Sean Metcalf
@PyroTek3
Followers: 37K
Following: 42K
Media: 2K
Statuses: 22K
Identity Security Architect @ TrustedSec. Microsoft Certified Master #ActiveDirectory & former Microsoft MVP. Co-Host @ Enterprise Security Weekly. He/Him. #BLM
4°08'15.0N 162°03'42.0E
Joined August 2014
To my black family, friends, and people seeing this: I love you. You matter. I'm here for you. #BlackLivesMatter
Blogs are up!
Wanting more from today's #BHEU talk on SCOM? Check out this two part blog series! 1️⃣ @unsigned_sh0rt maps SCOM’s roles, accounts, & trust boundaries, then shows how attackers can chain insecure defaults into full management group compromise. https://t.co/Ai4TqTtc4O 🧵: 1/2
There is a super awesome bloodhound-like feature in PingCastle health check reports. It’s called “Control Paths.” It’s really really good. A little clunky and not nearly as verbose as bloodhound, but it gets the job done at finding low hanging fruit. PingCastle has built-in
⚡Adding Intune P2 features to Microsoft 365 E3 and E5 is getting a lot of well-deserved attention, but did you see the blip that isn't? Some Defender for Office P1 features are coming to E3 and E1 in 2026! 📧 https://t.co/E2FckLH2rc
What if you could confirm password reuse without cracking a single password? In this blog, @Coontzy1 shows how hash shucking leverages NTLM hashes to identify reuse across Kerberos, NTLM, and cached credentials - and how to defend against it. Read now! https://t.co/zdAwSSo0LB
trustedsec.com
Let me blow your mind real quick: When you use Remote Desktop (RDP), Windows secretly takes screenshots of what you are doing. It’s called the RDP Bitmap Cache. To make the connection faster, Windows saves small tiles (images) of the remote screen to your hard drive in a bin
Attending #GartnerIAM in Grapevine? Catch our session on Dec. 9 as @PyroTek3 of @TrustedSec and our own Bryan Patton team up to reveal the critical gaps attackers exploit in Active Directory and Entra ID, and how to build resilience. Learn more: https://t.co/KhjXieUAEf
Going to the Gartner Identity & Access Management Summit 2025 next week? Catch @PyroTek3 on Tuesday at 1:35PM. He'll be presenting, "Quest Software: Revealing Critical Security Gaps in Active Directory and Entra ID Environments". Mark your calendars! https://t.co/J5sTEic2ho
PSA now that Cloud PKI is included in E5. If you did a trial of Cloud PKI, please don't use the old setup. Tear it all down and rebuild to ensure you are using proper keys backed by a hardware security module (HSM). There is no migration path: https://t.co/ohL9IeZ5Bb
A quick overview of VMware Private AI with NVIDIA - Or if you run VC9 it's stupid easy to get started with private AI in your data center. https://t.co/b5FUA4NK7r
vmiss.net
VMware Private AI Foundation with NVIDIA is VMware’s flagship approach to bringing generative AI and LLMs directly into the enterprise data center, without
Check out our own Microsoft Certified Master @PyroTek3 as he sits down with the @PetriFeed podcast, Petri Dish. They reveal top security risks, quick wins, and the real impact of AI on Identity Management. Watch the full episode now!
Omg finally!! I've been refreshing the Troopers YouTube page for so long lol 😂
@_dirkjan and my joint talk at #TROOPERS25 is now available on YouTube. "Finding Entra ID CA Bypasses - the structured way" @WEareTROOPERS
https://t.co/fAQ0aCreKj
This is very true. If, say, you have per-device local admin accounts but only need to use them when sitting in front of machines (or, conversely, only need to use them via RDP) please, please enforce that.
A built-in Windows/AD feature that provides immense ROI for internal security… + Logon restriction GPOs: Deny logon locally; Deny logon through Remote Desktop Services; Deny access to this computer from the network. Seriously not enough orgs using these
.@KimStrassel: “I shiver to think about how close we came to full-on censorship under this last administration.”
ICYMI: Managing Privileged Roles in Microsoft Entra ID: A Pragmatic Approach This article breaks down the most important Entra ID roles, including what should be considered Tier 0, Tier 1, etc. https://t.co/tLeGnI7got
trustedsec.com
Patch em
Critical Security Vulnerability in React Server Components: CVE-2025-55182 and rated CVSS 10.0. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. https://t.co/AMlp6yMPSZ
Always keep in mind that literally any form of MFA/2FA/2SA or cryptographic authentication takes basic password attacks off the table. (Including use of password spraying, bruteforcing, cred stuffing, abuse of passwords captured by info stealers, etc.) Which is a big deal.
We spend a lot of time talking about OAuth phishing, token theft from malware, adversary in the middle phishing and other novel attacks, and rightly so, but it is important to remember that MFA is still an extremely valuable control. Modern MFA reduces the risk of identity
Last time, we looked at Group Managed Service Accounts (GMSAs): https://t.co/VCVWZkU42J This week let's look at Active Directory domain permissions which are configured on the domain root and apply to the domain. There are many different types of concerning permissions, but let's
Let's talk about Group Managed Service Accounts (GMSAs). User accounts created to be used as service accounts rarely have their password changed. Group Managed Service Accounts provide a better approach (starting in the Windows 2012 time-frame). The password is managed by AD and
Humble Bundle have a lot of No Starch Press books on sale rn, you can grab Hacking APIs for $20 or the whole bundle for $40
My talk from @defcon is finally out! Watch 'Secure Code Is Critical Infrastructure: Hacking Policy for Public Good' here: https://t.co/hYAVWEKvIe If you like it, please give it a thumbs up. 👍