Persistence response starts by identifying which trust material was abused. Password resets solve only account-secret persistence. They do not solve forged certificates, krbtgt compromise, AdminSDHolder ACLs, GPO tampering, SIDHistory, or ADFS token-signing compromise.
Kerberos ticket response
Get-ADUser krbtgt -Properties PasswordLastSet,msDS-KeyVersionNumber
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | Select-Object -First 50 TimeCreated,Message
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Select-Object -First 50 TimeCreated,Message
Rotate krbtgt twice
$NewPassword = ConvertTo-SecureString ([Guid]::NewGuid().Guid + [Guid]::NewGuid().Guid) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $NewPassword
Get-ADUser krbtgt -Properties PasswordLastSet,msDS-KeyVersionNumber
Use the official Microsoft krbtgt rotation script or a controlled two-step reset process. Wait for replication and ticket lifetime boundaries between resets.
Shadow Credentials review
Get-ADObject -LDAPFilter "(msDS-KeyCredentialLink=*)" -Properties msDS-KeyCredentialLink,whenChanged |
Select-Object Name,ObjectClass,DistinguishedName,whenChanged,msDS-KeyCredentialLink
DCSync rights review
$DomainDN = "DC=ootw,DC=local"
Get-ACL "AD:\$DomainDN" |
Select-Object -ExpandProperty Access |
Where-Object {
$_.ObjectType -match "1131f6aa|1131f6ad|89e95b76" -or
$_.ActiveDirectoryRights -match "ExtendedRight"
} |
Select-Object IdentityReference,ActiveDirectoryRights,ObjectType,IsInherited
AdminSDHolder review
Get-ACL "AD:\CN=AdminSDHolder,CN=System,DC=ootw,DC=local" |
Select-Object -ExpandProperty Access |
Select-Object IdentityReference,ActiveDirectoryRights,ObjectType,IsInherited
GPO review
Get-GPO -All | Sort-Object ModificationTime -Descending | Select-Object DisplayName,Id,Owner,ModificationTime
Get-GPInheritance -Target "DC=ootw,DC=local"
Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include *.xml,*.ps1,*.bat,*.vbs | Select-Object FullName,LastWriteTime
SIDHistory review
Get-ADObject -LDAPFilter "(sIDHistory=*)" -Properties sIDHistory,objectSid,sAMAccountName,whenChanged |
Select-Object Name,ObjectClass,sAMAccountName,ObjectSid,SIDHistory,whenChanged
DSRM review
reg query HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior
Disable DSRM network logon
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DsrmAdminLogonBehavior /t REG_DWORD /d 0 /f
Certificate persistence review
certutil -store my
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotBefore,NotAfter,SerialNumber"
certutil -enterprise -viewstore NTAuth
Golden SAML response
Import-Module ADFS
Get-AdfsCertificate
Get-AdfsRelyingPartyTrust
Get-AdfsProperties
Hardening
- Protect Tier 0 systems and accounts separately from workstations.
- Limit who can modify GPOs, GPO links, AdminSDHolder, domain root ACLs, and ADCS objects.
- Monitor changes to
msDS-KeyCredentialLink,servicePrincipalName,sIDHistory, privileged group membership, and replication rights. - Require strong service account secrets or gMSA.
- Protect CA private keys and ADFS token-signing keys like domain compromise material.
- Keep Domain Controllers off general administration paths.