Playbooks
T1558Active Directory Compromise Response
A step-by-step playbook for responding to an Active Directory compromise — golden ticket detection, DCSync detection, Kerberoasting triage, ACL abuse response, and krbtgt password reset procedure.
View on Graph
What This Playbook Covers
- This playbook handles confirmed or suspected AD compromise. “Confirmed” means you have evidence that an attacker has gained Domain Admin privileges, extracted the AD database, or forged Kerberos tickets.
- It covers the four most common AD compromise scenarios: golden ticket, DCSync, Kerberoasting with privilege escalation, and ACL abuse. Each has distinct detection signatures and response procedures.
- The krbtgt password reset procedure (Section 5) is the most critical technical action in AD recovery. It invalidates all existing Kerberos tickets — including forged golden tickets.
- MITRE ATT&CK maps the impact phase to
T1558(Steal or Forge Kerberos Tickets) andT1003(OS Credential Dumping) for DCSync.
Phase 0: Determine the AD Compromise Type (0-15 minutes)
Before executing response actions, confirm which type of AD compromise you are dealing with.
Golden Ticket Detection
A golden ticket is a forged Kerberos TGT (Ticket-Granting Ticket) that grants Domain Admin access. The attacker creates it offline using the krbtgt account’s password hash — they do not need to be on the network to forge it.
Detection indicators:
| Indicator | Where to Check | What It Means |
|---|---|---|
| Kerberos TGT with lifetime > 10 hours | Event 4768 — TicketOptions and TicketEncryptionType | Default TGT lifetime is 10 hours. Golden tickets often have extended lifetimes (days, years). |
| Ticket encryption type mismatch | Event 4768 — TicketEncryptionType | Domain-joined systems use AES256. Golden tickets often use RC4 (the older, weaker encryption) because the attacker has the RC4 hash of krbtgt. |
| Anomalous TGT request for krbtgt | Event 4768 — Account Name = krbtgt$ | Normal krbtgt usage is infrequent. Multiple TGT requests for krbtgt indicates golden ticket usage. |
| TGT from non-DC to DC | Sysmon Event 3 — network connection from user workstation to DC on port 88 | Users should request TGTs via their DC’s Kerberos KDC service. If a workstation makes a direct Kerberos request with a forged ticket, it points to golden ticket use. |
| Logon with no preceding authentication | Event 4624 with LogonType 3 (network) but no preceding 4625 or 4776 | Golden tickets bypass authentication — the ticket itself is the credential. |
SPL query — detect golden ticket via extended TGT lifetime:
index=windows EventCode=4768
| eval ticket_hours = (TicketEndTime - TicketStartTime) / 3600000
| where ticket_hours > 12
| eval alert = "CRITICAL — TGT with lifetime " . round(ticket_hours, 1) . " hours — possible golden ticket for " . Account_Name
| table _time, Account_Name, TicketStartTime, TicketEndTime, ticket_hours, alert
| sort - ticket_hoursSPL query — detect RC4-encrypted TGT (non-AES):
index=windows EventCode=4768
| search TicketEncryptionType!="0x12" AND TicketEncryptionType!="0x17" (AES256/128 check)
| eval alert = "HIGH — TGT with non-AES encryption (" . TicketEncryptionType . ") — possible golden ticket for " . Account_Name
| table _time, Account_Name, TicketEncryptionType, TicketOptions, alertDCSync Detection
DCSync replicates the AD database from a Domain Controller to a requesting entity. Only Domain Controllers need this right. When a non-DC system requests AD replication, it is likely an attacker trying to dump all password hashes.
Detection indicators:
| Indicator | Where to Check | What It Means |
|---|---|---|
| DS-Replication-GetChanges and DS-Replication-GetChanges-All | Event 4662 — AccessMask containing DS-Replication-GetChanges | These rights are required for DCSync. Only DCs should have them enabled. Every DCSync attempt generates Event 4662. |
| Non-DC replication request | Event 4662 — SubjectUserName is not a Domain Controller account | DCSync from a workstation or server account is malicious. |
Mimikatz lsadump::dcsync usage | Process creation — mimikatz.exe or Invoke-Mimikatz with DCSync options | The specific PowerShell action lsadump::dcsync /user:krbtgt reveals the attacker targeting krbtgt. |
| High network traffic to DC on port 389 | Sysmon Event 3 — network connections to DC on LDAP/GC port | DCSync generates a large amount of LDAP traffic as it replicates the database. |
SPL query — detect replication request from non-DC:
index=windows EventCode=4662
| search AccessMask="*DS-Replication-GetChanges*"
| search SubjectUserName!="*$"
| eval alert = "CRITICAL — DCSync from non-computer account " . SubjectUserName . " — AD database replication"
| table _time, SubjectUserName, ObjectName, AccessMask, alert
| sort - _timeKerberoasting Detection
Kerberoasting requests a Kerberos service ticket for a service account, extracts the encrypted ticket, and cracks the service account password offline.
Detection indicators:
| Indicator | Where to Check | What It Means |
|---|---|---|
| Multiple 4769 events from same source | Event 4769 — same source IP, multiple service names | The attacker requests tickets for every service with an SPN. |
| 4769 with RC4 encryption | Event 4769 — TicketEncryptionType = 0x17 (RC4) | Modern Windows uses AES encryption by default. RC4 tickets are weaker and easier to crack — attackers request RC4 specifically. |
| 4769 for unusual services | Event 4769 — ServiceName that is not in normal rotation | Testing every SPN in the domain. |
| 4769 followed by no service access | Event 4769 without a corresponding 4624 for the same service | The attacker requested the ticket but never used it — they only wanted the encrypted ticket for offline cracking. |
SPL query — detect kerberoasting via multiple 4769 events:
index=windows EventCode=4769
| stats dc(ServiceName) as unique_services, count as total_requests by Account_Name, IpAddress
| where unique_services > 5
| eval alert = "HIGH — " . total_requests . " service ticket requests for " . unique_services . " different services from " . Account_Name . " — Kerberoasting"
| table _time, Account_Name, IpAddress, unique_services, total_requests, alert
| sort - total_requestsACL Abuse Detection
ACL abuse occurs when an attacker with compromised AD permissions modifies ACLs to gain additional access — adding themselves to a privileged group, changing user passwords, or modifying object ownership.
Detection indicators:
| Indicator | Where to Check | Detection |
|---|---|---|
| ACL modification event | Event 5136 — Directory Service Object Modified | An AD ACL was changed. Cross-reference with known change management. |
| Group membership change | Event 4728, 4732 — user added to admin group | User added to a privileged group by an unexpected account. |
| Password reset on admin account | Event 4724 — user password reset | Password reset attempted on a privileged account. |
| Ownership change | Event 5136 with SDSignature change | Object ownership transferred — WriteOwner ACL abuse. |
| ACL change on AdminSDHolder | Event 5136 on CN=AdminSDHolder,CN=System | AdminSDHolder protects privileged accounts. Modifying it is a persistence technique. |
SPL query — detect privileged ACL modifications:
index=windows EventCode=5136
| search ObjectDN IN ("*Domain Admins*", "*Enterprise Admins*", "*Schema Admins*", "*Administrators*", "*AdminSDHolder*")
| stats count by Account_Name, ObjectDN, AttributeValue
| eval alert = "CRITICAL — ACL modification on " . ObjectDN . " by " . Account_Name
| table _time, Account_Name, ObjectDN, AttributeValue, alert
| sort - _timePhase 1: Immediate Containment (15-30 minutes)
Critical Actions — Do These First
- Disable the compromised user account(s) —
Disable-ADAccount -Identity "CompromisedUser" - Reset the compromised user’s password —
Set-ADAccountPassword -Identity "CompromisedUser" -Reset -NewPassword (ConvertTo-SecureString "NewP@ssw0rd!" -AsPlainText -Force) - Remove compromised user from privileged groups —
Remove-ADGroupMember -Identity "Domain Admins" -Members "CompromisedUser" - Revoke all Kerberos tickets for compromised user —
Get-ADUser -Identity "CompromisedUser" | Revoke-ADAuthenticationPolicy(or wait for automatic expiration) - Block network access from compromised systems — Block at firewall or isolate at switch level
- Enable enhanced audit logging on all DCs —
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable - Capture memory from affected DCs — Do NOT reboot. Use
dumpit.exeorwinpmemto capture memory for forensic analysis.
What NOT to Do
| Action | Why It’s Dangerous |
|---|---|
| Reboot the Domain Controller | Destroys memory evidence, Kerberos tickets, and active sessions. Never reboot without forensic capture. |
| Reset krbtgt password immediately | Invalidating all Kerberos tickets will break every service in the domain. Only do this after preparation (see Phase 4). |
| Trust that “containing” the attacker is enough | If the attacker has the krbtgt hash, they can forge golden tickets offline — containment of network access does not prevent this. |
| Use the same reset password format | Attackers may have pre-computed rainbow tables for common reset patterns. |
| Assume DCSync means only one user was targeted | DCSync extracts the full AD database — every user’s hash is compromised. |
Phase 2: Evidence Preservation (30-45 minutes)
What to Capture
| Evidence | Capture Method | Why Important |
|---|---|---|
| DC memory dump | dumpit.exe or winpmem on each DC | Contains active Kerberos tickets, LSASS credentials, process list |
| All Event Logs | wevtutil epl Security C:\captures\security.evtx on each DC | 4768, 4769, 4662, 5136, 4624, 4625 |
| Sysmon logs | wevtutil epl Microsoft-Windows-Sysmon/Operational C:\captures\sysmon.evtx | Full process and network telemetry |
| NTDS.dit | Volume Shadow Copy copy of %SystemRoot%\NTDS\NTDS.dit | The AD database itself — for determining what data was accessed |
| System hive (SYSTEM registry) | reg save HKLM\SYSTEM C:\captures\SYSTEM | Needed to decrypt NTDS.dit offline |
| Active network connections | netstat -ano output from DCs | Current attacker connections, C2 endpoints |
| DNS log | DNS query logs from DC DNS server | Domain enumeration queries from attacker IPs |
Phase 3: Investigation — Determine Blast Radius (45-90 minutes)
Questions to Answer
| Question | Evidence Source | How to Determine |
|---|---|---|
| Which accounts were compromised? | Kerberos logs (4768, 4769), logon logs (4624) | List every account with anomalous authentication during the compromise window. |
| Was krbtgt hash stolen? | DCSync detection, Event 4662 with replication rights | If DCSync was executed, assume krbtgt hash was stolen. Reset krbtgt password (Phase 4). |
| Were golden tickets forged and used? | TGT lifetime > 10 hours, RC4 encryption, no preceding authentication | Golden ticket usage produces anomalous Kerberos events. |
| Was AD ACL modified? | Event 5136 on privileged objects | Check AdminSDHolder, Domain Admins, Enterprise Admins, each DC computer object. |
| Was lateral movement performed? | Event 4624, 4648, 4688 across multiple servers | Trace from compromised account to downstream systems. |
| What data was accessed? | File server audits, SharePoint/OneDrive access, email access logs | Determine scope of data accessed by compromised accounts. |
Cross-Correlation Query
KQL query — build timeline of all AD-related changes during compromise window (run in KQL-enabled Sentinel):
// Create a timeline of all critical AD events
let knownEvents = dynamic(["4624", "4625", "4648", "4768", "4769", "4662", "5136", "4728", "4732", "4720"]);
SecurityEvent
| where TimeGenerated between (datetime(2026-05-15) .. datetime(2026-05-23))
| where EventID in (knownEvents)
| project TimeGenerated, Computer, EventID, Account, Activity
| order by TimeGenerated ascPhase 4: krbtgt Password Reset — The Emergency Recovery Step
The krbtgt account is the most important account in any AD domain. Its password hash is used to sign all Kerberos tickets — including golden tickets. If the attacker has the krbtgt hash, they can forge unlimited golden tickets until the hash is changed.
When to Reset krbtgt
| Scenario | Reset krbtgt? | Priority |
|---|---|---|
| DCSync confirmed (NTDS.dit extracted) | Yes — immediately | Critical |
| Golden ticket detected in use | Yes — immediately | Critical |
| Domain Admin account compromised, no DCSync confirmed | Yes — after impact assessment | High |
| Kerberoasting only (no DA compromise) | No — do not reset krbtgt | N/A |
| ACL abuse only (no DA compromise) | No — reset compromised account passwords only | N/A |
krbtgt Password Reset Procedure
The krbtgt password must be reset twice in succession to invalidate all existing Kerberos tickets. A single reset does not invalidate tickets created before the reset — only the second reset fully invalidates them.
# STEP 1: Verify current krbtgt password age
Get-ADUser krbtgt -Properties PasswordLastSet, PasswordExpired
# STEP 2: Reset krbtgt password — First reset
$newPwd = ConvertTo-SecureString -AsPlainText "New-36-Character-Random-Password@2026!" -Force
Set-ADAccountPassword -Identity krbtgt -NewPassword $newPwd -Reset
# Wait 30 minutes (or until all DCs have replicated the new password)
# STEP 3: Reset krbtgt password — Second reset
$newPwd2 = ConvertTo-SecureString -AsPlainText "Second-36-Character-Random-Password@2026!" -Force
Set-ADAccountPassword -Identity krbtgt -NewPassword $newPwd2 -Reset
# STEP 4: Force replication and verify
Repadmin /syncall /AdeP
Get-ADUser krbtgt -Properties PasswordLastSetWhat Happens During Each Reset
| Reset | Effect | User Impact |
|---|---|---|
| First reset | All existing Kerberos tickets issued before this reset become invalid for NEW TGT requests. | Users with existing tickets can continue using them until they expire. NEW authentication requires a new TGT. |
| Wait period (30 min) | Allows all DCs to replicate the new password. | (Same as above) |
| Second reset | All remaining Kerberos tickets — including golden tickets — are fully invalidated. | All users must re-authenticate. Domain services may temporarily break. |
Expected Service Disruptions
| Service | Expected Impact | Mitigation |
|---|---|---|
| Domain-joined computers | Users prompted to re-authenticate | Normal — tickets are refreshed automatically |
| SQL Server (Kerberos auth) | Authentication failures for 5-15 minutes | Restart SQL Server service after second reset |
| IIS / web applications (Kerberos) | 401 errors during ticket refresh | Restart IIS or wait 10-15 minutes |
| Exchange / SharePoint | Potential authentication delays | Monitor health after reset, restart if needed |
| Service accounts (gMSA) | Automatic password refresh — no impact | None needed |
| Service accounts (standard) | Possible authentication failures | Restart services or update SPN registrations |
Phase 5: Recovery and Hardening (90+ minutes)
Immediate Recovery Steps
- Reset all service account passwords — Especially accounts in Domain Admins, Enterprise Admins, and accounts with SPNs (kerberoastable)
- Reset all user passwords for users whose accounts showed anomalous activity during the compromise window
- Review and reset privileged group memberships — Remove any accounts that should not be in Domain Admins, Enterprise Admins, Schema Admins
- Audit ACLs on privileged objects — Check AdminSDHolder, each DC computer object, OU delegation for unauthorized ACL modifications
- Enable Kerberos logging on all DCs —
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable - Enable DCSync-specific alerting — Create analytics rule for Event 4662 with DS-Replication-GetChanges on non-DC accounts
- Rotate all computer account passwords —
Reset-ComputerMachinePasswordon domain-joined servers
Long-Term Hardening
| Control | What It Prevents | Implementation |
|---|---|---|
| MFA for all admin accounts | Stolen password → admin access | Azure AD PIM with MFA, Windows Hello for Business |
| AD tiering model | Lateral movement from low-value to high-value accounts | Separate admin workstations per tier (Tier 0/1/2) |
| Protected Users group | Kerberos authentication hardening | Add all admin accounts to Protected Users group — prevents credential delegation and NTLM |
| Authentication silos | Restricts which accounts can authenticate to which systems | Define auth policies per tier |
| Red admin count | Reduces attack surface | Maximum 2-3 break-glass Domain Admin accounts |
| AdminSDHolder monitoring | ACL modification detection | Alert on any change to AdminSDHolder object |
| Kerberos monitoring | Golden ticket, kerberoasting, DCSync detection | Analytics rules for 4768, 4769, 4662 anomalies |
| LAPS (Local Admin Password Solution) | Lateral movement via local admin password reuse | Random, rotated local admin passwords per machine |
Post-Incident Checklist
- krbtgt password reset completed (two resets with replication wait)
- All service account passwords reset
- All privileged user passwords reset
- Privileged group memberships audited and reduced
- AD ACLs audited for unauthorized changes
- Kerberos monitoring rules created in SIEM
- Incident report completed with timeline, findings, and recommendations
- Post-mortem review with AD team and security team
Related
- Credential Theft Incident Response — detection and response for T1558.001, T1003.001, T1134 techniques
- Active Directory Basics — covers the active directory basics concepts
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
- Indicators: IoC, IoA, and TTP — covers the indicators: ioc, ioa, and ttp concepts
- MITRE ATT&CK for Triage — covers the mitre att&ck for triage concepts