
Experience:
Sean Metcalf is one of about 100 people in the world who has attained the Microsoft Certified Master Directory Services certification and has 17 years of experience on the Microsoft platform, 10 of which involved Microsoft Identity security. Metcalf has presented personal security research on Active Directory and Azure AD/Entra ID attacks and defense at Black Hat, Blue Team Con, BSides, DEF CON, DerbyCon, TROOPERS, and the internal Microsoft BlueHat security conference. He is also a co-host on the weekly podcast “Enterprise Security Weekly”.
Additionally, Metcalf has performed security research that helps improve how both Red Teams and Blue Teams operate and collaborate. His research includes developing methods that enable Golden Tickets to work across domains in a multiple-domain AD environment and methods to detect forged Kerberos tickets (including Golden Tickets).
Metcalf runs a well-known enterprise security blog, ADSecurity.org, showcasing deep technical content regarding AD security, attacks, attack mitigation, attack detection, and a comprehensive guide to Mimikatz that also includes a detailed command reference. The blog receives ~600k unique visitors a year.
Education and Certifications:
Microsoft Certified Master Directory Services (AD) and MCSE (NT 4 through 2012)
Industry Contributions:
2015: Published original method to detect Golden Tickets
2016: Published methods to better detect PowerShell attack activity
2017:
- Published first effective detection of Kerberoasting with no false positives (still effective)
- Published password spray (AD) detection when attackers use Kerberos
- Presented at DEF CON how to forge federation tokens (aka “GoldenSAML”) and compromise AD through Azure AD Connect (on-premises)
2018:
- Published how most read-only domain controller deployments are vulnerable and how to improve
- Presented how to bypass most enterprise password vault security
2019: Presented on Microsoft Cloud (Azure AD and Microsoft Office 365) attack and defense at Black Hat and the DEF CON Cloud Security Village
2020: Published information on how to compromise Azure instances (VMs) from Microsoft Office 365
2021:
- Thanked during CISA Director’s Black Hat keynote for SolarWinds help
- “Stealth” contributor to BloodHound