1. X
  2. Sean Metcalf
Log inSign up
Sean Metcalf
22.9K posts
Image
user avatar
Sean Metcalf
@PyroTek3
Identity Security Architect @ TrustedSec. Microsoft Certified Master #ActiveDirectory & former Microsoft MVP. Co-Host @ Enterprise Security Weekly. He/Him. #BLM
4°08'15.0N 162°03'42.0E
adsecurity.org
Joined August 2014
684
Following
36.8K
Followers
RepliesRepliesMediaMedia

New to X?

Sign up now to get your own personalized timeline!

Create account

By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.

Terms·Privacy·Cookies·Accessibility·Ads Info·© 2026 X Corp.
Don't miss what's happening
People on X are the first to know.
Log inSign up
  • Pinned
    user avatar
    Sean Metcalf
    @PyroTek3
    Jun 3, 2020
    To my black family, friends, and people seeing this: I love you You matter I'm here for you #BlackLivesMatter
  • user avatar
    Sean Metcalf
    @PyroTek3
    Dec 3, 2019
    Dentist: "Have you been flossing?" Me: .......... Dentist: .......... Me: "Do you ensure all of your web account passwords are unique, especially for things like bank websites?" Dentist: .......... Me: .......... Dentist: "So, see you in 6 months?" Me: "Sure"
  • user avatar
    Sean Metcalf
    @PyroTek3
    Jan 9, 2024
    IMO, Infosec fails when we do stuff like this. reddit.com/r/antiwork/com…
    Image
    148K
  • user avatar
    Sean Metcalf
    @PyroTek3
    Jul 29, 2024
    In today's WTF?!?!? moment When a ESXi server is domain-joined, it assumes any "ESX Admins" group & its members should have full admin rights. So.... anyone who can create & manage a group in AD, can get full admin rights to the VMware ESX hypervisors! microsoft.com/en-us/security…
    Image
    GIF
    Image
    This post is unavailable.
    371K
  • user avatar
    Sean Metcalf
    @PyroTek3
    Aug 7, 2025
    Active Directory computers should be reviewed about once a year. Old operating systems can hold back security progress like keeping SMBv1 and NTLMv1 active. Inactive computers should be discovered and disabled when no longer in use (and eventually removed). The OperatingSystem &
    Image
    80K
  • user avatar
    Sean Metcalf
    @PyroTek3
    Sep 16, 2022
    Due to breaches involving MFA bombing (attacker keeps sending MFA requests until accepted) now is the time for organizations with Office 365 to enable MFA number matching in Microsoft Authenticator. You can deploy to a group before configuring for all. docs.microsoft.com/en-us/azure/ac… 1/3
    Image
    Image
  • user avatar
    Sean Metcalf
    @PyroTek3
    Dec 12, 2018
    Patch your Domain Controllers running DNS (typical config, so most orgs) ASAP. DNS remote code execution vulnerability which runs as LocalSystem on Windows DNS server (usually a DC). portal.msrc.microsoft.com/en-US/security…
    Image
  • user avatar
    Sean Metcalf
    @PyroTek3
    Mar 8, 2018
    Updated ADSecurity posts w/ event IDs to focus on when enabling logging & why they matter. Securing Windows Workstations: adsecurity.org/?p=3299 Securing Domain Controllers: adsecurity.org/?p=3377 I'll work on getting this into a consolidated post on recommended event auditing.
    Image
  • user avatar
    Sean Metcalf
    @PyroTek3
    Jul 30, 2025
    If you have Active Directory Certificate Services (ADCS) in your environment, run Locksmith now! In Active Directory Security Assessments, we have found critical security issues in *most* ADCS configurations. The great thing about Locksmith is that it doesn't just highlight the
    Image
    67K
  • user avatar
    Sean Metcalf
    @PyroTek3
    Nov 16, 2019
    Reason #317 why Admin workstations are now required for secure AD administration. RDP from a standard user workstation to a server using DA creds is not secure, even when using MFA (once DA username & pw are discovered, attacker can connect via LDAP which won’t require MFA).
    user avatar
    b33f | 🇺🇦✊
    @FuzzySec
    Nov 16, 2019
    I wrote up a quick POC, RemoteViewing, to demo RDP credential theft (adapted from @0x09AL post => mdsec.co.uk/2019/11/rdpthi…) using EasyHook and Donut ☠️🖥️. More details on GitHub => github.com/FuzzySecurity/…
    Image
  • user avatar
    Sean Metcalf
    @PyroTek3
    Jan 1, 2018
    New ADSecurity.org post: "Attacking Read-Only Domain Controllers (RODCs) to Own Active Directory" Provides some attack scenarios and mitigation. If you have RODCs in your #ActiveDirectory environment, you should read this. adsecurity.org/?p=3592
    Image
  • user avatar
    Sean Metcalf
    @PyroTek3
    Nov 10, 2017
    Slides from my Blue Hat talk today on "Active Directory Security: The Journey" now posted on ADSecurity.org. I cover history of AD security features, enterprise application AD permission issues, and discuss Microsoft's AD security guidance. adsecurity.org/?page_id=1352
    Image
  • user avatar
    Sean Metcalf
    @PyroTek3
    Dec 20, 2021
    Keyboard walking or pattern passwords are easily guessed. Attackers include these types of password since admins use them (they certainly look random and complex) and are often used as service account passwords. Image reference article: wpengine.com/resources/pass…
    Image
    You’re unable to view this Post because this account owner limits who can view their Posts. Learn more
  • user avatar
    Sean Metcalf
    @PyroTek3
    Mar 13, 2019
    "TLDR: You can sniff BitLocker keys in the default config, ... TPM1.2 or TPM2.0 device, using a dirt cheap FPGA (~$40NZD) and now publicly available code,.... After sniffing, you can decrypt the drive. Don’t want to be vulnerable ...? Enable additional pre-boot authentication."
    This Post is from an account that no longer exists. Learn more
Advertisement
Advertisement