Disclaimer: this is not my work; it is reproduced from an article posted to Peerlyst. The original work, which provides more detail, is here and was created by @rootsecdev.

If an attacker made it into your Active Directory environment and obtained a golden ticket, there is a specific set of steps you need to take to make sure you've cleaned out the adversary:
  1. Disconnect the affected networks. Entirely.
  2. Remediate any persistence mechanisms left behind.
  3. Reset the passwords of ALL highly privileged accounts.
  4. Reset the passwords of all VPN access credentials (plus any other remote access you may have).
  5. Change the krbtgt hash using https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51. Run its options in order: first option 1, then option 2, and then option 3 (https://cdn-images-1.medium.com/max/1000/1*Gk48jksjPuThTrPnJNHW-w.png).
  6. Wait a minimum of 10 hours.
  7. Change the krbtgt hash again using https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51. Run its options in the same order: first option 1, then option 2, and then option 3 (https://cdn-images-1.medium.com/max/1000/1*Gk48jksjPuThTrPnJNHW-w.png).
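
A read-only check to run before step 7, confirming that the first krbtgt reset has reached every writable domain controller and that the 10-hour wait from step 6 has elapsed. This is an added example, not code from the original article or from the linked reset script; it assumes the RSAT ActiveDirectory module and read access to each domain controller, and the function name `Test-KrbtgtSecondResetReady` is hypothetical.

```powershell
# Added example: read-only pre-check before the SECOND krbtgt reset (step 7).
# Assumes the RSAT ActiveDirectory module; Test-KrbtgtSecondResetReady is a
# hypothetical helper name, not part of the linked reset script.
Import-Module ActiveDirectory

function Test-KrbtgtSecondResetReady {
    param([int]$MinWaitHours = 10)   # minimum wait from step 6

    $pdc    = (Get-ADDomain).PDCEmulator
    $krbtgt = Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet
    $age    = ((Get-Date) - $krbtgt.PasswordLastSet).TotalHours

    # Ask each writable DC which version of pwdLastSet it holds for krbtgt.
    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $perDc = foreach ($dc in $dcs) {
        try {
            $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
                        -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
            [pscustomobject]@{
                DC = $dc.HostName; Reachable = $true
                Version = $meta.Version; Changed = $meta.LastOriginatingChangeTime
            }
        } catch {
            # An unreachable DC may still hold the old key: treat as not ready.
            [pscustomobject]@{ DC = $dc.HostName; Reachable = $false; Version = $null; Changed = $null }
        }
    }

    # Replicated only if every DC answered and all report the same version.
    $versions   = @($perDc | Where-Object Reachable | Select-Object -ExpandProperty Version -Unique)
    $replicated = (@($perDc | Where-Object { -not $_.Reachable }).Count -eq 0) -and ($versions.Count -eq 1)

    [pscustomobject]@{
        PasswordLastSet = $krbtgt.PasswordLastSet
        HoursSinceReset = [math]::Round($age, 1)
        WaitSatisfied   = $age -ge $MinWaitHours
        Replicated      = $replicated
        ReadyForReset2  = ($age -ge $MinWaitHours) -and $replicated
        PerDC           = $perDc
    }
}

$result = Test-KrbtgtSecondResetReady
$result | Format-List PasswordLastSet, HoursSinceReset, WaitSatisfied, Replicated, ReadyForReset2
$result.PerDC | Format-Table DC, Reachable, Version, Changed
```

Running the same check again after step 7 should show `PasswordLastSet` updated and a higher `Version` on every domain controller.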