May 01 2017
I recently presented my talk “Detecting the Elusive: Active Directory Threat Hunting” at BSides Charm in Baltimore, MD. Slides are now posted in the Presentations section. I cover some of the information I’ve posted here before: PowerShell Security Detecting Kerberoasting: Part 1 and Part 2 On Sunday, April 30th, 2017, I spoke at BSides Charm in …
May 01 2017
I recently presented my talk “Active Directory Security: The Good, the Bad, & the UGLY” at Sp4rkCon in Bentonville, AR in April 2017. Slides are now posted in the Presentations section. I cover some of the information I’ve posted here before: PowerShell Security Detecting Kerberoasting: Part 1 and Part 2 Here’s the talk description: Active Directory Security:The Good, the …
Nov 03 2016
Active Directory security effectively begins with ensuring Domain Controllers (DCs) are configured securely. At BlackHat USA this past Summer, I spoke about AD for the security professional and provided tips on how to best secure Active Directory. This post focuses on Domain Controller security with some cross-over into Active Directory security. The blog is called …
Aug 13 2016
This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24. Hopefully this post provides current information on PowerShell usage for both Blue and Red teams. Related posts: BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest …
Jan 01 2016
There are many ways an attacker can gain Domain Admin rights in Active Directory. This post is meant to describe some of the more popular ones in current use. The techniques described here “assume breach” where an attacker already has a foothold on an internal system and has gained domain user credentials (aka post-exploitation). The …
Dec 31 2015
Microsoft’s Kerberos implementation in Active Directory has been targeted over the past couple of years by security researchers and attackers alike. The issues are primarily related to the legacy support in Kerberos when Active Directory was released in the year 2000 with Windows Server 2000. This legacy support is enabled when using Kerberos RC4 encryption …
Sep 26 2015
The content in this post links to several methods through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. While there are an infinite number of actions an attacker can perform after compromising an enterprise, there are a finite number of pathways. In this series, …
Interested in securing your Active Directory and Entra ID environment? Please Contact Us! Sean Metcalf, Identity Security Architect at TrustedSec, has presented 52 times on security attack and defense at 25 security conferences including: Black Hat USA (2015, 2016, 2018, 2019) Blue Team Con Keynote (2021) BSides Charm (2015, 2016, 2017, 2018, 2019, 2024) BSides …
Interested in securing your Active Directory and Entra ID environment? Contact us! Sean Metcalf (@PyroTek3) is a Microsoft Certified Master (MCM) / Microsoft Certified Solutions Master (MCSM) in Directory Services (Active Directory Windows Server 2008 R2) which is an elite group of Active Directory experts (only about 100 worldwide). Sean is a recognized global expert …
Recent Comments