Sean Metcalf

@PyroTek3

34,459
Followers
585
Following
1,418
Media
21,380
Statuses

Microsoft Certified Master #ActiveDirectory & former Microsoft MVP. Founder/CTO @TrimarcSecurity . He/Him. Work requests: #BLM

4°08'15.0N 162°03'42.0E
Joined August 2014
Pinned Tweet
@PyroTek3
Sean Metcalf
4 years
To my black family, friends, and people seeing this: I love you You matter I'm here for you #BlackLivesMatter
6
3
120
@PyroTek3
Sean Metcalf
4 years
Dentist: "Have you been flossing?" Me: .......... Dentist: .......... Me: "Do you ensure all of your web account passwords are unique, especially for things like bank websites?" Dentist: .......... Me: .......... Dentist: "So, see you in 6 months?" Me: "Sure"
26
1K
4K
@PyroTek3
Sean Metcalf
5 months
IMO, Infosec fails when we do stuff like this.
30
132
2K
@PyroTek3
Sean Metcalf
2 years
Due to breaches involving MFA bombing (attacker keeps sending MFA requests until accepted) now is the time for organizations with Office 365 to enable MFA number matching in Microsoft Authenticator. You can deploy to a group before configuring for all. 1/3
19
304
1K
@PyroTek3
Sean Metcalf
5 years
Patch your Domain Controllers running DNS (typical config, so most orgs) ASAP. DNS remote code execution vulnerability which runs as LocalSystem on Windows DNS server (usually a DC).
17
946
1K
@PyroTek3
Sean Metcalf
6 years
Updated ADSecurity posts w/ event IDs to focus on when enabling logging & why they matter. Securing Windows Workstations: Securing Domain Controllers: I'll work on getting this into a consolidated post on recommended event auditing.
16
581
948
@PyroTek3
Sean Metcalf
5 years
Reason #317 why Admin workstations are now required for secure AD administration. RDP from a standard user workstation to a server using DA creds is not secure, even when using MFA (once DA username & pw are discovered, attacker can connect via LDAP which won’t require MFA).
@FuzzySec
b33f | 🇺🇦✊
5 years
I wrote up a quick POC, RemoteViewing, to demo RDP credential theft (adapted from @0x09AL post => ) using EasyHook and Donut ☠️🖥️. More details on GitHub =>
7
390
841
12
354
848
@PyroTek3
Sean Metcalf
6 years
New post: "Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory" Provides some attack scenarios and mitigation. If you have RODCs in your #ActiveDirectory environment, you should read this.
11
590
816
@PyroTek3
Sean Metcalf
7 years
Slides from my Blue Hat talk today on "Active Directory Security: The Journey" now posted on . I cover history of AD security features, enterprise application AD permission issues, and discuss Microsoft's AD security guidance.
12
400
755
@PyroTek3
Sean Metcalf
2 years
Keyboard walking or pattern passwords are easily guessed. Attackers include these types of passwords since admins use them (they certainly look random and complex) and they are often used as service account passwords. Image reference article:
10
304
733
@PyroTek3
Sean Metcalf
5 years
"TLDR: You can sniff BitLocker keys in the default config, ... TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code,.... After sniffing, you can decrypt the drive. Don’t want to be vulnerable ...? Enable additional pre-boot authentication."
@0x446f49
DoI
5 years
New article is up :-D Stealing encryption keys for bitlocker, for both TPM1.2 and TPM2.0 devices. Source code included ^_^
14
489
738
9
399
684
@PyroTek3
Sean Metcalf
3 years
I recently taught my kids to reply "ACK" when I tell them something & I need to know they heard me. "We're leaving in 10 minutes" "ACK" "ACK" I haven't told my wife to expect this or what it means 😄
41
30
642
@PyroTek3
Sean Metcalf
4 years
Lot going on this week, so let's focus on some positive. Review Active Directory security posture Detect Kerberoasting Detect Password Spraying Configuring AD Honeypot Accounts
2
183
581
@PyroTek3
Sean Metcalf
5 years
Hi, I’m Sean. I don’t have a degree. I have learned everything I know by reading, on the job experience, studying for industry certifications, & playing around in lab environments. And a bunch of guesswork. Don’t let the lack of a degree hold you back.
@brentwdesign
Brent White / We Hack People
5 years
It's sad to me the number of super talented people that I know and meet that are scared away from a career in #CyberSecurity just because they don't have a degree.
41
46
241
11
99
573
@PyroTek3
Sean Metcalf
5 years
My #BSidesCharm talk "You Moved to Office 365, Now What?" slides & video posted. I cover key Microsoft Cloud (Azure AD & Office 365) security controls and recommendations. Slides (& other presentations): Video:
12
234
581
@PyroTek3
Sean Metcalf
7 years
After an extended delay, the ADSecurity unofficial Mimikatz guide is now current & updated for #Mimikatz version 2.1.1 (November 28, 2017). Includes all modules & commands.
6
394
568
@PyroTek3
Sean Metcalf
6 years
Slides from my #DerbyCon talk "From Workstation to Domain Admin..." are now on . Slides: Talk Video:
4
281
568
@PyroTek3
Sean Metcalf
3 years
Tweet Thread on Resumes & Interviewing & things I look for (IT/Infosec focused). I have likely seen hundreds of resumes (aka CVs) and interviewed many dozens of people in various positions. Here's what I've learned.
9
130
499
@PyroTek3
Sean Metcalf
5 years
Please share in this thread some defensive techniques that are relatively simple to configure/deploy and that have a high success rate (low false positives). I'll start: * Detect Kerberoasting: * Detect PW Spraying: #BlueTeam
52
213
501
@PyroTek3
Sean Metcalf
3 years
Here's the really crazy thing: NO service account should be in Domain Admins in 2021. Take a journey with me in this Thread to see why...
@PyroTek3
Sean Metcalf
3 years
Your occasional reminder that the following do not require AD admin (DA, etc) rights: * Cisco * Exchange * LDAP Bind * SQL * VMWare (& related) * Accounts need local admin on workstations (use Workstation Admins) * Accounts need local admin on servers (use Server Admins)
19
108
420
19
168
501
@PyroTek3
Sean Metcalf
6 years
New post on how to detect Password Spraying using Domain Controller logging (4625 & 4771), domain computer logging (4648), & Active Directory attributes. Enjoy!
@TrimarcSecurity
Trimarc
6 years
Trimarc Research recently published how to detect Password Spraying. Includes Domain Controllers & domain-joined computers logging configuration with event ID correlation rules. We also include a PowerShell command to detect in Active Directory (LDAP).
1
127
254
2
254
484
@PyroTek3
Sean Metcalf
2 years
1st day at Black Hat and a vendor described Kerberos Golden Tickets to me 😆
38
9
483
@PyroTek3
Sean Metcalf
6 years
Slides for my @BlackHatEvents talk "From Workstation to Domain Admin: Why Secure Administration isn't Secure and How to Fix it" from earlier today are now uploaded to . Enjoy! #BlackHat2018
11
259
476
@PyroTek3
Sean Metcalf
2 years
Even better, remove Authenticated Users from "Add workstations to domain" rights as set in the Default Domain Controllers Policy GPO (default). Note: anyone with the ability to create computer objects in OUs can still "pre-create" the object & join a computer with the same name.
@mubix
Rob Fuller
2 years
One of the smallest changes with huge effect you can make to Active Directory to help secure it against a LOT of attack paths is changing the attribute ms-DS-MachineAccountQuota = 0. Do this now, do it on Monday, but it adds a pretty decent barrier to many attack paths.
10
143
523
6
142
469
@PyroTek3
Sean Metcalf
4 years
If you followed me for tech, stay for the human related content that is my current focus. I can't tech right now. I didn't join Twitter for followers, but to learn tech/infosec & connect with amazing people. Take this time to learn about others & their struggle & be empathetic.
12
41
435
@PyroTek3
Sean Metcalf
3 years
My take: Many Azure AD (AAD) environments are repeating same mistakes as they did with Active Directory. Improve AAD Security: 1. Use PIM to control AAD roles (limit permanent members) 2. Only admin accounts in AAD roles 3. Ensure cloud admins use admin systems Thread 1/3
7
127
442
@PyroTek3
Sean Metcalf
3 years
Here's the list of Blue Team folks to follow on Twitter. I am putting this together as a reference slide for my @BlueTeamCon keynote on Saturday. I created a Twitter list with these names also (updating now). I will update these references when possible
@PyroTek3
Sean Metcalf
3 years
In ~3 hours I have ~100 people on this list. I still have room on my slide, so who's missing & why?
59
76
347
23
176
444
@PyroTek3
Sean Metcalf
4 years
#ActiveDirectorySecurityTips Run this AD module cmd: Get-ADGroupMember 'Administrators' -Recursive | % {Get-ADUser $_ -prop ServicePrincipalName} | Where {$_.ServicePrincipalName} Investigate & remove any SPNs on 'people' accounts. Determine why service accounts are AD admins.
2
153
439
@PyroTek3
Sean Metcalf
3 years
Ransomware & the recent SolarWinds attacks take advantage of environment misconfigurations & over-privileged systems. We published 20 Active Directory security checks you can perform (& include a PowerShell script to collect data) to improve AD security.
4
156
429
@PyroTek3
Sean Metcalf
5 years
Faking an AD account password change is possible (including on the krbtgt account), but detectable. Check "User must change password at next logon", Apply, uncheck, Apply. Boom, password last set date is changed, but the actual password is not. UnicodePWD = password attribute
10
163
426
@PyroTek3
Sean Metcalf
7 years
Scanning for #ActiveDirectory Privileged Accounts Admin rights are granted by more than groups. Who are your Admins?
4
282
414
@PyroTek3
Sean Metcalf
6 years
Calling all vendors that "require" their service account to be in Domain Admins. Cisco updated their process and documentation to show customers how a product can work without elevated AD rights. Your move.
@PyroTek3
Sean Metcalf
6 years
@HeyCisco Thank you very much Cisco! This is how you help organizations become more secure. Update documentation to enable customers to shift away from service accounts in Domain Admins.
1
27
86
11
205
420
@PyroTek3
Sean Metcalf
3 years
Your occasional reminder that the following do not require AD admin (DA, etc) rights: * Cisco * Exchange * LDAP Bind * SQL * VMWare (& related) * Accounts need local admin on workstations (use Workstation Admins) * Accounts need local admin on servers (use Server Admins)
19
108
420
@PyroTek3
Sean Metcalf
5 years
After over a year of battling with serious health issues, my Dad passed away this evening. It’s been rough the past few months watching him decline and see his sharp mind disappear. In lieu of flowers, please be awesome to each other & tell your loved ones how you feel.
105
14
419
@PyroTek3
Sean Metcalf
1 year
My kid is interested in how visible things posted on the internet are. So please do me a favor & if you see this, reply where in the world you are. Retweet for reach. #DinnerConversation
1K
219
403
@PyroTek3
Sean Metcalf
5 years
Slides & Video for my #DerbyCon talk on advanced #ActiveDirectorySecurity topics now posted. I cover: * Most common AD Security issues * Offline DC attacks that aren't logged (thanks @MGrafnetter !) * Detecting & Breaking AD Recon Slides & Video Link:
5
205
411
@PyroTek3
Sean Metcalf
4 years
Fresh off the press! Trimarc is providing a free PowerShell script to gather data to identify potential AD security issues. Article includes some Trimarc recommendations as well: Here's the webcast where I walked through these items:
@TrimarcSecurity
Trimarc
4 years
Trimarc just released a free PowerShell script "Invoke-TrimarcADChecks" that Sean Metcalf ( @PyroTek3 ) covered in his recent Webcast Download the script along with what it gathers, what to review, & Trimarc recommendations
5
190
442
8
178
399
@PyroTek3
Sean Metcalf
5 years
Kerberos delegation = AD Account impersonation. Convert accounts configured with unconstrained delegation to constrained. Configure AD admin accounts (pref all admin accounts) with "Account is Sensitive and cannot be delegated" to protect them against Kerberos delegation attacks.
3
191
394
@PyroTek3
Sean Metcalf
3 years
Exploit code is public. You must patch all Domain Controllers (Dec 8th patch) AND set the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc. Set NonForwardableDelegation to 0. Test before setting. Regkey is set in Feb 2021 patch.
@agsolino
Alberto Solino
3 years
Just merged @jakekarnes42 implementation CVE-2020-17049 (aka Kerberos Bronze Bit Attack). Great stuff and thorough explanations in the blogposts. Great research Jake! Enjoy!
0
112
253
6
164
393
@PyroTek3
Sean Metcalf
6 years
"If [Kerberos] preauthentication isn’t enabled, an attacker can send an AS-REQ for any user that doesn’t have preauth required and receive a bit of encrypted material back that can be cracked offline to reveal the target user’s password."
5
205
385
@PyroTek3
Sean Metcalf
2 years
Would you be interested in an end of year wrap-up that highlights the biggest issues we see in Active Directory, Azure AD environments? Sort of a “State of Identity Security” year in review - biggest issues. What’s trending, etc. What sort of information would you want to see?
22
20
390
@PyroTek3
Sean Metcalf
8 years
Securing Windows Workstations: Developing a Secure Baseline. A collection of the best methods to secure Windows
9
268
384
@PyroTek3
Sean Metcalf
3 years
Since moving away from AD is likely years away (Azure AD, etc), run Bloodhound. Also run this free PowerShell script I published with key AD security items to review/fix. Follow the recommendations in this post & level up your AD security posture!
@mubix
Rob Fuller
3 years
If you are on a Blue Team, or IT Team, and you aren't running BloodHound REGULARLY, you are doing yourself a disservice. As a CTO I would either get rid of AD, or have BloodHound statistics be a top KPI/OKR for my org.
16
63
311
7
128
385
@PyroTek3
Sean Metcalf
5 years
Controlling AD Recon (Bloodhound)
@jeffmcjunkin
Jeff McJunkin
5 years
This morning in BloodHoundGang Slack () somebody asked how to stop BloodHound data gathering. Our answer? Don't focus on specific tools, focus on 1) gathering attack path info as a defender, *AND* 2) stop users from running arbitrary EXE's (1/2)
2
35
92
4
141
383
@PyroTek3
Sean Metcalf
10 months
So… DEFCON is cancelled tonight for real. All events & activities at the forum are closed.
5
13
373
@PyroTek3
Sean Metcalf
6 years
Advice to a younger me: * Travel & see new places * Save $1,000 in the bank & don't touch it. When you need it, you'll REALLY need it. * Learn to code. Something. Anything. Python, PowerShell, etc. * Have an idea? Start a business (start on side). * Fail. And learn from it.
9
98
362
@PyroTek3
Sean Metcalf
1 year
Active Directory continues to be targeted by attackers. Improve AD security in just weeks 1. Check your AD for common security issues 2. Review & implement recommendations in this free paper on how to quickly level up AD security
@CISAJen
Jen Easterly🛡️
1 year
🚨With our partners @NSACyber , @FBI , @CyberGovAu , @Cybercentre_ca , @NCSC , & NCSC New Zealand, we urge all organizations—especially critical infrastructure owners & operators—to read this Joint Advisory & mitigate your risk to PRC malicious cyber activity:
6
66
190
1
90
361
@PyroTek3
Sean Metcalf
5 years
We find accounts with passwords in AD account attributes about 15% of the time during assessments. Admins have assumed that the attributes were only visible through AD admin tools. Sometimes these accounts are privileged.
@Direwolf20
Direwolf20
5 years
@pamelarosiedee @PyroTek3 Recently I did work for a company who made all their service accounts domain admins. “It’s safer that way” they said. They also put the password in the description field. You know, the one that domain users have read access to? “Yea but we’re the only ones with ADUC”
9
29
94
13
114
347
@PyroTek3
Sean Metcalf
5 years
Today at Black Hat @markmorow & I presented on "Attacking & Defending the Microsoft Cloud." Slides are now available to download: We covered several attacks (& defense): password spray, token theft, password reuse, on-prem cloud integration, & more!
10
155
350
@PyroTek3
Sean Metcalf
4 years
I recently was asked for some good reasons why users should not have local admin rights to the workstation. The attached image includes my initial response. Admin accounts should not have local admin to their workstations either - separate account(s) should be used to manage
11
118
345
@PyroTek3
Sean Metcalf
3 years
In ~3 hours I have ~100 people on this list. I still have room on my slide, so who's missing & why?
@PyroTek3
Sean Metcalf
3 years
Who are your favorite InfoSec defense focused Twitter accounts to follow & why? Call this a reverse FF. #BlueTeamCon
26
55
246
59
76
347
@PyroTek3
Sean Metcalf
4 years
Just posted how to escalate to Domain Admin in Azure AD Domain Services (Microsoft’s hosted Active Directory) leveraging Shay Ber’s DNSAdmin trick. Interesting thing about this is customers are not supposed to have or be able to get Domain Admin rights
1
163
346
@PyroTek3
Sean Metcalf
5 years
If your Active Directory minimum password length is less than 10 characters (AD default is 7), this is the perfect time to work to get that increased. Password spraying is a real threat, as is Kerberoasting. Small password lengths are dangerous on modern networks.
10
190
339
@PyroTek3
Sean Metcalf
5 years
I am really excited about my Active Directory security talk tomorrow at 11am ( #DerbyCon Track 1) I am covering: * Top 15 Most Common AD Security Issues Trimarc Discovers * Tracking/Breaking AD Recon * Offline Domain Controller Attacks * Securing AD must do's
11
55
338
@PyroTek3
Sean Metcalf
7 years
Slides from my @BSidesCharm talk posted on #ActiveDirectory threat hunting: Video & Slides:
3
221
332
@PyroTek3
Sean Metcalf
6 years
This past weekend, I gave a non-tech talk @BSidesCharm called "FailTime: Failing Towards Success". Many topics covered - my failures, what I've learned & advice. Also includes my Life Tips. Slides include talk notes. Slides: Video:
9
126
326
@PyroTek3
Sean Metcalf
2 years
How many user accounts should be in Global Administrator in Azure AD? The answer is NONE. Create new admin accounts in your tenant "onmicrosoft" account & require MFA (Security Defaults/Conditional Access/etc). Add Azure AD P2 licenses for admin accounts & enable Azure AD PIM.
@PyroTek3
Sean Metcalf
2 years
How many SQL service accounts should be in Domain Admins? The answer is NONE. Check Domain Admins, Administrators, & Enterprise Admins membership & remove the following from these groups: * Exch (Exchange) * SQL * VMAdmin (VMWare) * Azure/Azure AD * VPN
5
44
198
10
94
330
@PyroTek3
Sean Metcalf
1 month
Microsoft has recreated the Active Directory Forest in the cloud 😆 Tenants (domains) now can be joined together (in a cloud forest) (and remember, it’s Entra ID, not Azure Active Directory)
@schnoll
Scott Schnoll
1 month
Today we announced that new multi-tenant organization capabilities within Microsoft 365 are now generally available #Microsoft365 #MTO
4
43
122
21
57
326
@PyroTek3
Sean Metcalf
2 years
When your kid really wants a cell phone to be able to make “emergency calls” because all their friends have one and you finally give in.
23
14
321
@PyroTek3
Sean Metcalf
4 years
New blog post on the Microsoft Cloud: What is Azure Active Directory? Post covers what Azure AD is, how it compares to on-prem Active Directory, connecting via PowerShell, and password spraying attacks, mitigation, & detection.
5
166
326
@PyroTek3
Sean Metcalf
4 years
We see passwords in SYSVOL on Active Directory Security Assessments about 15% of the time. They have usually been set & forgotten. Impact ranges from server admin to DA to full compromise of sensitive databases. There is no reason for passwords in SYSVOL (in GPP or scripts).
3
88
323
@PyroTek3
Sean Metcalf
4 years
My Black Hat USA talk with @markmorow “Attacking & Defending the Microsoft Cloud (Azure AD & Office 365)” is now on YouTube: Slides here: #BlackHat #AzureAD #Office365 #ProtectAcme
0
164
313
@PyroTek3
Sean Metcalf
3 years
SolarWinds is only the latest system attack that results in a large scale compromise. Attackers target these systems because they have widespread and long-standing access. Any system that has some level of admin rights across your environment is vulnerable. THREAD follows
6
95
318
@PyroTek3
Sean Metcalf
6 years
New post on my talks at #BlackHat2018 & #DEFCON26 this past week in Vegas. Slides are posted for both talks now.
4
160
311
@PyroTek3
Sean Metcalf
1 year
Microsoft recently reached out to get my perspective on identity security (Active Directory & Azure AD). Here's the interview: TLDR: Many of the issues we have seen with Active Directory are in Azure AD as well from a customer perspective.
4
82
310
@PyroTek3
Sean Metcalf
4 years
This is a good time to remind people to replace old tech language: * master to Primary * slave to Secondary * blacklist to Block list * whitelist to Allow list Language we use matters. If you question why "blacklist" is there, it's based on definitions of the word "black"...
14
137
303
@PyroTek3
Sean Metcalf
3 years
Detecting the first two Active Directory post access techniques: 1.Password Spray Detection: 2. Kerberoast Detection:
What are your first 5 Active Directory post access techniques in a red team? Starting list no particular order: 1. Password Spraying 2. Kerberoasting 3. File search (passwords, backups, etc.) 4. LLMNR/mDNS/NBNS 5. Insecure mailbox search Yours?
27
140
675
2
86
308
@PyroTek3
Sean Metcalf
6 years
Slides from my @nola_con presentation on #ActiveDirectory security are on : Covers common AD Security issues & how to fix them, discovering problematic AD ACL permissions, & some attack detection (kerberoasting & password spray).
4
161
304
@PyroTek3
Sean Metcalf
6 years
I am a Microsoft MVP once again! Thank you all for your support & kind words.
35
14
299
@PyroTek3
Sean Metcalf
2 years
Well, it was a good run!
47
5
296
@PyroTek3
Sean Metcalf
2 years
PSA: Review installed software on your Domain Controllers. DCs don't need Chrome/Firefox installed, run management software (for agents), run SQL, run ADFS, run AAD Connect, etc. DCs should only be Active Directory servers. That's it. Anything else adds attack surface & risk.
8
76
295
@PyroTek3
Sean Metcalf
8 months
On-Prem Active Directory lives! Updates: * Improved confidential attributes security * Channel binding audit support * LDAP prefers encryption by default * Changes to default behavior of legacy SAM RPC password change methods * AES SHA256/384 Kerberos support
4
80
295
@PyroTek3
Sean Metcalf
5 years
#ActiveDirectorySecurityTips Run this AD module cmd: get-adgroupmember Administrators -Recursive | select DistinguishedName Ask Why? for: * Service accounts * Accounts/groups from another forest * Computer accounts (remove) * Normal users * Accounts with SPNs (work to remove)
4
111
295
@PyroTek3
Sean Metcalf
5 years
This is a fantastic reference for Active Directory LDAP queries.
0
101
295
@PyroTek3
Sean Metcalf
7 years
. @darkpawH & I spoke about the danger of not protecting Federation Servers (ADFS, etc) like Domain Controllers @defcon this year. CyberArk just published tools to do this with SAML (aka "Golden SAML"):
6
153
288
@PyroTek3
Sean Metcalf
7 years
Commonly overlooked: Change AD admin passwords yearly: default domain admin account (RID 500), DSRM on every DC, & KRBTGT. #ADSecurityTips
10
171
284
@PyroTek3
Sean Metcalf
6 years
The video of my #ActiveDirectory security talk @WEareTROOPERS from last week is now online! YouTube video: Slides (PDF):
@PyroTek3
Sean Metcalf
6 years
Thrilled to speak today at the 1st Active Directory track at the Troopers conference in Germany. Slides for my "Active Directory Security: The Journey" talk now posted on (version 2 of this talk). Thank you @WEareTROOPERS !
2
94
195
0
155
288
@PyroTek3
Sean Metcalf
4 years
Just posted my Azure AD to Azure "unanticipated" attack path leveraging "Elevate Access". Describes how a compromised Global Administrator (O365) account could compromise any/all Azure VMs, (including hosted Domain Controllers) with minimal/no logging.
6
140
285
@PyroTek3
Sean Metcalf
2 years
Based on what we have seen during Active Directory security assessments, if you have Active Directory Certificate Services (ADCS) in your environment, you want to download and run Locksmith to scan for ADCS security issues. Locksmith provides remediation as well!
@TrimarcSecurity
Trimarc
2 years
New tool release! Locksmith from @dotdotdotHorse . Jake recently gave a talk @WWHackinFest where he released a tool to identify and remediate common misconfigurations in Active Directory Certificate Services. #NCSAM Check out his slides and blog here:
1
60
183
1
57
286
@PyroTek3
Sean Metcalf
4 years
This Wednesday I’m presenting how to best secure your Microsoft Office 365 tenant (& Azure AD). I’m also including an “unanticipated” attack path based on cloud research I’ve been working on for the past 9+ months. Webcast covers Attack & Defense & blog posts will follow.
@TrimarcSecurity
Trimarc
4 years
Trimarc Webcast series continues with Trimarc Founder, Sean Metcalf ( @PyroTek3 ), this time focusing on Office365 & Azure AD Security Join us for "Securing Office 365 & Azure AD - Defending Your Tenant" May 27, 2020 from 1pm - 2pm (Eastern) Registration:
2
24
59
7
90
268
@PyroTek3
Sean Metcalf
8 years
#PowerShell Attack Tools, Mitigation, & Detection including PowerShell attack indicators
1
165
265
@PyroTek3
Sean Metcalf
11 months
That moment 10 mins after you finish a WebEx call on your phone 🤣
9
17
263
@PyroTek3
Sean Metcalf
5 years
My Troopers conference talk slides on Securing Administration are now uploaded to : (this is an updated version of my DerbyCon 2018 talk)
0
120
260
@PyroTek3
Sean Metcalf
8 years
Sneaky #ActiveDirectory Persistence Methods: Leveraging Group Policy to Retain Domain Admin
0
182
255
@PyroTek3
Sean Metcalf
4 years
My DEFCON Safe Mode talk on "Hacking the Hybrid Cloud" is recorded and submitted! Talk video & slides are scheduled for release on Thursday, August 6th & I will host a live Q&A on the 6th at 12:30pm (Pacific). Visit the DEFCON website for more info:
8
65
259
@PyroTek3
Sean Metcalf
7 years
"Sneaky Persistence #ActiveDirectory Trick #18 : Dropping SPNs on Admin Accounts for Later Kerberoasting" #Kerberoast
3
184
255
@PyroTek3
Sean Metcalf
5 years
I've been pushing for this for years (others too). I know it's been tough for Microsoft to break beyond 16. Passwords can now be 256 characters in the Microsoft Cloud (Azure AD)! Kudos to those within Microsoft that got this done! #ThankYou
21
99
260
@PyroTek3
Sean Metcalf
4 years
Microsoft recently released an installable Exchange Online PowerShell Module! Install-Module ExchangeOnlineManagement Update: Update-Module -Name ExchangeOnlineManagement -AcceptLicense -Force Not all cmdlets are fully updated yet (still in beta)
6
88
247
@PyroTek3
Sean Metcalf
2 years
Looking forward to presenting Quick Wins to help improve Active Directory security. Current agenda covers Kerberoast, Password Spray, ADCS, Kerberos Delegation, Dangerous Defaults, DC security, etc. Presentation is technically dense, prepare to take notes/screenshots!
@TrimarcSecurity
Trimarc
2 years
Want to learn about the "Top 10 Ways to Improve Active Directory Security Quickly"? Sean Metcalf @PyroTek3 , Tyler Robinson @tyler_robinson , & Darryl Baker @DFIRdeferred cover AD attacks & improving AD security June 23rd 3pm-4:15pm (ET) Register here:
8
26
83
5
62
253
@PyroTek3
Sean Metcalf
5 years
New article on Active Directory service accounts that are typically in privileged AD groups & guidance on how to get them out of Domain Admins. We find service accounts that shouldn't require privileged AD rights while performing AD Security Assessments.
5
128
249
@PyroTek3
Sean Metcalf
3 years
Who are your favorite InfoSec defense focused Twitter accounts to follow & why? Call this a reverse FF. #BlueTeamCon
26
55
246
@PyroTek3
Sean Metcalf
5 years
#ActiveDirectorySecurityTips Run this AD module cmd: get-aduser krbtgt -prop Created,PasswordLastSet,msDS-KeyVersionNumber * PW should change 2x every year. * If Created = PWLastSet, then work to change soon. * KeyVersionNum typically identifies how many times PW changed (n-1).
3
82
247
@PyroTek3
Sean Metcalf
5 years
Interested in learning more about Active Directory? has an entire reference section covering core AD concepts (including the MCM reading list): There's a Security section too!
4
100
246
@PyroTek3
Sean Metcalf
6 years
If you are looking to deploy Windows 10 & need security configuration guidance, the Microsoft Windows 10 security baseline is a great start. Link is to the Win10 v1803 security baseline: Thanks @AaronMargosis for continuing to put this guidance together!
3
122
244
@PyroTek3
Sean Metcalf
6 years
Pentesters, Red Teams, & Blue Teams: If you are only looking at Domain Admins & Enterprise Admins group membership, you are missing a lot. Query the domain Administrators group to get a more complete understanding of Active Directory administrators.
12
79
237
@PyroTek3
Sean Metcalf
6 years
If you were attempting to use GPO to control file extension association in Windows 10, v1709 prevents that from working. The following article describes how to generate an XML file & deploy via GPO to force files like .js, .wsh, .vbs, to open in notepad.
5
122
231
@PyroTek3
Sean Metcalf
6 years
I finally merged all my updates to the Kerberos Service Principal Name (SPN) type list on . I'm tracking over 150 SPNs (mostly enterprise apps). SPN Reference List: Kerberos Info:
2
114
234
@PyroTek3
Sean Metcalf
8 years
Video & slides posted for my @defcon talk "Red Teaming #ActiveDirectory ": Covers AD recon & bypassing AD defenses
1
164
226
@PyroTek3
Sean Metcalf
8 years
Securing Domain Controllers to Improve Active Directory Security #ActiveDirectory & Domain Controller security GPOs
4
124
231
@PyroTek3
Sean Metcalf
6 years
Next month at Black Hat, I will show why most current Active Directory admin methods are insecure and how to securely perform administration in the real world.
@BlackHatEvents
Black Hat
6 years
Sean Metcalf ( @PyroTek3 ) will explore how common methods of domain administration fail, an attacker's approach to exploit flaws, and ways to ensure secure administration during his Briefing at #BHUSA
0
4
19
4
73
228