
DEFCON Cloud Village 2024 – Slides (PDF) -
MCTTP Conference 2024 – “A Decade of Active Directory Attacks: What We’ve Learned & What’s Next”
MCTTP 2024 – Slides (PDF) -
The Expert’s Conference 2024 – “A Decade of Microsoft Identity Attacks:
What We’ve Learned & What’s Next”
TEC 2024 – Slides (PDF) -
Hybrid Identity Protection (HIP) Conference 2024 – “A Decade of Microsoft Identity Attacks: What We’ve Learned & What’s Next”
HIP 2024 – Slides (PDF)
2023 Presentations:
-
The Expert’s Conference (TEC) 2023 – “The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations”
TEC 2023 – Slides (PDF)
2022 Presentations:
-
The Expert’s Conference (TEC) 2022 – “Defending the Identity Nexus
TEC 2022 – Slides (PDF)
2021 Presentations:
-
Blue Team Con 2021 Keynote – “Into the Blue”
Blue Team Con 2021 – Slides (PDF) -
The Expert’s Conference (TEC) 2021 – “Hardening Azure AD in the Face of Emerging Threats”
TEC 2021 – Slides (PDF) -
Hackers Teaching Hackers (HTH) 2021 Keynote – “Security Challenges in a Hybrid World”
HTH 2021 – Slides (PDF)
2020 Presentations:
-
DEFCON 2020 – “Hacking the Hybrid Cloud”
DEFCON 2020 – Slides (PDF)
DEFCON 2020 – Presentation Video (YouTube) -
Ignite 2020 – “Ask the Expert Top Challenges of Hybrid Active Directory Security”
-
The Expert’s Conference (TEC) 2020 – “Hybrid Cloud Security”
TEC 2020 – Slides (PDF)
TEC 2020 – Presentation Video
2019 Presentations:
-
Microsoft Ignite 2019 – “The Top 10 Most Common Active Directory Security Issues, their impact, and remediation”
Microsoft Ignite 2019 – Slides (PDF)
Microsoft Ignite 2019 – Talk Audio with Slides -
BSidesPR 2019 – “Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)”
BSidesPR 2019 – Slides (PDF)
(not recorded) -
DerbyCon 2019 – “Active Directory Security: Beyond the Easy Button”
DerbyCon 2019 – Slides (PDF) just the AD security content
DerbyCon 2019 – Slides (PDF) Full deck including my “DerbyCon Reflections”
(Slides were updated after the talk to provide more context)
DerbyCon 2019 – Presentation Video (YouTube) -
The Expert’s Conference (TEC) 2019 Keynote – “The Current State of Active Directory Security”
“The Current State of Active Directory Security” Slides (PDF)
TEC 2019 – Presentation Video (YouTube) -
DEFCON 2019 Cloud Village Keynote
“Cloudy Vision: How Cloud Integration Complicates Security”
Slides (PDF)
(not recorded) -
Black Hat USA 2019 – “Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)”
Black Hat USA 2019 – Slides (PDF)
Black Hat 2019 – Presentation Video (YouTube) -
BSides Charm 2019 – “You Moved to Office 365, Now What?”
BSides Charm 2019 – Slides (PDF)
BSides Charm 2019 – Presentation Video (YouTube) -
Troopers 2019 (TR19) – “From Workstation to Domain Admin… Why Secure Administration Isn’t Secure and How to Fix It” [Version 4]
Troopers 2019 – TR19 Slides (PDF)
Troopers 2019 – TR19 Presentation Video (YouTube) -
IT-Defense 2019 – “Securing Active Directory Administration” [Version 3]
This is a minor update to my DerbyCon 2018 talk.
IT-Defense 2019 – Slides (PDF)
(not recorded)
2018 Presentations:
-
Hybrid Identity Protection Conference (HIPconf) 2018 – “Securing the Microsoft Cloud”
HIPConf 2018 – Slides (PDF)
HIPConf 2018 – Presentation Video (YouTube) -
DerbyCon 2018 – “From Workstation to Domain Admin…” [Version 2]
DerbyCon 2018 – Slides (PDF)
DerbyCon 2018 – Presentation Video (YouTube) -
DEF CON 26 (2018) – “Exploiting Active Directory Administrator Insecurities”
DEF CON 26 – Slides (PDF)
DEF CON 26 – Presentation Video (YouTube) -
Black Hat 2018 – “From Workstation to Domain Admin: Why Secure Administration isn’t Secure and How to Fix it”
Black Hat 2018 – Slides (PDF)
Black Hat 2018 – Presentation Video (YouTube) -
ShakaCon X 2018 – “The Current State of Active Directory Security”
ShakaCon Slides (PDF) – note this talk content is similar to my NolaCon 2018 talk.
Presentation Video (YouTube)
Note: One of the speakers was unable to make it, so I filled in on short notice. -
NolaCon 2018 – “Active Directory Security: The Journey” [Version 3]
NolaCon 2018 – Slides (PDF)
NolaCon 2018 – Presentation Video (YouTube) -
BSidesCharm 2018 – “FailTime – Failing Towards Success”
BSidesCharm 2018 – Slides (PDF – with notes!)
BSidesCharm 2018 – Presentation Video (YouTube) -
Troopers 2018 – “Active Directory Security: The Journey [Version 2]
Troopers 2018 (Heidelberg, Germany) March 2018
Troopers 2018 – Slides (PDF)
Troopers 2018 – Presentation Video (YouTube) -
HackCon 2018 – “When Worlds Collide: Security in a Cloud-Enabled Environment” [Version 2]
HackCon 2018 (Oslo, Norway) February 2018
HackCon 2018 – Slides (PDF)
(not recorded)
2017 Presentations:
-
Microsoft Blue Hat 2017 – “Active Directory Security: The Journey”
Microsoft Blue Hat 2017 (Redmond, WA) November 2017
BlueHat 2017 – Slides (PDF)Blue Hat Demo Videos (done by Jared Haight @jaredhaight author of PS>Attack):
1. Getting credentials with Responder: HTTP and SMB.
2. Running Responder after mitigations – no creds. -
Hybrid Identity Protection Conference (2017) – “When Worlds Collide: Security in a Cloud-Enabled Environment”
HIPConf (New York, NY) November 2017
HIPConf 2017 – Slides (PDF) -
DerbyCon 7 (2017) – “The Current State of Security an Improv-spection” with Nick Carr (@ItsReallyNick)
DerbyCon 7 (Louisville, KY) September 2017
DerbyCon 7 Slides (PDF)
DerbyCon 7 (2017) Presentation Video (YouTube) -
DEF CON 25 (2017) – “Hacking the Cloud” with Gerald Steere (@DarkPawh)
DEF CON 25 (Las Vegas, NV) July 2017
DEF CON 25 (2017) Slides (PDF)
Written Transcript (courtesy of Trimarc)
DEF CON 25 (2017) Presentation Video (YouTube) -
Ryerson University IT Conference (Toronto, Canada) – “The Current Threat Landscape,Modern Defenses, & Effective Detection”
Slides (PDF) -
BSides Charm (2017) – “Detecting the Elusive: Active Directory Threat Hunting”
BSides Charm (Baltimore, MD) 2017 (April 2017)
BSides Charm 2017 Slides (PDF)
Written Transcript (courtesy of Trimarc)
BSides Charm Presentation Video (YouTube) -
Sp4rkCon (2017) – “Active Directory Security: The Good, the Bad, & the UGLY”
Sp4rkCon (Bentonville, AR) 2017 (March 2017)
Sp4rkCon 2017 Slides (PDF)
2016 Presentations:
-
BSides DC (2016) – “PowerShell Security: Defending the Enterprise from the Latest Attack Platform” (v2)
BSides DC (Washington, DC) 2016 (October 2016)
BSides DC 2016 Slides (PDF)
BSides DC Presentation Video (YouTube) -
DerbyCon 6 (2016) – “Attacking EvilCorp: Anatomy of a Corporate Hack (aka How You Got Hacked)” with Will @harmj0y Schroeder (blog.harmj0y.net)
DerbyCon 6 (September 2016)
DerbyCon 6 (2016) Slides (PDF)
DerbyCon 6 (2016) Presentation Video (YouTube)
Download mp4 presentation video (archive.org)
DerbyCon Demo Videos:
1. Active Directory Recon with Bloodhound.
2. Compromising an AD domain by leveraging a custom local admin password solution.
3. Compromising an AD domain by Kerberoasting to offline crack service account password. Will has a great blog post on Kerberoasting with PowerShell.
4. Leverage compromised domain in the AD forest to “SID Hop” from child “R&D” domain to “Production” domain in an AD Forest.
-
DEF CON 24 (2016) – “Beyond the MCSE: Red Teaming Active Directory”
DEF CON 24 (August 2016)
DEF CON 24 (2016) Slides (PDF)
DEF CON 24 (2016) Presentation Video (YouTube) -
Black Hat USA 2016 – “Beyond the MCSE: Active Directory for the Security Professional”
Black Hat USA 2016 (August 2016)
Black Hat USA 2016 Slides (PDF)
Black Hat USA 2016 Whitepaper (PDF)
Black Hat USA 2016 Presentation Video (YouTube) -
BSides Charm (2016) – “PowerShell Security: Defending the Enterprise from the Latest Attack Platform”
BSides Charm (Baltimore) 2016 (April 2016)
BSides Charm 2016 Slides (PDF)
BSides Charm Presentation Video (YouTube)
2015 Presentations:
Note: Each AD Security “Red vs Blue” presentation has some different material though the flow is the same.
Furthermore, Mimikatz is used quite extensively in these talks. Read my Mimikatz Guide for more information on its capabilities and usage.
-
DerbyCon Edition – “Red vs. Blue: Modern Active Directory Attacks & Defense” (v5)
– New Sneaky Active Directory Persistence Methods, Advanced Red Team Recon Tactics, Remote Execution Methods, Mimikatz DC Sync Usage & Detection, & Detecting offensive PowerShell tools including Invoke-Mimikatz
DerbyCon V (September 2015)
DerbyCon V Slides (PDF)
DerbyCon Presentation Video (YouTube) -
DEF CON Edition – “Red vs. Blue: Modern Active Directory Attacks & Defense” (v4)
– Sneaky Active Directory Persistence Methods
DEF CON 23 (August 2015)
DEF CON 23 Slides (PDF)
DEF CON 23 Presentation Video (YouTube) -
Black Hat Edition – “Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection” (v3)
– “Enhanced” Golden Tickets & Exploiting Kerberos Unconstrained Delegation
Black Hat USA 2015 (August 2015)
Black Hat Slides (PDF)
Black Hat Presentation Video (YouTube)
-
“Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection” (v2)
– Forging Kerberos Trust Tickets
Shakacon VII (July 2015)
Slides (PDF)
Shakacon Presentation Video (YouTube)
-
“Red vs. Blue: Modern Active Directory Attacks, Detection, & Protection” (v1)
BSides Charm (Baltimore) 2015 (April 2015)
Slides (PDF) -
“Mastering PowerShell and Active Directory”
PowerShell User’s Group (January 2015)
Slides (PDF)
(Visited 141,566 times, 3 visits today)
Recent Comments