Active Directory Hacked

Was your Active Directory hacked?

Here’s a checklist to recover Active Directory after a compromise:

1. Change passwords for all accounts, including service accounts, the built-in Administrator account, group managed service accounts (Reset-ADServiceAccountPassword) and the Directory Services Restore Mode (DSRM) password on every Domain Controller. Do this only after the attacker's access has been cut off; otherwise the new credentials are captured along with the old ones.

2. Reset the krbtgt password twice. Golden tickets are signed with the krbtgt key, and the KDC accepts tickets under both the current and the previous key, so a single reset leaves them valid. Reset once, wait for replication to converge on every Domain Controller (at least the maximum TGT lifetime, 10 hours by default, if you want existing sessions to expire cleanly instead of breaking), then reset again. Each read-only Domain Controller has its own krbtgt_<id> account that must be reset as well. Refer to https://techcommunity.microsoft.com/t... for more information.

3. Implement Multi-Factor Authentication with an app like Duo or Okta, starting with privileged accounts and remote access.

4. Implement Authentication Policies and Authentication Policy Silos. They restrict which hosts an account can obtain Kerberos tickets from, so a stolen service account password is useless anywhere but on the servers that run the service. Great protection for service accounts.

5. Run TCPView on the Domain Controllers and investigate any suspicious connections. Download TCPView at https://learn.microsoft.com/en-us/sys...

6. Run Process Explorer on the Domain Controllers and investigate any suspicious processes. Download Process Explorer at https://learn.microsoft.com/en-us/sys...

7. Monitor all changes to Active Directory (group memberships, ACLs, Group Policy, trusts, SID History). Semperis, Liongard, and Cyberhawk are good Active Directory monitoring solutions.

8. Deploy Endpoint Detection and Response (EDR), or Managed Detection and Response (MDR) if you do not have the staff to run it yourself.

9. Implement a Security Information and Event Management (SIEM) solution and forward the Domain Controllers' Security logs to it.

10. Consider using Windows Server Core for servers, especially Domain Controllers. A smaller installed footprint means fewer components to patch and fewer to exploit.

11. Review SID History. An attacker who can write the sIDHistory attribute can add a privileged SID (Domain Admins, for example) to an ordinary account and keep those rights after the obvious group memberships are cleaned up. Refer to https://www.semperis.com/blog/how-to-... for more information.

12. Review all Trust Relationships in the Active Directory. Remove any trust that is no longer needed, check when each remaining one was created, and confirm SID filtering is enabled on external trusts.
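Steps 1, 2, 11 and 12 are all things you can check from a console before you start changing anything. The script below is an added example, not part of the original post: a read-only review using the RSAT ActiveDirectory module. The incident date, and the idea that anything not rotated since then is exposed, are assumptions you adjust for your own case.

```powershell
# Added example (not part of the original post): a read-only post-compromise review
# that covers checklist steps 1, 2, 11 and 12. Requires the RSAT ActiveDirectory
# module and an account that can read the domain; nothing is modified.
Import-Module ActiveDirectory

# Assumption: the earliest date the intruder is believed to have had access.
# Any credential that was valid before this date has to be treated as exposed.
$IncidentStart = Get-Date '2024-01-15'

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# ---- Step 2: krbtgt -------------------------------------------------------
# Both resets must postdate the incident, otherwise golden tickets forged with
# the old key are still accepted. krbtgt_<id> accounts belong to RODCs and are
# reset separately from the main krbtgt account.
Get-ADUser -LDAPFilter '(sAMAccountName=krbtgt*)' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $IncidentStart } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) password last set $($_.PasswordLastSet), before the incident" }

# ---- Step 1: credentials not rotated since the incident -------------------
# PasswordLastSet is $null when pwdLastSet is 0 ("must change at next logon");
# treat that as not rotated too.
$notRotated = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, servicePrincipalName, adminCount |
    Where-Object { $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $IncidentStart })
$svcAccounts = @($notRotated | Where-Object { $_.servicePrincipalName.Count -gt 0 })   # Kerberoastable
$privileged  = @($notRotated | Where-Object { $_.adminCount -eq 1 })                  # protected by AdminSDHolder
"{0} enabled users still have pre-incident passwords ({1} with SPNs, {2} with adminCount=1)" -f $notRotated.Count, $svcAccounts.Count, $privileged.Count
$privileged | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

# Machine accounts rotate their own password every 30 days by default; one that
# has not is either off the network or not behaving like a domain member should.
$staleComputers = @(Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-30) })
"{0} enabled computers have machine-account passwords older than 30 days" -f $staleComputers.Count

# ---- Step 11: SID History -------------------------------------------------
# Legitimate SID History holds SIDs from a *migrated* source domain. A SID from
# this very domain, or a well-known privileged RID, is injected persistence.
$privilegedRids = 512, 518, 519, 544   # Domain Admins, Schema Admins, Enterprise Admins, BUILTIN\Administrators
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass | ForEach-Object {
    foreach ($sid in $_.sIDHistory) {
        $rid        = [int]($sid.Value -split '-')[-1]
        $sameDomain = $null -ne $sid.AccountDomainSid -and $sid.AccountDomainSid.Value -eq $domainSid
        $flag = if ($sameDomain) { 'SAME-DOMAIN' } elseif ($rid -in $privilegedRids) { 'PRIVILEGED-RID' } else { 'review' }
        [pscustomobject]@{ Object = $_.DistinguishedName; Class = $_.objectClass; SidHistory = $sid.Value; Flag = $flag }
    }
} | Format-Table -AutoSize

# ---- Step 12: trusts ------------------------------------------------------
# A trust created during the incident window is a backdoor. For the rest, check
# that each is still needed and that SID filtering (SIDFilteringQuarantined) is
# on for external trusts.
$trusts = Get-ADTrust -Filter * -Properties whenCreated
$trusts | Where-Object { $_.whenCreated -ge $IncidentStart } |
    ForEach-Object { Write-Warning "Trust $($_.Name) was created $($_.whenCreated), inside the incident window" }
$trusts | Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
    SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication, TGTDelegation, whenCreated |
    Format-Table -AutoSize
```

Run it from a clean administrative workstation, not from a Domain Controller you suspect is still attacker-controlled, and keep the output: the SID History and trust tables are the baseline you compare against once the monitoring from step 7 is in place.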

This is NOT a comprehensive list, but it is a good starting point.
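Step 4 is the one item above that most people have not done before, so here is a worked configuration. It is an added example, not part of the original post: it fences one service account into an Authentication Policy Silo so the KDC only issues it tickets when the request comes from the hosts that run the service. The account, host, silo and policy names are assumed. It requires a domain functional level of 2012 R2 or later, "KDC support for claims, compound authentication and Kerberos armoring" enabled on the Domain Controllers, and the matching Kerberos client setting on the member servers.

```powershell
# Added example (not part of the original post): fence a service account into an
# Authentication Policy Silo (checklist step 4). Account, host, silo and policy
# names are assumptions; replace them with your own.
param([switch]$Enforce)   # run without it first (audit mode), then with it once the audit is clean
Import-Module ActiveDirectory

$Account    = 'svc-backup'            # the service account being fenced
$Hosts      = 'APP01', 'APP02'        # the only computers it may authenticate from
$SiloName   = 'Backup-Service-Silo'
$PolicyName = 'Backup-Service-Policy'

# Condition in SDDL: the device making the request must itself be a member of this silo.
$fromSiloOnly = "O:SYG:SYD:(XA;OI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"

# 1. Policy: a short TGT lifetime plus the device condition. Created without -Enforce
#    it starts in audit mode: the DCs log what would have been denied instead of denying.
New-ADAuthenticationPolicy -Name $PolicyName `
    -UserTGTLifetimeMins 60 `
    -UserAllowedToAuthenticateFrom $fromSiloOnly

# 2. Silo that applies the policy to its user, computer and service members.
New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy $PolicyName `
    -ComputerAuthenticationPolicy $PolicyName `
    -ServiceAuthenticationPolicy $PolicyName

# 3. Membership is two-sided: the silo must permit the account, and the account
#    must be assigned to the silo. The hosts join too, or the device condition
#    above can never be satisfied.
$members = @(Get-ADUser -Identity $Account) + @($Hosts | ForEach-Object { Get-ADComputer -Identity $_ })
foreach ($m in $members) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $m
    Set-ADAccountAuthenticationPolicySilo  -Identity $m -AuthenticationPolicySilo $SiloName
}

# 4. Verify: the silo lists every member and the account points back at the silo.
Get-ADAuthenticationPolicySilo -Identity $SiloName -Properties Members | Select-Object -ExpandProperty Members
Get-ADUser -Identity $Account -Properties AuthenticationPolicySilo | Select-Object SamAccountName, AuthenticationPolicySilo

# 5. Only after the audit period shows requests from the expected hosts alone.
#    Until this runs, a stolen svc-backup password still works from anywhere.
if ($Enforce) {
    Set-ADAuthenticationPolicy     -Identity $PolicyName -Enforce $true
    Set-ADAuthenticationPolicySilo -Identity $SiloName   -Enforce $true
}
```

Leave it in audit mode long enough to catch every place the account is really used (scheduled tasks on a box nobody remembered, a monitoring probe); each of those is either a host to add to the silo or a use of the account that should stop. The same pattern, with a separate silo, is how you fence Domain Admin accounts to their administrative workstations.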

If you need help recovering from a hack, email info@adscon.com.

