Interested in securing your enterprise and Active Directory environment? Contact us!
Sean Metcalf (@PyroTek3) is a Microsoft Certified Master (MCM) / Microsoft Certified Solutions Master (MCSM) in Directory Services (Active Directory Windows Server 2008 R2) which is an elite group of Active Directory experts (only about 100 worldwide). Sean is a recognized global expert in Microsoft Identity and has spoken over 50 times at over 20 different conferences.
Sean performs security research focused on the Microsoft identity platform, Windows, Active Directory, & Entra ID, the results of which he shares at conferences, the TrustedSec blog, and on ADSecurity.org. He has presented on Active Directory, Azure AD/Entra ID, & Microsoft Cloud attack and defense at security conferences such as Black Hat, Blue Team Con, BSides, DEF CON, DerbyCon, RSA, Troopers, & the internal Microsoft BlueHat security conference.
Slides & videos (if available) from these presentations can be found on the Presentations page.
Sean Metcalf is an Identity Security Architect with TrustedSec. He is also a co-host on the popular podcast Enterprise Security Weekly with recordings available on YouTube.
Sean developed an Active Directory security assessment & Entra ID security assessment engagement offering based on his research and industry best practices which identifies security configuration issues typically leveraged by attackers to compromise the enterprise. Both of these security assessments include a final report that provides hardening and security recommendations.
If you are interested in a review of your Active Directory and/or Entra ID security posture, Contact us!
ADSecurity.org (Active Directory Security) is a place where he shares Microsoft enterprise security guidance and information about current threats to enterprise networks & mitigation for these threats, Active Directory & Entra ID design and configuration tips, as well as leveraging PowerShell in these environments.
Here are some of my accomplishments:
- 2015: Published original method to detect Golden Tickets
- 2015: Made Golden Tickets more effective by adding Enterprise Admins to SIDHistory in the ticket (extrasids) working with Benjamin Delpy
- 2015: Described what rights were necessary to DCSync, including initial detection guidance
- 2015: Described “SPN Scanning” – identifying services on a network without port scanning
- 2015: Identified how to use Silver Tickets to compromise AD (via DCs) for persistence
- 2015: First to identify that the DSRM account is actually the RID 500 “Administrator” account on the Domain Controller.
- 2015: Described how to pass-the-hash using the DC’s DSRM password (with Benjamin Delpy)
- 2015: Described how to modify AdminSDHolder permissions for persistence
- 2016: Published methods to better detect PowerShell attack activity
- 2017: Published first effective detection of Kerberoasting with no false positives (still effective)
- 2017: Published Password Spray (AD) detection when attackers use Kerberos
- 2017: Discussed how to forge federation tokens (aka “GoldenSAML”) & compromise AD through Azure AD Connect (on-prem)
- 2018: Described how most Read-Only Domain Controller deployments are vulnerable & how to improve
- 2018: Discussed how to bypass most enterprise password vault security
- 2019: Presented on Microsoft Cloud (Azure AD & Microsoft Office 365) attack & defense at BlackHat & DEFCON Cloud Security Village
- 2020: Published info on how to compromise Azure instances (VMs) from Microsoft Office 365
- 2021: 1 of 3 people thanked during CISA Director’s BlackHat keynote for SolarWinds help
- 2021: Keynote speaker for the first year of Blue Team Con
- 2025: Published information on how to detect Active Directory password spray attacks with no false positives.
In the Press:
- CSO Online article & PCWorld’s article on Sean’s Black Hat USA 2016 talk.
- Rally Security podcast interview on August 31st, 2016. Interview available via podcast app and YouTube video.
- Security Weekly interview (#462) on April 28th, 2016. Interview available via podcast app, audio, and YouTube video.
- Redmond Magazine published an article on PowerShell security quoting my post on Detecting Offensive PowerShell Attack Tools. The same article also ran on MCPMag.com.
- IT World Canada reached out to me in late 2015 to help with an article on Active Directory attack & defense.
- IT World Canada also requested comments for a second story titled: “22 tips for preventing ransomware attacks“.
To contact Sean, please use the contact page or email s e a n /@\ ADSecurity.org
ADSecurity.org is Sean’s personal website and reflects his own views.
All trademarks and copyrights belong to their owners.