atomic-threat-coverage/response_actions/RA_0011_eradication_revoke_compromised_credentials.yml
2019-02-06 01:44:48 +01:00


title: RA_0011_eradication_revoke_compromised_credentials
stage: eradication
author: Daniil Yugoslavskiy
creation_date: 31.01.2019
references:
  - https://adsecurity.org/?p=556
  - https://adsecurity.org/?p=483
description: >
  Response Action for revocation of compromised credentials.
workflow: |
  At this step you are supposed to know what kind of credentials have been compromised.
  You need to revoke them in the Identity and Access Management system where they were created (e.g., Windows AD) using its native functionality.
  Warning:
  - If the adversary has generated a Golden Ticket in the Windows domain/forest, you have to reset the KRBTGT account password **twice** for each domain in the forest and keep monitoring for malicious activity for the next 20 minutes (the Domain Controller KDC service does not validate the user account until the TGT is older than 20 minutes).
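The double KRBTGT reset described in the warning above, as an added PowerShell example that is not part of the atomic-threat-coverage project. It assumes the ActiveDirectory module is available, that the shell runs with Domain Admin rights in the target domain, and it waits for the new password to replicate to every DC before performing the second reset so that the second reset does not outrun replication.

```powershell
# Added example (not project code): reset the krbtgt password twice, confirming
# replication to all domain controllers between the two resets.
Import-Module ActiveDirectory

function Reset-KrbtgtOnce {
    param([string]$PdcEmulator)
    # The krbtgt password is never typed by anyone, so a long random value is fine.
    $chars = [char[]](33..126)
    $plain = -join ((1..64) | ForEach-Object { $chars | Get-Random })
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure -Server $PdcEmulator
    # Return pwdLastSet so the caller can check that every DC has received this change.
    (Get-ADUser krbtgt -Properties pwdLastSet -Server $PdcEmulator).pwdLastSet
}

function Wait-KrbtgtReplication {
    param([string]$Domain, [long]$ExpectedPwdLastSet, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName
    do {
        $behind = @()
        foreach ($dc in $dcs) {
            $v = (Get-ADUser krbtgt -Properties pwdLastSet -Server $dc).pwdLastSet
            if ($v -ne $ExpectedPwdLastSet) { $behind += $dc }
        }
        if ($behind.Count -eq 0) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "krbtgt password has not replicated to: $($behind -join ', ')"
}

$adDomain = Get-ADDomain
$first = Reset-KrbtgtOnce -PdcEmulator $adDomain.PDCEmulator
Wait-KrbtgtReplication -Domain $adDomain.DNSRoot -ExpectedPwdLastSet $first
# The second reset is the one that pushes the attacker-known key out of the
# current/previous key pair the KDC still accepts.
$second = Reset-KrbtgtOnce -PdcEmulator $adDomain.PDCEmulator
Wait-KrbtgtReplication -Domain $adDomain.DNSRoot -ExpectedPwdLastSet $second
Write-Host "krbtgt reset twice in $($adDomain.DNSRoot); keep monitoring Kerberos activity for at least 20 minutes."
```

Run it once per domain in the forest; every host with a cached TGT will re-authenticate after the second reset, so plan the window accordingly.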