Active Directory (AD) remediation steps when the ntds.dit file has been exfiltrated - ToddMaxey/Technical-Documentation GitHub Wiki
Part I: Single-Domain Forest Scenario
=========================================
- Overview of a Single-Domain Forest
A single-domain forest encloses all accounts, groups, and resources within one domain. An exfiltrated ntds.dit (normally taken together with the SYSTEM registry hive, whose boot key is needed to decrypt the stored secrets) gives attackers the NT hash and, where present, the Kerberos keys of every account in that domain, from standard users to Domain Administrators, as well as the KRBTGT key used to forge tickets.
- Immediate Remediation Priorities
2.1 Reset All Passwords
In a single-domain environment, you can use PowerShell to reset passwords quickly:
# Example: Reset the password for a single user account
Set-ADAccountPassword -Identity "username" -Reset -NewPassword (ConvertTo-SecureString "NewPassword123!" -AsPlainText -Force) -Unlock
# Force the user to change at next logon
Set-ADUser -Identity "username" -ChangePasswordAtLogon $true
To reset many user passwords in bulk:
- Generate a CSV file containing the target user accounts (a SamAccountName column).
- Iterate through each user in the CSV with a PowerShell script. Generate a unique random password per account; never assign one shared value to every account, since that would turn the reset itself into a new credential exposure.
# Bulk reset: one random password per account, read from users.csv
Import-Csv .\users.csv | ForEach-Object {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $_.SamAccountName -Reset -NewPassword $pw
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true
}
Note: Be sure to coordinate password changes for service accounts and computer accounts to avoid service disruptions. Computer account passwords are rotated from the member itself (Reset-ComputerMachinePassword, or Test-ComputerSecureChannel -Repair), standalone managed service accounts with Reset-ADServiceAccountPassword, and traditional service accounts must have the new password entered in every service, scheduled task, and application that uses them.
2.2 Double-Reset the KRBTGT Account (T1003.003 – OS Credential Dumping: NTDS)
Resetting the KRBTGT account twice is essential to invalidate forged Kerberos tickets such as Golden Tickets. The KDC keeps the current and the previous KRBTGT key, so after a single reset tickets forged with the stolen (now previous) key are still accepted; only the second reset pushes that key out. Wait at least the maximum user ticket lifetime (10 hours by default; the recommended practice is 10–24 hours) between the two resets, and confirm that the first reset has replicated to every writable DC before performing the second: two resets in quick succession invalidate every outstanding ticket in the domain and force all users and services to re-authenticate. The password value you supply is irrelevant, because the DC discards it and generates a strong random password of its own. If the domain has read-only DCs, their separate krbtgt_NNNNN accounts must be reset too.
# First KRBTGT reset
Get-ADUser -Identity "krbtgt" | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "NewKRBTGTPass1!" -AsPlainText -Force)
# Wait recommended interval (10–24 hours)...
# Second KRBTGT reset
Get-ADUser -Identity "krbtgt" | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "NewKRBTGTPass2!" -AsPlainText -Force)
2.3 Check & Restore Security Baselines
Attackers often modify Group Policy Objects (GPO) or manipulate ACLs to maintain persistence (T1484.001 – Group Policy Modification). Compare GPO settings, links and the GPO's own ACL to a known-good baseline or backups, and take a fresh backup of the current (possibly tampered) state first so it remains available as evidence:
# Backup all GPOs (each backup lands in a GUID-named subfolder of the path)
Backup-Gpo -All -Path "C:\GPOBackup"
# Restore a specific GPO if tampering is discovered; -Path is the backup root, Restore-Gpo
# picks the most recent backup of that GPO found there
Restore-Gpo -Name "Default Domain Policy" -Path "C:\GPOBackup"
Use dcdiag to validate domain controller health and replication:
dcdiag /c /v
2.4 Evaluate Need for Full Domain Recovery
If advanced persistence (e.g., malicious replication partnerships, schema tampering) is suspected, consider a full domain recovery from known-good backups. Microsoft’s “AD Forest Recovery Guide” details these procedures thoroughly.
2.5 Additional Hardening
- Advanced Auditing & Logging: Enable Kerberos and NTLM auditing, forward logs to a SIEM for real-time monitoring.
- Tiered Administration (T1078 – Valid Accounts): Adopt a Tier 0 model for DCs and privileged accounts to minimize the scope of a compromise.
Part II: Multiple-Domain Forest Where the Root Domain Is Exfiltrated
========================================================================
- Context of the Root Domain in a Multi-Domain Forest
The root domain holds the most privileged accounts (e.g., Enterprise Admins, Schema Admins). Exfiltration of the root domain’s ntds.dit is catastrophic, as attackers can effectively escalate to control the entire forest.
- Remediation Steps for Root Domain Compromise
2.1 Immediate Password Resets
Reset passwords for:
- Root Domain Users (especially privileged accounts).
- Service & Computer Accounts (coordinate carefully to avoid outages).
PowerShell Example
# Bulk password reset for high-privilege groups such as Domain Admins or Enterprise Admins.
# -Recursive expands nested groups; the objectClass filter keeps only user objects,
# and each account receives its own random password.
Get-ADGroupMember "Domain Admins" -Recursive | Where-Object objectClass -eq 'user' | ForEach-Object {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $_.SamAccountName -Reset -NewPassword $pw
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true
}
2.2 Double-Reset the KRBTGT in the Root Domain (T1003.003)
Identical process as in a single-domain environment but with far-reaching implications. Forged tickets from the root domain can compromise any domain.
2.3 Audit & Restore Security Configurations
- GPO Restoration: Validate all GPOs in the root domain, especially the Default Domain Policy, the Default Domain Controllers Policy, and any GPOs linked to sites (site-linked GPOs are stored in the forest root domain).
- ACL Checks: Inspect critical objects for unauthorized ACEs: the Schema and Configuration partitions (the naming contexts owned by the Schema Master and Domain Naming Master role holders), the domain head, the AdminSDHolder object, and the trustedDomain objects under the System container.
2.4 Full Forest Recovery Considerations
When the root domain is compromised, partial fixes may be insufficient because the attacker can implant hidden backdoors in replication or domain trust configurations (T1484.002 – Domain Trust Modification). Follow the Microsoft AD Forest Recovery guidelines if you see signs of deep infiltration.
2.5 Rotate Inter-Domain Trust Keys (T1484.002)
Attackers holding the root domain's secrets also hold the keys of the interdomain trust accounts, which authenticate traffic across each parent-child trust, and can use them to spoof trust communications. Reset each trust password; netdom needs credentials for both sides of the trust:
# Reset the trust password between a child domain and the root (run from a DC of either domain)
netdom trust <ChildDomainFQDN> /Domain:<RootDomainFQDN> /Reset /UserO:<child-domain admin> /PasswordO:* /UserD:<root-domain admin> /PasswordD:*
Repeat for each child domain trust. Trust passwords normally rotate on their own every 30 days, but after a compromise do not wait for the schedule; afterwards confirm that the trust account's pwdLastSet has moved.
2.6 Post-Incident Hardening
- Tiered Admin Model: Ensure Enterprise Admins and Domain Admins only log on to dedicated Privileged Access Workstations (PAWs) (T1078 – Valid Accounts).
- Robust Monitoring: Deploy advanced detection tools (e.g., Microsoft Defender for Identity, third-party EDR) forest-wide.
Part III: Multiple-Domain Forest Where a Child/Grandchild Domain NTDS.DIT Is Exfiltrated
============================================================================================
- Key Concepts: Global Catalog & Partial Attribute Sets
A child domain DC configured as a Global Catalog (GC) hosts partial replicas of the other domains in the forest: the partial attribute set, which covers attributes such as universal group memberships and UPNs. Secret attributes (password hashes, Kerberos keys) are never replicated to a GC, so the child's ntds.dit exposes other domains' directory data but not their credentials (T1592 – Gather Victim Host Information).
- Child/Grandchild Domain Remediation Steps
2.1 Comprehensive Password Resets in the Compromised Domain
If the child domain’s ntds.dit is exfiltrated (T1003.003), all child-domain user, service, and computer accounts must be reset.
# Resetting all user passwords in a specific OU of the child domain. -Server targets a child
# DC so the script also works when run from the forest root; each account gets its own random password.
$childDC = "ChildDomainController.child.example.com"
Get-ADUser -Filter * -SearchBase "OU=ChildDomainUsers,DC=child,DC=example,DC=com" -Server $childDC |
ForEach-Object {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    Set-ADAccountPassword -Identity $_.SamAccountName -Server $childDC `
        -Reset `
        -NewPassword (ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)
    Set-ADUser -Identity $_.SamAccountName -Server $childDC -ChangePasswordAtLogon $true
}
2.2 Double-Reset KRBTGT in the Child Domain
Same procedure as above, but ensure you do this on the child domain:
# Replace child domain controller FQDN or specify child domain context
Get-ADUser -Identity "krbtgt" -Server "ChildDomainController.child.example.com" `
| Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "ChildKRBTGT1!" -AsPlainText -Force)
# Wait 10–24 hours...
Get-ADUser -Identity "krbtgt" -Server "ChildDomainController.child.example.com" `
| Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString "ChildKRBTGT2!" -AsPlainText -Force)
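The double reset described here and in the single-domain section depends on the first reset having replicated to every writable DC before the second one runs. The following added example (not part of the original page) performs one KRBTGT reset for a given domain, forces replication, and reports per-DC whether the new key has arrived. It assumes the ActiveDirectory module, Domain Admin rights in the target domain, and repadmin.exe from RSAT; the domain name is a placeholder.

```powershell
# Added example (not from the original page): reset KRBTGT once and verify convergence.
Import-Module ActiveDirectory

function Reset-KrbtgtOnce {
    param([Parameter(Mandatory)][string]$Domain)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    # Supply a random value; the DC replaces whatever is given for krbtgt with its own random password.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity 'krbtgt' -Reset -NewPassword $pw -Server $pdc
    # Return the new pwdLastSet stamp as seen on the PDC emulator; every other writable DC must show the same value.
    (Get-ADUser -Identity 'krbtgt' -Properties pwdLastSet -Server $pdc).pwdLastSet
}

function Get-KrbtgtReplicationState {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][long]$ExpectedPwdLastSet)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # RODCs hold their own krbtgt_NNNNN accounts and never receive the real krbtgt secret.
        if ($dc.IsReadOnly) { continue }
        try {
            $seen = (Get-ADUser -Identity 'krbtgt' -Properties pwdLastSet -Server $dc.HostName).pwdLastSet
            $converged = ($seen -eq $ExpectedPwdLastSet)
        } catch {
            $seen = $null; $converged = $false   # an unreachable DC counts as not converged
        }
        [pscustomobject]@{ DC = $dc.HostName; PwdLastSet = $seen; Converged = $converged }
    }
}

# First reset, then push replication from the PDC instead of waiting for the schedule, then verify.
$domain = 'child.example.com'   # placeholder
$stamp  = Reset-KrbtgtOnce -Domain $domain
$pdc    = (Get-ADDomain -Identity $domain).PDCEmulator
repadmin /syncall $pdc /AdeP | Out-Null
$state  = Get-KrbtgtReplicationState -Domain $domain -ExpectedPwdLastSet $stamp
$state | Format-Table -AutoSize
if ($state.Converged -contains $false) {
    Write-Warning 'Not every writable DC has the new krbtgt key yet; do not run the second reset until all show Converged = True.'
} else {
    Write-Host "krbtgt key replicated to all writable DCs in $domain. Run the second reset after the ticket lifetime has passed (10-24 h)."
}
```

Run it once for the first reset, wait the interval, and run it again for the second reset; the convergence check is what tells you the interval may start, because a second reset issued before the first has replicated can leave some DCs two keys behind.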
2.3 Check & Restore Policies/ACLs (T1484.001 – Group Policy Modification)
Attackers may have altered GPOs or ACLs for persistence:
# Example: Export a specific GPO's settings for comparison; -Domain targets the child domain explicitly
Get-GPOReport -Name "Child Domain Workstation Policy" -Domain "child.example.com" -ReportType Xml -Path ".\ChildDomainReport.xml"
Compare the resulting XML to a stored, known-good baseline.
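The GroupPolicy module has no cmdlet that diffs a GPO against a saved report, so the comparison asked for here (and in the single-domain GPO baseline step) has to be scripted. The added example below (not code from the original page) snapshots every GPO's XML report into a baseline folder and later reports which GPOs are new, changed, or deleted relative to it. It assumes the GroupPolicy and ActiveDirectory modules; the baseline path and domain name are placeholders.

```powershell
# Added example (not from the original page): baseline and diff GPO XML reports.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-NormalizedGpoReport {
    param([Parameter(Mandatory)][guid]$Guid, [Parameter(Mandatory)][string]$Domain)
    # <ReadTime> is the report generation time and changes every run; strip it so only
    # real setting, link, filter and ACL differences remain.
    $xml = Get-GPOReport -Guid $Guid -Domain $Domain -ReportType Xml
    (($xml -replace '<ReadTime>[^<]*</ReadTime>', '') -replace "`r`n", "`n").TrimEnd()
}

function Save-GpoBaseline {
    param([Parameter(Mandatory)][string]$Path, [string]$Domain = (Get-ADDomain).DNSRoot)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $report = Get-NormalizedGpoReport -Guid $gpo.Id -Domain $Domain
        Set-Content -Path (Join-Path $Path "$($gpo.Id).xml") -Value $report -Encoding UTF8
    }
}

function Compare-GpoBaseline {
    param([Parameter(Mandatory)][string]$Path, [string]$Domain = (Get-ADDomain).DNSRoot)
    $live    = Get-GPO -All -Domain $Domain
    $liveIds = @($live | ForEach-Object { $_.Id.ToString() })
    foreach ($gpo in $live) {
        $file = Join-Path $Path "$($gpo.Id).xml"
        if (-not (Test-Path $file)) {
            $status = 'NEW'          # created since the baseline was taken
        } else {
            $baseline = ((Get-Content -Path $file -Raw) -replace "`r`n", "`n").TrimEnd()
            $current  = Get-NormalizedGpoReport -Guid $gpo.Id -Domain $Domain
            $status   = if ($baseline -eq $current) { 'match' } else { 'CHANGED' }
        }
        [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; Status = $status; Modified = $gpo.ModificationTime }
    }
    # GPOs present in the baseline but gone from the domain (deleted since the snapshot)
    foreach ($file in Get-ChildItem -Path $Path -Filter '*.xml') {
        if ($liveIds -notcontains $file.BaseName) {
            [pscustomobject]@{ Name = '(deleted)'; Id = $file.BaseName; Status = 'DELETED'; Modified = $null }
        }
    }
}

# Take the baseline while the domain is in a known-good state:
#   Save-GpoBaseline -Path 'C:\GPOBaseline' -Domain 'child.example.com'
# During the incident, list everything that differs from it:
Compare-GpoBaseline -Path 'C:\GPOBaseline' -Domain 'child.example.com' |
    Where-Object Status -ne 'match' | Format-Table -AutoSize
```

For a GPO reported as CHANGED, diff the saved file against a fresh Get-GPOReport output to see the exact setting; the ModificationTime column narrows down when the change happened, which is worth correlating with the suspected exfiltration window.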
2.4 Containment and Forensics
- Isolate Compromised DCs: Remove them from the network or power them down for forensic imaging.
- Collect Logs and Memory Images: These may reveal pass-the-hash or overpass-the-hash use of the stolen hashes (T1078 – Valid Accounts) or malicious replication requests, i.e. DCSync-style pulls of directory secrets by accounts that are not domain controllers.
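One concrete check for the "malicious replication requests" mentioned above: a replication pull shows up in the Security log as event 4662 carrying the DS-Replication-Get-Changes control-access rights, and any requester that is not a DC machine account is suspect. The following added example (not from the original page) hunts for that pattern in a live Security log or in an .evtx exported from an isolated DC. It assumes "Audit Directory Service Access" is enabled and that a SACL on the domain object covers these rights (otherwise no 4662 is written); the .evtx path is a placeholder. The three GUIDs are the well-known control-access right identifiers.

```powershell
# Added example (not from the original page): find DCSync-style replication requests in event 4662.
Import-Module ActiveDirectory

$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Find-SuspiciousReplicationRequests {
    param(
        [string]$EvtxPath,                                    # exported log; omit to read the live Security log
        [string[]]$KnownDCs = @((Get-ADDomainController -Filter *).Name)   # pass explicitly when offline
    )
    $filter = @{ Id = 4662 }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull the EventData fields out of the event XML into a name -> value table
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # The Properties field lists the control-access right GUIDs that were exercised
        $rights = @($ReplicationRights.Keys | Where-Object { $d['Properties'] -match $_ })
        if (-not $rights) { continue }
        $subject = [string]$d['SubjectUserName']
        # DC machine accounts legitimately replicate; anything else requesting these rights is suspect.
        $isDC = $subject.EndsWith('$') -and ($KnownDCs -contains $subject.TrimEnd('$'))
        if ($isDC) { continue }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Subject  = "$($d['SubjectDomainName'])\$subject"
            Rights   = ($rights | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            Object   = $d['ObjectName']
            Computer = $e.MachineName
        }
    }
}

# Placeholder path: Security log exported from the isolated DC with wevtutil or Event Viewer
Find-SuspiciousReplicationRequests -EvtxPath 'C:\IR\dc01-security.evtx' | Format-Table -AutoSize
```

Legitimate non-DC requesters do exist (for example Azure AD Connect's synchronization account with password hash sync enabled), so treat the output as a lead list to be matched against known service accounts rather than as proof on its own.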
2.5 Review Administrative Boundaries
- Confirm that child-domain admins do not have unwarranted privileges in the root or sibling domains.
- Investigate logons of Enterprise Admins to child-domain DCs. If discovered, that may broaden the scope to a forest-wide compromise.
2.6 Evaluate the Potential for Lateral Movement
- Attackers might leverage compromised child-domain accounts if they are also part of universal or forest-wide groups (T1592 – Gather Victim Host Information for group memberships).
- Plan on the basis that the forest, not the domain, is the security boundary: SID filtering is not enforced on parent-child trusts by default, so a Golden Ticket forged with the child domain's KRBTGT key can carry SIDs from the root domain (Enterprise Admins included) in its SID history. Until the child KRBTGT double reset is complete, treat the child compromise as a potential forest compromise.
- Monitor lateral movement attempts with advanced SIEM correlation rules.
2.7 Inter-Domain Trust Key Rotation (T1484.002 – Domain Trust Modification)
The child domain's ntds.dit holds the interdomain trust account for the parent trust (a user object named after the parent's NetBIOS name with a trailing $), so the current trust key is exposed outright rather than merely at risk. Reset the trust with netdom trust /Reset as shown in the root domain scenario (the .NET Domain.UpdateTrustRelationship method does the same from PowerShell), and verify afterwards that the trust account's pwdLastSet has moved.
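To see which trusts exist, whether SID filtering is in force on them, and whether a reset actually rotated the key, the trust account's pwdLastSet is the thing to read. The added example below (not code from the original page) inventories the trusts of a domain with that information and prints the netdom command for each, for use after both the root domain step and this one. It assumes the ActiveDirectory module and Domain Admin rights; the domain name is a placeholder, and the netdom credential placeholders must be filled in before running.

```powershell
# Added example (not from the original page): trust inventory with trust-key age.
Import-Module ActiveDirectory

function Get-TrustKeyState {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($t in Get-ADTrust -Filter * -Server $Domain -Properties flatName) {
        # Each trust is backed by an interdomain trust account named <partner NetBIOS>$ with
        # the INTERDOMAIN_TRUST_ACCOUNT bit (0x800 = 2048) set in userAccountControl.
        $ldap = "(&(sAMAccountName=$($t.flatName)$)(userAccountControl:1.2.840.113556.1.4.803:=2048))"
        $acct = Get-ADObject -Server $Domain -LDAPFilter $ldap -Properties pwdLastSet
        [pscustomobject]@{
            Partner                 = $t.Name
            Direction               = $t.Direction
            IntraForest             = $t.IntraForest
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined   # False on parent-child trusts by default
            KeyLastSet              = if ($acct) { [datetime]::FromFileTimeUtc([long]$acct.pwdLastSet) } else { $null }
        }
    }
}

function Get-TrustResetCommand {
    # Emits the netdom reset command for every trust of the domain; review, fill in the
    # credential placeholders, and run each from a DC with rights in both domains.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($t in Get-ADTrust -Filter * -Server $Domain) {
        "netdom trust $Domain /Domain:$($t.Name) /Reset /UserO:<$Domain admin> /PasswordO:* /UserD:<$($t.Name) admin> /PasswordD:*"
    }
}

$domain = 'child.example.com'   # placeholder
Get-TrustKeyState -Domain $domain | Format-Table -AutoSize
Get-TrustResetCommand -Domain $domain
# After running the resets, call Get-TrustKeyState again: KeyLastSet must be later than the
# exfiltration time for every trust, otherwise that trust still uses the key the attacker holds.
```

A KeyLastSet older than the exfiltration window after you believe the reset ran means the netdom command failed or targeted the wrong side; re-run it rather than assuming the automatic 30-day rotation will take care of it.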
Best Practices Spanning All Scenarios
- Tiered Administration & Privileged Access Management (PAM)
  - Keep domain controllers (Tier 0) isolated; never use domain admin accounts for everyday tasks.
  - Implement JIT (Just-In-Time) and JEA (Just-Enough Administration) to shrink the window of vulnerability (T1078 – Valid Accounts).
- Double-Reset KRBTGT (Universal Step for Domain Compromises)
  - Perform two resets of the KRBTGT account for each compromised domain, waiting 10–24 hours between resets and confirming replication of the first reset before the second.
- Comprehensive Logging & Continuous Monitoring
  - Forward AD logs, DNS logs, Directory Service logs, and security logs to a SIEM.
  - Enable advanced audit subcategories: Audit Kerberos Service Ticket Operations, Audit Sensitive Privilege Use, Audit Directory Service Access, etc.
- Periodic AD Health Checks
  - Use dcdiag /c /v and repadmin /replsummary to verify DC and replication health.
  - Perform routine GPO baseline comparisons (Backup-GPO plus diffs of Get-GPOReport output, or third-party tools; the GroupPolicy module has no Compare-GPO cmdlet).
- Security Baseline Enforcement
  - Deploy reputable baselines (e.g., Microsoft Security Compliance Toolkit).
  - Mandate MFA for all privileged accounts, possibly restricting domain admins to a small set of Privileged Access Workstations (PAWs).
- Incident Response Drills
  - Conduct domain or forest recovery tabletop exercises.
  - Document roles, responsibilities, and escalation paths for prompt communication.
- Collaboration & Organizational Awareness
  - Particularly crucial in multi-domain forests with partial administrative autonomy.
  - Share threat intelligence, suspicious logs, or IR findings promptly.
TL;DR
=========
- Single-Domain Forest
  - All credentials are compromised if the ntds.dit is stolen.
  - Reset all user, service, and computer passwords, double-reset KRBTGT (T1003.003), and verify GPO/ACL integrity.
  - Consider a full domain recovery if you suspect deep infiltration.
- Multi-Domain Forest, Root Domain Exfiltrated
  - This is often catastrophic because the root domain controls the entire forest.
  - Reset root domain credentials, double-reset KRBTGT, check/restore GPOs, and rotate inter-domain trust keys (T1484.002).
  - A full forest recovery may be necessary if attackers have manipulated schema or replication pathways.
- Multi-Domain Forest, Child Domain Exfiltrated
  - The compromised child domain’s ntds.dit contains that domain’s password hashes but not other domains’ hashes; partial forest data such as group memberships and UPNs is exposed through the Global Catalog (T1592).
  - Reset the child domain’s passwords, double-reset KRBTGT, audit GPO/ACL changes, reset the parent trust, and watch for lateral movement (T1078).
  - If child-domain compromise hints at root-level infiltration (e.g., stolen Enterprise Admin tokens, or forged tickets carrying root-domain SIDs), escalate to a full forest remediation plan.
- Commands & Examples
  - Use PowerShell Set-ADAccountPassword, Set-ADUser, and Get-ADUser to reset credentials.
  - Rotate trust keys with netdom trust /Reset.
  - Back up and restore GPOs with Backup-Gpo and Restore-Gpo.
  - Validate AD health with dcdiag and repadmin.
- Universal Best Practices
  - Tiered Administration & PAM (T1078 – Valid Accounts).
  - Comprehensive Logging & SIEM correlation.
  - Periodic audits of AD replication, GPOs, and trust relationships.
By following these commands, strategies, and best practices—and by meticulously double-checking every configuration—you greatly reduce the risk of attacker persistence and forest-wide compromise after the theft of your ntds.dit file.