Credential and Account Lockdown
Disable compromised accounts, revoke active sessions, and reset credentials. Ensure the attacker loses every authenticated access path, including OAuth tokens, service principals, and cached Kerberos tickets.
Actions
1. Disable the compromised user account in AD: `Disable-ADAccount -Identity compromised_user` and in Azure AD: `Set-AzureADUser -ObjectId <user_id> -AccountEnabled $false`.
2. Revoke all Azure AD refresh tokens immediately: `Revoke-AzureADUserAllRefreshToken -ObjectId <user_id>`. For M365, also detach the user from registered devices (the cmdlet needs both the device ObjectId and the UserId): `Get-AzureADUserRegisteredDevice -ObjectId <user_id> | ForEach-Object { Remove-AzureADDeviceRegisteredUser -ObjectId $_.ObjectId -UserId <user_id> }`.
3. Force Kerberos ticket expiry for on-prem AD: reset the user password twice (this invalidates all cached TGTs). Then reset the KRBTGT account if a Golden Ticket is suspected: `Reset-KrbtgtKeys -Server DC01 -Force`.
4. Audit all OAuth app consents for the compromised user: `Get-AzureADUserOAuth2PermissionGrant -ObjectId <user_id>` -- revoke any suspicious third-party app grants.
5. Check for and remove any attacker-created inbox rules, mail forwarding, or delegates: `Get-InboxRule -Mailbox compromised_user | Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.DeleteMessage }` -- remove with `Remove-InboxRule`.
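As an added example that is not part of this playbook, the following PowerShell chains steps 1-5 for one account, with a -ReportOnly switch so the OAuth-grant and inbox-rule review can be run before anything is disabled. It assumes the ActiveDirectory, AzureAD and ExchangeOnlineManagement modules are loaded and already connected with an IR admin session; $Upn and $SamAccountName are placeholders for the compromised user.

```powershell
# Added example (not the playbook's own tooling). Assumes Connect-AzureAD and
# Connect-ExchangeOnline have already been run, and AD cmdlets reach a writable DC.
param(
    [Parameter(Mandatory)][string]$Upn,             # cloud UPN of the compromised user (placeholder)
    [Parameter(Mandatory)][string]$SamAccountName,  # on-prem AD identity of the same user
    [switch]$ReportOnly                             # inspect only: no disable, revoke or remove
)

$user = Get-AzureADUser -ObjectId $Upn
Write-Host "Target: $($user.UserPrincipalName) ($($user.ObjectId))"

if (-not $ReportOnly) {
    # Step 1: disable on-prem and cloud accounts.
    Disable-ADAccount -Identity $SamAccountName
    Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

    # Step 2: revoke refresh tokens, then detach the user from registered devices.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId | ForEach-Object {
        Remove-AzureADDeviceRegisteredUser -ObjectId $_.ObjectId -UserId $user.ObjectId
    }

    # Step 3: two resets to random values so no cached on-prem credential still matches.
    1..2 | ForEach-Object {
        $pw = ConvertTo-SecureString ([guid]::NewGuid().Guid + 'Aa!') -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $pw
    }
}

# Step 4: list every OAuth consent with the app it belongs to; revoke after review with
# Remove-AzureADOAuth2PermissionGrant -ObjectId <GrantId>.
Get-AzureADUserOAuth2PermissionGrant -ObjectId $user.ObjectId | ForEach-Object {
    $app = Get-AzureADServicePrincipal -ObjectId $_.ClientId
    [pscustomobject]@{ GrantId = $_.ObjectId; App = $app.DisplayName; Scope = $_.Scope }
} | Format-Table -AutoSize

# Step 5: inbox rules that forward, redirect or silently delete, plus mailbox-level forwarding.
$rules = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
$rules | Select-Object Name, ForwardTo, RedirectTo, DeleteMessage | Format-Table -AutoSize
if (-not $ReportOnly) {
    $rules | ForEach-Object { Remove-InboxRule -Identity $_.Identity -Confirm:$false }
}

$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox-level forwarding set: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    if (-not $ReportOnly) { Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null }
}
```

Run it once with -ReportOnly to capture the grant and rule inventory for the case file, then again without the switch to contain; the KRBTGT reset from step 3 is deliberately left out because it is a domain-wide action that needs its own change control.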
Queries
let compromised_user = "[email protected]";
SigninLogs
| where UserPrincipalName == compromised_user
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize by IPAddress, AppDisplayName, ClientAppUsed, DeviceDetail_string=tostring(DeviceDetail)
| order by IPAddress

let compromised_user = "[email protected]";
AuditLogs
| where InitiatedBy has compromised_user
| where TimeGenerated > ago(30d)
| where Category == "ApplicationManagement"
| project TimeGenerated, ActivityDisplayName, TargetResources
| order by TimeGenerated desc

CloudAppEvents
| where AccountObjectId == "<user_object_id>"
| where Timestamp > ago(7d)
| where ActionType in ("MailItemsAccessed", "FileDownloaded", "FileUploaded", "Set-InboxRule")
| summarize Count=count() by ActionType, bin(Timestamp, 1h)
| order by Timestamp desc
Notes
- Disabling the account alone is NOT sufficient -- active sessions and tokens remain valid until explicitly revoked. Always revoke tokens AND disable the account.
- If the compromised account has administrative privileges, assume the attacker may have created persistence (backdoor accounts, service principals). Audit all recent user and app creations.
Where to Go Next
- All compromised accounts locked down, need to verify no persistence: M365 UAL Collection
- Compromised account accessed endpoint, need memory capture: Memory Capture
- Lateral movement suspected from compromised account: Lateral Movement
Related Artifacts
- Azure AD (Entra ID) Sign-in Logs: Azure Portal > Entra ID > Monitoring > Sign-in logs (or Microsoft Graph API /auditLogs/signIns)
- Azure AD (Entra ID) Audit Logs: Azure Portal > Entra ID > Monitoring > Audit logs (or Microsoft Graph API /auditLogs/directoryAudits)
- Inbox Rules Audit (Mailbox Forwarding): Unified Audit Log (Operations: New-InboxRule, Set-InboxRule, UpdateInboxRules)
- Service Principal & App Registration Activity: Azure Portal > Entra ID > App registrations and Enterprise applications > Audit logs (or Microsoft Graph API)
Common Blockers
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Unknown Scope of Credential Compromise
One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.
Attacker Using VPN/Tor -- Cannot Determine True Origin
The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.
Suspected Insider Still Has Access -- Investigation Must Be Covert
The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.
Regulatory Notification Deadline Approaching
A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.