{"id":8,"date":"2014-04-27T02:23:11","date_gmt":"2014-04-27T06:23:11","guid":{"rendered":"http:\/\/blog.metcorp.org\/?page_id=8"},"modified":"2026-05-04T16:41:16","modified_gmt":"2026-05-04T20:41:16","slug":"about","status":"publish","type":"page","link":"https:\/\/adsecurity.org\/?page_id=8","title":{"rendered":"About"},"content":{"rendered":"<p><em>Interested in securing your Active Directory and Entra ID environment? <\/em><br \/>\n<a href=\"https:\/\/www.trimarcsecurity.com\/contact\"><em>Contact us!<\/em><\/a><\/p>\n<p>Sean Metcalf (<a href=\"https:\/\/twitter.com\/PyroTek3\">@PyroTek3<\/a>) is a Microsoft Certified Master (MCM) \/ Microsoft Certified Solutions Master (MCSM) in Directory Services (Active Directory Windows Server 2008 R2) which is an elite group of Active Directory experts (only about 100 worldwide). Sean is a recognized global expert in Microsoft Identity and has spoken 52 times at 25 different conferences.<\/p>\n<p>Often referred to as the &#8220;Godfather&#8221; of Active Directory security, Sean performs security research focused on the Microsoft identity platform, Windows, Active Directory, &amp; Entra ID security research, the results of which he shares at conferences, the <a href=\"https:\/\/trustedsec.com\/blog\">TrustedSec blog<\/a>, and on <a href=\"http:\/\/ADSecurity.org\">ADSecurity.org<\/a>. 
He\u00a0has presented on Active Directory, Azure AD\/Entra ID, &amp; Microsoft Cloud attack and defense at security conferences such as <a href=\"https:\/\/www.blackhat.com\/\">Black Hat<\/a>, <a href=\"https:\/\/blueteamcon.com\/\">Blue Team Con<\/a>, BSides, <a href=\"https:\/\/defcon.org\/\">DEF CON<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/DerbyCon\">DerbyCon<\/a>, <a href=\"https:\/\/www.rsaconference.com\/\">RSA<\/a>, <a href=\"https:\/\/troopers.de\/\">Troopers<\/a>, &amp; the internal <a href=\"https:\/\/msrc.microsoft.com\/bluehat\/\">Microsoft BlueHat<\/a> security conference.<br \/>\nSlides &amp; videos (if available) from these presentations can be found on the <a href=\"https:\/\/adsecurity.org\/?page_id=1352\">Presentations page<\/a>.<\/p>\n<p>Sean Metcalf is an Identity Security Architect with <a href=\"https:\/\/trustedsec.com\/\">TrustedSec<\/a>. He is also a co-host on the popular podcast <a href=\"https:\/\/www.scworld.com\/podcast-show\/enterprise-security-weekly\">Enterprise Security Weekly<\/a> with recordings available on <a href=\"https:\/\/www.youtube.com\/playlist?list=PLlPkFwQHxYE4j9Nxn8LO2vc2D89ZjEqmA\">YouTube<\/a>.<\/p>\n<p>Sean developed an \u00a0<a href=\"https:\/\/www.trimarcsecurity.com\/ad-security-assessment\">Active Directory security assessment<\/a> &amp; <a href=\"https:\/\/www.trimarcsecurity.com\/microsoftcloud-security-assessment\">Entra ID security assessment<\/a> engagement offering based on his research and industry best practices which identifies security configuration issues typically leveraged by attackers to compromise the enterprise. 
Both of these security assessments include a final report that provides hardening and security recommendations.<br \/>\nIf you are interested in a review of your Active Directory and\/or Entra ID security posture, <a href=\"https:\/\/www.trimarcsecurity.com\/contact\"><em>Contact us!<\/em><\/a><\/p>\n<p><a href=\"http:\/\/ADSecurity.org\">ADSecurity.org<\/a> (Active Directory Security) is a place where he shares Microsoft enterprise security guidance and information about current threats to enterprise networks &amp; mitigation for these threats, Active Directory &amp; Entra ID design and configuration tips, as well as leveraging PowerShell in these environments.<\/p>\n<p>Here are some of Sean&#8217;s accomplishments:<\/p>\n<ul>\n<li>2015: Published <a href=\"https:\/\/adsecurity.org\/?p=1515\">original method to detect Golden Tickets<\/a><\/li>\n<li>2015: Made <a href=\"https:\/\/adsecurity.org\/?p=1640\">Golden Tickets more effective<\/a> by adding Enterprise Admins to SIDHistory in the ticket (extrasids) working with Benjamin Delpy<\/li>\n<li>2015: <a href=\"https:\/\/adsecurity.org\/?p=1729\">Described what rights were necessary to DCSync<\/a>, including initial detection guidance<\/li>\n<li>2015: Described \u201c<a href=\"https:\/\/adsecurity.org\/?p=230\">SPN Scanning<\/a>\u201d \u2013 identifying services on a network without port scanning<\/li>\n<li>2015: Identified how to <a href=\"https:\/\/adsecurity.org\/?p=2753\">use Silver Tickets to compromise AD<\/a> (via DCs) for persistence<\/li>\n<li>2015: First to identify that the DSRM account is actually the RID 500 &#8220;Administrator&#8221; account on the Domain Controller.<\/li>\n<li>2015: Described <a href=\"https:\/\/adsecurity.org\/?p=1785\">how to pass-the-hash using the DC\u2019s DSRM password<\/a> (with Benjamin Delpy)<\/li>\n<li>2015: Described how to <a href=\"https:\/\/adsecurity.org\/?p=1906\">modify AdminSDHolder permissions for persistence<\/a><\/li>\n<li>2016: Published methods to <a 
href=\"https:\/\/adsecurity.org\/?p=2921\">better detect PowerShell attack activity<\/a><\/li>\n<li>2017: Published <a href=\"https:\/\/adsecurity.org\/?p=3513\">first effective detection of Kerberoasting with no false positives<\/a> (still effective)<\/li>\n<li>2017: Published <a href=\"https:\/\/adsecurity.org\/?p=4517\">Password Spray (AD) detection when attackers use Kerberos<\/a><\/li>\n<li>2017: Discussed how to forge federation tokens (aka \u201cGoldenSAML\u201d) &amp; compromise AD through Azure AD Connect (on-prem)<\/li>\n<li>2018: Described how <a href=\"https:\/\/adsecurity.org\/?p=3592\">most Read-Only Domain Controller deployments are vulnerable<\/a> &amp; how to improve<\/li>\n<li>2018: Discussed how to bypass most enterprise password vault security<\/li>\n<li>2019: Presented on Microsoft Cloud (Azure AD &amp; Microsoft Office 365) attack &amp; defense at BlackHat &amp; DEFCON Cloud Security Village<\/li>\n<li>2020: Published info on how to <a href=\"https:\/\/adsecurity.org\/?p=4277\">compromise Azure instances (VMs) from Microsoft Office 365<\/a><\/li>\n<li>2021: 1 of 3 people thanked during <a href=\"https:\/\/www.youtube.com\/watch?v=q7bu-L-m4K4&amp;t=2162s\">CISA Director\u2019s BlackHat keynote<\/a> for SolarWinds help<\/li>\n<li>2021: <a href=\"https:\/\/blueteamcon.com\/directory\/2021-keynote-into-the-blue\/\">Keynote speaker for the first year of Blue Team Con<\/a><\/li>\n<li>2025: Published information on how to <a href=\"https:\/\/trustedsec.com\/blog\/detecting-password-spraying-with-a-honeypot-account\">detect Active Directory password spray attacks<\/a> with no false positives.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\">In the Press:<\/span><\/p>\n<ul>\n<li><a href=\"http:\/\/www.csoonline.com\/article\/3102115\/security\/black-hat-basics-ruminations-on-19-years-of-black-hat-briefings.html\">CSO Online article<\/a> &amp; <a 
href=\"http:\/\/www.pcworld.com\/article\/3107611\/security\/respect-windows-10-security-impresses-hackers.html\">PCWorld\u2019s article<\/a> on Sean&#8217;s Black Hat USA 2016 talk.<\/li>\n<li>Rally Security podcast interview on August 31st, 2016. Interview available via podcast app and <a href=\"https:\/\/www.youtube.com\/watch?v=ksIzqOvku94\">YouTube video<\/a>.<\/li>\n<li><a href=\"http:\/\/securityweekly.com\/\">Security Weekly<\/a> interview (#462) on April 28th, 2016. Interview available via podcast app, <a href=\"http:\/\/hwcdn.libsyn.com\/p\/0\/5\/0\/050c9d5f0ef66303\/Security_Weekly_462_-_Interview_with_Sean_Metcalf_Microsoft_Certified_Master.mp3?c_id=11587750&amp;expiration=1462041921&amp;hwt=26fb2f98d8eded1d7ae85607add03b49\">audio<\/a>, and <a href=\"https:\/\/youtu.be\/L8vX56kTsyE?t=512\">YouTube video<\/a>.<\/li>\n<li><a href=\"https:\/\/redmondmag.com\">Redmond Magazine<\/a> published an <a href=\"https:\/\/redmondmag.com\/Articles\/2016\/02\/24\/PowerShell-Improved-Security.aspx\">article on PowerShell security<\/a> quoting my post on <a href=\"https:\/\/adsecurity.org\/?p=2604\">Detecting Offensive PowerShell Attack Tools<\/a>.<br \/>\nThe same <a href=\"https:\/\/mcpmag.com\/articles\/2016\/02\/24\/improved-security-powershell.aspx\">article also ran on MCPMag.com<\/a>.<\/li>\n<li><a href=\"http:\/\/www.itworldcanada.com\/\">IT World Canada<\/a> reached out to me in late 2015 to help with an <a href=\"http:\/\/www.itworldcanada.com\/article\/it-not-doing-enough-to-secure-active-directory-says-expert\/380201\">article on Active Directory attack &amp; defense<\/a>.<\/li>\n<li><a href=\"http:\/\/www.itworldcanada.com\/\">IT World Canada<\/a> also requested comments for a second story titled: &#8220;<a href=\"http:\/\/www.itworldcanada.com\/article\/22-tips-for-preventing-ransomware-attacks\/380246\">22 tips for preventing ransomware attacks<\/a>&#8221;.<\/li>\n<\/ul>\n<p>To contact Sean, please use the <a 
href=\"https:\/\/adsecurity.org\/?page_id=293\">contact page<\/a> or email\u00a0 s e a n \/@\\ ADSecurity.org<\/p>\n<p><em>ADSecurity.org is Sean&#8217;s personal website and reflects his own views.<br \/>\nAll trademarks and copyrights belong to their owners.<br \/>\n<\/em><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Interested in securing your Active Directory and Entra ID environment? Contact us! Sean Metcalf (@PyroTek3) is a Microsoft Certified Master (MCM) \/ Microsoft Certified Solutions Master (MCSM) in Directory Services (Active Directory Windows Server 2008 R2) which is an elite group of Active Directory experts (only about 100 worldwide). Sean is a recognized global expert &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?page_id=8\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-8","page","type-page","status-publish","hentry","nodate","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/pages\/8","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8"}],"version-history":[{"count":52,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/pages\/8\/revisions"}],"predecessor-version":[{"id":5027,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/pages\/8\/revisions\/5027"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8"}],"curies":[{"name":"wp","href
":"https:\/\/api.w.org\/{rel}","templated":true}]}}