DSInternals – Active Directory & Azure AD/Entra ID Security

Oct 04 2025

The History of Active Directory Security

By Sean Metcalf in ActiveDirectorySecurity, Technical Reference

During the Summer of 2024, I had a talk at Troopers called “A Decade of Active Directory Attacks:What We’ve Learned & What’s Next” (Slides & Video) where I focused on the key milestones of Active Directory security (history). This article covers my “decade of Active Directory attacks” in some detail which was correlated with public …

May 29 2020

Attacking Active Directory Group Managed Service Accounts (GMSAs)

By Sean Metcalf in ActiveDirectorySecurity, Hacking, Microsoft Security

In May 2020, I presented some Active Directory security topics in a Trimarc Webcast called “Securing Active Directory: Resolving Common Issues” and included some information I put together relating to the security of AD Group Managed Service Accounts (GMSA). This post includes the expanded version of attacking and defending GMSAs I covered in the webcast.I …

clear-text password, Computer Account, ConvertTo-NTHash, DSInternals, Get-ADReplAccount, Get-ADServiceAccount, GMSA, GMSA password, GMSA password hash, GMSA SPN, Group Managed Service Accounts, Kerberos, Kerberos SPN, LSASS, mimikatz, msDS-GroupManagedServiceAccount, msDS-GroupMSAMembership, msds-ManagedPassword, msDS-ManagedPasswordId, msDS-ManagedPasswordInterval, msDS-ManagePasswordInterval, PrincipalsAllowedToRetriveManagedPassword, PSEXEC, Sekurlsa::ekeys, sekurlsa::logonpasswords, service principal name, ServicePrincipalNames, SPN, SYSTEM, _SA_

Sep 25 2015

Mimikatz DCSync Usage, Exploitation, and Detection

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

Note: I presented on this AD persistence method at DerbyCon (2015). A major feature added to Mimkatz in August 2015 is “DCSync” which effectively “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller. DCSync was written by Benjamin Delpy and Vincent Le Toux. The exploit method prior to DCSync was …

DCE/RPC, DCSync, DCSyncAsUser, DCSyncRights, DetectDCSync, DomainControllerImpersonation, DRSUAPI, DSGetNCChanges, DSInternals, GSS-API, Impacket, ImpersonateDC, mimikatz, MimikatzDCSync, ReplicatingDirectoryChanges, ReplicatingDirectoryChangesALL, ReplicatingDirectoryChangesInFilteredSet

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2025.

Tag: DSInternals

The History of Active Directory Security

Mimikatz DCSync Usage, Exploitation, and Detection

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Tag: DSInternals

The History of Active Directory Security

Attacking Active Directory Group Managed Service Accounts (GMSAs)

Mimikatz DCSync Usage, Exploitation, and Detection

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright