Sean Metcalf

I improve security for enterprises around the world working for TrimarcSecurity.com Read the About page (top left) for information about me. :) https://adsecurity.org/?page_id=8

Author's posts

Mar 01 2016

ADSecurity.org Now Sponsored by Trimarc!

By Sean Metcalf in Technical Reference

Sean has founded a new security company called Trimarc focused on providing enterprise security solutions. Launching today, Trimarc’s mission is to identify ways to better protect organizations from modern threats not effectively stopped by traditional security measures. ADSecurity.org will continue thanks to Trimarc! Check out Trimarc’s capabilities at TrimarcSecurity.com.

Feb 24 2016

PowerShell Version 5 is Available for Download (again)

By Sean Metcalf in Technical Reference

After about two months of Microsoft PowerShell developers working around the clock (probably), the bug that wound up causing the WMF 5.0 RTM installer to be pulled is now fixed. There was an issue with the original release dealing with PSModulePath ($Env:PSModulePath) which was reset to default after installation of the original PowerShell v5 installer. …

Feb 23 2016

Building an Effective Active Directory Lab Environment for Testing

By Sean Metcalf in ActiveDirectorySecurity, Continuing Education, Technical Reference

This post is not meant to describe the ultimate lab configuration. Instead the focus is on a lab environment that can be stood up quickly and easily as a learning tool. The best way to learn about computer networking and security is to have a home lab. The great thing is that a home lab …

Feb 11 2016

Detecting Offensive PowerShell Attack Tools

By Sean Metcalf in ActiveDirectorySecurity, Malware, Microsoft Security, PowerShell, Technical Reference

At DerbyCon V (2015), I presented on Active Directory Attack & Defense and part of this included how to detect & defend against PowerShell attacks. Update: I presented at BSides Charm (Baltimore) on PowerShell attack & defense in April 2016. More information on PowerShell Security: PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection The most …

Bypass PowerShell ExecutionPolicy, Detect Invoke-Mimikatz, Detect offensive PowerShell, detect PowerShell attack tools, ExecutionPolicyBypass, Invoke-Expression, Invoke-Mimikatz, InvokeMimikatz, New-Object Net.WebClient DownloadString, Offensive PowerShell, PowerShell Attack Tool, PowerShell Attacks, PowerShell Constrained Language Mode, PowerShell Execution Policy, PowerShell GPO, PowerShell Logging Group Policy, PowerShell Mimikatz, PowerShell.exe, PowershellLogging, PowerShellMafia, PowerShellSecurity, PowerShellv5, PowerSploit, script block logging, System-wide transcript, System.Management.Automation.dll, Windows10

Feb 11 2016

PowerShell Version 5 Security Enhancements

By Sean Metcalf in Microsoft Security, PowerShell, Technical Reference

PowerShell version 5 is RTM (As of 12/18/2015). Prior to this there was a “production preview” available since August which means it was supported, but not final. With the final release of PowerShell v5 now available, I highly recommend you download PowerShell v5 and start testing to prepare for production deployment. While the PowerShell v5 …

AMSI, PowerShell Antimalware Intgration, PowerShellSecurity, PowerShellv5, script block logging, System-wide transcript, Windows10

Jan 31 2016

Microsoft EMET 5.5 Released – Benefits, New Features, Protection, Logging, & GPO Config

By Sean Metcalf in Microsoft Security, Mitigation

Microsoft recently released Enhanced Mitigation Experience Toolkit (EMET) version 5.5 (it jumped from 5.2 to 5.5) which includes Windows 10 compatibility and better GPO support (among others). I’ve included information from a variety of Microsoft sources in this post so that others don’t have to search for the data separately. The resources/references are listed at …

ASLR, Blocking Untrusted Fonts feature, Bottom-up ASLR, caller checks, CertTrust.xml, DEP, EAF, EAF/EAF+, EAF/EAF+ perf improvements, EMET, EMET Event Logging, EMET5.5, EMET55, EMETWindows10, EMET_Conf, Enhanced Mitigation Experience Toolkit, Enhanced Mitigation Experience Toolkit (EMET) 5.5 Beta User Guide, EnhancedMitigationExperienceToolkit, Export Address Table Access Filtering (EAF), Export Address Table Access Filtering Plus (EAF+), Heap Spray, HideEMET, HideEMETIcon, Load Library, Mandatory ASLR, Memory PRotection, Microsoft EMET Service, MicrosoftEMET, MicrosoftEMET5.5, NULL Page, Popular Software.xml, Recommended Software.xml, SEHOP, Simulate executionflow, stack pivot, Untrusted font mitigation, untrusted fonts, Windows10, \SOFTWARE\Policies\Microsoft\EMET

Jan 27 2016

Active Directory Recon Without Admin Rights

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security

A fact that is often forgotten (or misunderstood), is that most objects and their attributes can be viewed (read) by authenticated users (most often, domain users). The challenge is that admins may think that since this data is most easily accessible via admin tools such as “Active Directory User and Computers” (dsa.msc) or “Active Directory …

AppLocker, EMET, FindAdminAccounts, FindComputers, LAPS, LAPSDelegation, LocalAdministrator, MicrosoftAppLocker, MicrosoftEMET, ms-Mcs-AdmPwd, NetworkPortScan, SPNScanning

Jan 22 2016

ADSecurity.org in the Press!

By Sean Metcalf in ActiveDirectorySecurity

IT World Canada reached out to me recently to help with an article on Active Directory attack & defense. Read the article: “IT not doing enough to secure Active Directory, says expert.” IIT World Canada also requested comments for a second story titled: “22 tips for preventing ransomware attacks“.

ActiveDirectory, ActiveDirectorySecurity, ADSecurity, ITWorld, ITWorldArticle, ITWorldCanada

Jan 18 2016

So You Want to Speak at a Security Conference?

By Sean Metcalf in Security Conference Presentation/Video

After performing research at the end of 2014 on Microsoft enterprise security, specifically Active Directory, I realized that others may be interested in this information – my customers certainly were! So, I decided to submit a talk to the various security conferences and see what happened. I certainly didn’t expect to be accepted at 5 …

BlackHatCFP, BSidesCFP, CallForPapers, CFP, CFPResponse, CFPSubmission, ConferenceCFP, DEFCONCFP, DerbyConCFP, HackerCon, Presentation, SecurityConference, SecurityConferenceCFP, ShakaconCFP, Talk

Jan 05 2016

Mimikatz Update Fixes Forged Kerberos Ticket Domain Field Anomaly – Golden Ticket Invalid Domain Field Event Detection No Longer Works

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security

In late 2014, I discovered that the domain field in many events in the Windows security event log are not properly populated when forged Kerberos tickets are used. The key indicator is that the domain field is blank or contains the FQDN instead of the short (netbios) name and depending on the tool used to …

ActiveDirectory, ActiveDirectorySecurity, ADSecurity, DetectForgedKerberoTicket, DetectGoldenTicket, DetectingForgedKerberosTicket, DetectSilverTicket, ForgedKerberosTicket, GoldenTicket, kerberos::golden, mimikatz, SilverTicket

Sean Metcalf

Author's posts

ADSecurity.org Now Sponsored by Trimarc!

PowerShell Version 5 is Available for Download (again)

Building an Effective Active Directory Lab Environment for Testing

Detecting Offensive PowerShell Attack Tools

PowerShell Version 5 Security Enhancements

Microsoft EMET 5.5 Released – Benefits, New Features, Protection, Logging, & GPO Config

Active Directory Recon Without Admin Rights

ADSecurity.org in the Press!

So You Want to Speak at a Security Conference?

Mimikatz Update Fixes Forged Kerberos Ticket Domain Field Anomaly – Golden Ticket Invalid Domain Field Event Detection No Longer Works

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Sean Metcalf

Author's posts

Recent Posts

Trimarc Active Directory Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright