Eradication | P1 | ~480 min

Assume-Breach Rebuild and Identity Reset

After an APT-grade compromise, surgical cleanup is rarely sufficient: the adversary usually still holds persistence mechanisms and valid credentials that the investigation did not find. Execute an assume-breach reset: domain-wide credential rotation, identity-provider trust refresh, golden/silver ticket invalidation (krbtgt and service-account key rotation), and rebuilds of every affected tier.

Actions

  1. Reset the `krbtgt` password twice, waiting longer than the maximum TGT lifetime (10 hours by default; many playbooks wait 24-48 h) and for the first reset to replicate to every DC before performing the second. This invalidates every existing TGT, golden tickets included. If the domain has RODCs, reset their per-RODC `krbtgt_<id>` accounts as well; the domain `krbtgt` reset does not touch them.

  2. Rotate all service-account credentials, managed service account passwords, certificate-based service principals, and Entra ID application secrets/certificates; prioritize accounts with elevated or cross-tenant access. Rotating a service account's key also invalidates silver tickets forged for that service.

  3. Rotate domain-admin, enterprise-admin, and schema-admin passwords and require re-enrollment of smart cards or other phishing-resistant MFA for those accounts.

  4. Rebuild domain controllers from known-clean media if any DC shows evidence of compromise; verify AdminSDHolder, Default Domain Policy, Default Domain Controllers Policy, and GPO/SYSVOL integrity.

  5. Rotate all PKI material that may have been exposed (CA private keys if a CA host was touched, which means re-keying the CA and re-issuing its certificate; AD CS templates) and revoke certificates issued during the compromise window where possible.

  6. For Entra ID: revoke refresh tokens for every user, audit application consents and remove or re-issue any that cannot be explained, rotate service-principal secrets, and compare Conditional Access policies against a known-good baseline (adversaries tend to add exclusions rather than delete policies).

  7. Rebuild, do not just clean, systems confirmed compromised and any system on the same trust tier that cannot be exhaustively verified.
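The double krbtgt reset in step 1 is the step most often done wrong, either by firing the second reset before the first has replicated or by forgetting the RODC accounts. The script below is an added example, not part of the original playbook: it reads krbtgt's PasswordLastSet from every writable DC directly, refuses to reset until all DCs agree and more than the TGT lifetime has elapsed, and then rotates `krbtgt` plus every `krbtgt_<id>` account. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and that `-MaxTgtLifetimeHours` matches the domain's Kerberos policy (10 h is the default); none of that is stated on the page.

```powershell
# Added example (not from the original playbook): gate for the double krbtgt reset.
# Assumptions: RSAT ActiveDirectory module, Domain Admin rights, -MaxTgtLifetimeHours
# equals the domain Kerberos policy's maximum TGT lifetime (default 10 h).
param(
    [int]$MaxTgtLifetimeHours = 10,
    [switch]$PerformReset          # dry run unless explicitly requested
)
Import-Module ActiveDirectory

function Get-KrbtgtResetState {
    param([int]$MaxTgtLifetimeHours)
    $krbtgtDn    = (Get-ADUser -Identity krbtgt).DistinguishedName
    $writableDcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    # Query each writable DC directly so replication lag cannot hide a DC still on the old key.
    $perDc = foreach ($dc in $writableDcs) {
        $u = Get-ADUser -Identity $krbtgtDn -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $u.PasswordLastSet }
    }
    $newest     = ($perDc.PasswordLastSet | Sort-Object -Descending)[0]
    $replicated = @($perDc | Where-Object { $_.PasswordLastSet -ne $newest }).Count -eq 0
    $hours      = ((Get-Date) - $newest).TotalHours
    [pscustomobject]@{
        PerDc            = $perDc
        LastSet          = $newest
        HoursSinceReset  = [math]::Round($hours, 1)
        FullyReplicated  = $replicated
        # Safe only when the previous key is everywhere AND older tickets have expired.
        SafeForNextReset = $replicated -and ($hours -gt $MaxTgtLifetimeHours)
    }
}

function New-RandomPassword {
    # 32 printable ASCII characters from a CSPRNG; the DC derives the Kerberos keys from it.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { [char](33 + ($_ % 94)) })
}

function Reset-KrbtgtAccount {
    param([string]$Identity)
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
    Write-Host "Reset $Identity at $(Get-Date -Format o)"
}

$state = Get-KrbtgtResetState -MaxTgtLifetimeHours $MaxTgtLifetimeHours
$state.PerDc | Format-Table -AutoSize
$state | Select-Object LastSet, HoursSinceReset, FullyReplicated, SafeForNextReset | Format-List

if ($PerformReset) {
    if (-not $state.SafeForNextReset) {
        throw "Refusing to reset: wait for full replication and for more than $MaxTgtLifetimeHours h since the last reset."
    }
    Reset-KrbtgtAccount -Identity krbtgt
    # Each RODC has its own krbtgt_<id> account; the domain krbtgt reset does not rotate them.
    Get-ADUser -Filter 'SamAccountName -like "krbtgt_*"' |
        ForEach-Object { Reset-KrbtgtAccount -Identity $_.SamAccountName }
    # Push the new key to every DC now rather than waiting for the replication schedule.
    repadmin /syncall /AdeP | Out-Null
}
```

Run it without `-PerformReset` first and record the per-DC table as evidence; run it with `-PerformReset` for the first reset, then again once `SafeForNextReset` is true. Expect a burst of re-authentication and some service restarts after each reset, because every TGT issued under the retired key stops validating.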

Queries

$cutoff = (Get-Date).AddDays(-1)  # AD filters cannot evaluate method calls inline; compute the date first
Get-ADUser -Filter {Enabled -eq $true -and PasswordLastSet -lt $cutoff} -Properties PasswordLastSet | Where-Object {$_.SamAccountName -match "svc|admin|backup"}  # privileged/service accounts not yet rotated in the last 24 h
Get-ADServiceAccount -Filter {ObjectClass -eq "msDS-GroupManagedServiceAccount"} -Properties msDS-ManagedPasswordInterval,PasswordLastSet  # gMSA inventory and rotation interval
Connect-MgGraph -Scopes "Application.Read.All"  # Microsoft Graph PowerShell; required before Get-MgServicePrincipal
Get-MgServicePrincipal -All | Select-Object DisplayName, AppId, @{n="SecretCount";e={$_.PasswordCredentials.Count}}, @{n="CertCount";e={$_.KeyCredentials.Count}} | Where-Object {$_.SecretCount -gt 0 -or $_.CertCount -gt 0}  # service principals holding secrets or certificates to rotate

Notes

The double krbtgt reset is required because the KDC accepts tickets encrypted under both the current and the immediately previous krbtgt key; after a single reset a golden ticket forged with the pre-incident key still validates. Only the second reset retires that key. The gap between resets must exceed the maximum TGT lifetime and the first reset must have replicated to every DC, otherwise legitimate clients get authentication failures rather than a clean re-issue.

Service-account rotations break dependent services. Sequence carefully with application owners, and prefer scripted rotation over ad-hoc changes. Group managed service account passwords are derived from the KDS root key replicated to every DC; if a DC was compromised, treat that root key as exposed, which means creating a new root key and re-creating the gMSAs rather than waiting for the normal rotation interval.

AdminSDHolder, Default Domain Policy, and GPO tampering are common APT persistence; review them as part of the rebuild even if not explicitly flagged.
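The note above says to review AdminSDHolder and the GPOs even when nothing flagged them; the script below is an added example of what that review looks like, not code from the original playbook. It flags AdminSDHolder ACEs that grant write-class rights to trustees outside the built-in admin set (sdprop stamps this ACL onto every protected account, so one extra ACE is persistent domain-wide control), lists the two default GPOs and anything modified after the assumed intrusion start, and lists SYSVOL policy files changed in the same window. It assumes the ActiveDirectory and GroupPolicy RSAT modules and takes `-IncidentStart` as a hypothetical parameter that the investigation supplies.

```powershell
# Added example (not from the original playbook): AdminSDHolder, GPO and SYSVOL review.
# Assumptions: ActiveDirectory + GroupPolicy RSAT modules; -IncidentStart is the earliest
# time the adversary is believed to have held privileged access (hypothetical default).
param([datetime]$IncidentStart = (Get-Date).AddDays(-90))
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

function Get-SuspiciousAdminSDHolderAces {
    $sdh = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$sdh"
    # Trustees that legitimately hold write-class rights on AdminSDHolder by default.
    $expected = @('SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins', 'SELF')
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($expected -contains $name) { continue }
        $rights = $ace.ActiveDirectoryRights
        # An empty ObjectType means the right applies to all properties / all extended rights;
        # attribute-scoped writes (e.g. Cert Publishers on userCertificate) are default and not flagged.
        $unscoped = ($ace.ObjectType -eq [guid]::Empty)
        $broad = $rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::GenericWrite) -or
                 $rights.HasFlag($R::WriteDacl)  -or $rights.HasFlag($R::WriteOwner)   -or
                 ($unscoped -and ($rights.HasFlag($R::WriteProperty) -or $rights.HasFlag($R::ExtendedRight)))
        if ($broad) {
            [pscustomobject]@{
                Trustee    = $ace.IdentityReference.Value
                Rights     = $rights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

function Get-GposToReview {
    # Well-known GUIDs of the two default GPOs; these are reviewed regardless of timestamp.
    $defaults = @{
        '31b2f340-016d-11d2-945f-00c04fb984f9' = 'Default Domain Policy'
        '6ac1786c-016f-11d2-945f-00c04fb984f9' = 'Default Domain Controllers Policy'
    }
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            DisplayName          = $_.DisplayName
            Id                   = $_.Id
            IsDefault            = $defaults.ContainsKey($_.Id.Guid)
            ModificationTime     = $_.ModificationTime
            ChangedSinceIncident = $_.ModificationTime -gt $IncidentStart
        }
    } | Where-Object { $_.IsDefault -or $_.ChangedSinceIncident }
}

function Get-ChangedSysvolPolicyFiles {
    # Scripts, scheduled tasks and preference files live here and are where GPO-based persistence is planted.
    $policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
    Get-ChildItem -Path $policies -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $IncidentStart } |
        Select-Object FullName, LastWriteTime
}

"== AdminSDHolder: write-class ACEs outside the expected trustee set =="
Get-SuspiciousAdminSDHolderAces | Format-Table -AutoSize
"== GPOs: default policies and anything modified since $IncidentStart =="
Get-GposToReview | Format-Table -AutoSize
"== SYSVOL policy files modified since $IncidentStart =="
Get-ChangedSysvolPolicyFiles | Format-Table -AutoSize
```

Timestamps come from the DC and are only as trustworthy as the DC; on a rebuilt domain, diff `Get-GPOReport -Guid <id> -ReportType Xml` output for each flagged GPO against a backup taken before the intrusion rather than relying on modification times alone. Any ACE the first function reports should be removed and the affected protected accounts re-checked after the next sdprop run.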
