Sean Metcalf (@PyroTek3) / X

Sean Metcalf

23K posts

Sean Metcalf

@PyroTek3

Identity Security Architect @ TrustedSec. Microsoft Certified Master #ActiveDirectory & former Microsoft MVP. Co-Host @ Enterprise Security Weekly. He/Him. #BLM

4°08'15.0N 162°03'42.0E

Joined August 2014

Pinned
Sean Metcalf
@PyroTek3
Jun 3, 2020
To my black family, friends, and people seeing this: I love you You matter I'm here for you #BlackLivesMatter
Sean Metcalf
@PyroTek3
Dec 3, 2019
Dentist: "Have you been flossing?" Me: .......... Dentist: .......... Me: "Do you ensure all of your web account passwords are unique, especially for things like bank websites?" Dentist: .......... Me: .......... Dentist: "So, see you in 6 months?" Me: "Sure"
Sean Metcalf
@PyroTek3
Jan 9, 2024
IMO, Infosec fails when we do stuff like this. reddit.com/r/antiwork/com…
148K
Sean Metcalf
@PyroTek3
Jul 29, 2024
In today's WTF?!?!? moment When a ESXi server is domain-joined, it assumes any "ESX Admins" group & its members should have full admin rights. So.... anyone who can create & manage a group in AD, can get full admin rights to the VMware ESX hypervisors! microsoft.com/en-us/security…
GIF
371K
Sean Metcalf
@PyroTek3
Aug 7, 2025
Active Directory computers should be reviewed about once a year. Old operating systems can hold back security progress like keeping SMBv1 and NTLMv1 active. Inactive computers should be discovered and disabled when no longer in use (and eventually removed). The OperatingSystem &
80K
Sean Metcalf
@PyroTek3
Sep 16, 2022
Due to breaches involving MFA bombing (attacker keeps sending MFA requests until accepted) now is the time for organizations with Office 365 to enable MFA number matching in Microsoft Authenticator. You can deploy to a group before configuring for all. docs.microsoft.com/en-us/azure/ac… 1/3
Sean Metcalf
@PyroTek3
Dec 12, 2018
Patch your Domain Controllers running DNS (typical config, so most orgs) ASAP. DNS remote code execution vulnerability which runs as LocalSystem on Windows DNS server (usually a DC). portal.msrc.microsoft.com/en-US/security…
Sean Metcalf
@PyroTek3
Mar 8, 2018
Updated ADSecurity posts w/ event IDs to focus on when enabling logging & why they matter. Securing Windows Workstations: adsecurity.org/?p=3299 Securing Domain Controllers: adsecurity.org/?p=3377 I'll work on getting this into a consolidated post on recommended event auditing.
Sean Metcalf
@PyroTek3
Jul 30, 2025
If you have Active Directory Certificate Services (ADCS) in your environment, run Locksmith now! In Active Directory Security Assessments, we have found critical security issues in *most* ADCS configurations. The great thing about Locksmith is that it doesn't just highlight the
67K
Sean Metcalf
@PyroTek3
Nov 16, 2019
Reason #317 why Admin workstations are now required for secure AD administration. RDP from a standard user workstation to a server using DA creds is not secure, even when using MFA (once DA username & pw are discovered, attacker can connect via LDAP which won’t require MFA).
b33f | 🇺🇦✊
@FuzzySec
Nov 16, 2019
I wrote up a quick POC, RemoteViewing, to demo RDP credential theft (adapted from @0x09AL post => mdsec.co.uk/2019/11/rdpthi…) using EasyHook and Donut ☠️🖥️. More details on GitHub => github.com/FuzzySecurity/…
Sean Metcalf
@PyroTek3
Jan 1, 2018
New ADSecurity.org post: "Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory" Provides some attack scenarios and mitigation. If you have RODCs in your #ActiveDirectory environment, you should read this. adsecurity.org/?p=3592
Sean Metcalf
@PyroTek3
Nov 10, 2017
Slides from my Blue Hat talk today on "Active Directory Security: The Journey" now posted on ADSecurity.org. I cover history of AD security features, enterprise application AD permission issues, and discuss Microsoft's AD security guidance. adsecurity.org/?page_id=1352
Sean Metcalf
@PyroTek3
Dec 20, 2021
Keyboard walking or pattern passwords are easily guessed. Attackers include these types of password since admins use them (they certainly look random and complex) and are often used as service account passwords. Image reference article: wpengine.com/resources/pass…
Sean Metcalf
@PyroTek3
Mar 13, 2019
"TLDR: You can sniff BitLocker keys in the default config, ... TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code,.... After sniffing, you can decrypt the drive. Don’t want to be vulnerable ...? Enable additional pre-boot authentication."