Defense

Post Compromise Active Directory Checklist

Nuke it from orbit, it’s the only way to be sure!

Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in most people’s real world that’s not so simple. So, what do we do if we can’t nuke from orbit in a post-compromise situation? Well, we need to clean up! This isn’t an exhaustive list, nor a total guide; it’s a quick list to make you think about some key common areas and actions that might need to be taken! After all, if someone got r00t, who knows what they did! (trust me, most orgs’ monitoring is a bit naff!)

Potential Actions

  • Reset all user account passwords twice (thanks @tazwake)
    • Reset all administrator passwords
    • Reset all service accounts passwords
  • Reset the KRBTGT password (twice, but bear in mind the issues with replication; there’s specific guidance on this)
  • Reset all computer account passwords
  • Check the maximum machine account password age setting
    • By default it is 30 days; threat actors can raise it to keep access via machine hashes for a longer duration. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age
  • Reset all LAPS Passwords
  • Reset permissions on the AdminSDHolder object
  • Revoke and re-issue all certificates from ADCS
  • Check for malicious scheduled tasks (thanks @SchizoDuckie)
  • Check for malicious WMI event filters
  • Check for malicious autoruns or other registry-based persistence mechanisms
  • Check for utilman style backdoors
  • Check for malicious printers/printer drivers (thanks @SchizoDuckie)
  • Review Active Directory delegated access permissions (thanks https://twitter.com/@indachtig)
  • Rotate ADFS token signing and token decryption certificates (thanks @4n6Bexaminer)
  • Check Service Control Manager (SCM) security descriptors (https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights) (thanks @EricaZeli)
  • Check for object changes around initial access/event timescales (thanks @IISResetMe)
  • Validate group memberships against known baselines (replication metadata, backup, AD reporting tools/reports etc.) (thanks @IISResetMe)
  • Harden Active Directory (look at pingcastle and MITRE) (thanks @MarkSewe)
  • Review logon scripts in GPOs and SYSVOL (thanks @CisoDiagonal and A-HAX!)
  • Rotate Group Managed Service Accounts (GMSA) (thanks @infosecspy)
  • Rotate LAPS credentials
  • Review Azure AD/AD Connect (thanks @infosecspy)
  • Harden Endpoints
  • Update AV
  • Deploy EDR
  • Deploy SYSMON
  • DNS Zone Integrity (Public and Private) (thanks to @jermuv)
  • Rotate domain trust keys (thanks @DebugPrivilege)
  • Review potential RBCD backdoors (thanks @DebugPrivilege)
  • Review the mS-DS-ConsistencyGuid attribute of compromised accounts (thanks @DebugPrivilege)
  • Check Exchange (easy right?)
  • Review accounts for “Key Trust Account Mapping” takeover and reset if required (thanks @nodauf)
    • https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
  • Review Active Directory Domains and Trusts (thanks @dragon199421)
  • Deploy new Domain Controllers (keep existing forest/domain metadata)
  • Clear VSS/backups/snapshots that are likely to be classed as unsafe (thanks to @Digit4lbytes)
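As an added example (not from the original post), here is a read-only PowerShell review covering three of the checks above: the machine account password age setting, Key Trust Account Mapping (msDS-KeyCredentialLink) and RBCD backdoors (msDS-AllowedToActOnBehalfOfOtherIdentity). It assumes a domain-joined admin host with the ActiveDirectory RSAT module, read rights to the directory, local admin on the hosts queried, and `$Hosts` is a constructed sample list.

```powershell
# Added example, not the post's own code. Read-only review of three checklist items.
# Assumptions: ActiveDirectory RSAT module installed, directory read rights, local admin
# on the hosts in $Hosts (a constructed sample), and 30 days as the Microsoft default age.
Import-Module ActiveDirectory

# 1. Machine account password age: the local Netlogon policy on each host, plus AD-side
#    computers whose password is older than the default. A raised MaximumPasswordAge or
#    DisablePasswordChange=1 extends how long a stolen machine hash stays valid.
$Hosts      = @('DC01', 'FILESRV01')   # constructed sample; replace with your DC/server list
$maxAgeDays = 30
foreach ($h in $Hosts) {
    Invoke-Command -ComputerName $h -ScriptBlock {
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        [pscustomobject]@{
            Host                  = $env:COMPUTERNAME
            MaximumPasswordAge    = $p.MaximumPasswordAge
            DisablePasswordChange = $p.DisablePasswordChange
        }
    } | Where-Object { $_.MaximumPasswordAge -ne $maxAgeDays -or $_.DisablePasswordChange -eq 1 }
}
Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-$maxAgeDays) } |
    Select-Object Name, PasswordLastSet

# 2. Key Trust Account Mapping ("shadow credentials"): every object with msDS-KeyCredentialLink
#    populated. This is legitimate for Windows Hello for Business and Azure AD joined devices,
#    so compare the hits against what you expect rather than treating each one as malicious.
Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink |
    Select-Object Name, ObjectClass, DistinguishedName

# 3. RBCD backdoors: objects with msDS-AllowedToActOnBehalfOfOtherIdentity set, listing the
#    principals allowed to delegate to them. The AD module returns the attribute as an
#    ActiveDirectorySecurity object, so its ACEs can be read directly.
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    ForEach-Object {
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        [pscustomobject]@{
            Target     = $_.DistinguishedName
            Delegators = ($sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join '; '
        }
    }
```

Each section emits only the objects that deviate from the expected state or carry the reviewed attribute; an empty result for sections 2 and 3 means nothing to review.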
Copyright (c) Xservus Limited