
Compromised Active Directory Forensics
By the HD Doctor Technical Team
Direct answer
When AD is compromised, the critical question is: did the attacker obtain a golden ticket (total control via KRBTGT)? Correct forensics answers this and determines if 2× KRBTGT reset solves or if full domain rebuild is required.
Why AD forensics differs from other systems
Active Directory has 2 compromise levels. Level 1 (silver ticket): attacker extracted service account hash — affects that service. Level 2 (golden ticket): attacker extracted KRBTGT hash — can forge valid TGT for any user, indefinitely, undetected by most EDRs. Forensics must identify which level was reached. Golden ticket requires rebuild; silver can be remediated.
Mistakes that invalidate AD forensics
- 1.Reboot DC before memory capture. RAM evidence is lost on reboot. Capture first.
- 2.Reset KRBTGT before collecting evidence. Reset destroys part of forensic history. Collect first, reset later.
- 3.Trust only EDR without native AD logs. EDR may be disabled on DCs (advanced attacker does this). Native Security Event logs are source of truth.
- 4.Not check AD recycle bin. Attackers delete audit accounts and recreate them. Recycle bin (if enabled) preserves the record.
6 critical evidences to collect
- 1
Security Event logs of primary DC
Events 4768 (TGT request), 4769 (TGS request), 4624 (logon), 4672 (special privileges). Look for: non-standard lifetime TGT, TGS for unusual services, new accounts with elevated privilege.
- 2
Memory dump of DCs
Procdump on lsass.exe (or full crash dump). Analysis reveals running Mimikatz, golden ticket being generated, or active DCSync. RAM evidence is volatile — capture before reboot.
- 3
EDR + Sysmon logs
Process creation events lsadump::dcsync (explicit DCSync), comhijack for persistence, mimikatz.exe or obfuscated variants (Invoke-Mimikatz in PowerShell).
- 4
AD schema change audit
Changes in AdminSDHolder, creation of new OUs with delegated permission, Group Policy modification. Advanced attacker leaves persistence via GPO.
- 5
KRBTGT account analysis
KRBTGT 'pwdLastSet' attribute. If different from initial domain installation AND you did no planned reset, indicates DCSync. Check history via 'msDS-KeyVersionNumber'.
- 6
Timeline correlating all logs
Use Plaso or Splunk to build single timeline. Identify initial entry moment, escalation to domain admin, DCSync moment (if occurred).
FAQ
How to know if golden ticket was generated?
Signs: (1) event 4769 with TGS for nonexistent account; (2) event 4768 with ticket lifetime > 10h (AD default is 10h); (3) DCSync detected in logs or EDR; (4) KRBTGT hash accessed via SAM dump. If any confirmed: treat as existing golden ticket.
Does 2× KRBTGT reset solve golden ticket?
Yes, if executed correctly. 1× reset invalidates active tickets (including golden); 2× with 10-24h interval ensures cached tickets also stop working. Without 2× consecutive, attacker can renew valid ticket during the window.
When is full rebuild necessary?
When golden ticket was obtained AND there was persistence via AD schema change (malicious GPO, modified AdminSDHolder, accounts with tampered sIDHistory). These controls are not reverted by KRBTGT reset.
What tools does AD forensics use?
Paid: Velociraptor, Velocidex, Plaso. Open source: ADRecon (snapshot), BloodHound (path analysis), Sigma rules in SIEM. PowerShell DSInternals for offline NTDS.dit analysis.
How long does AD forensics take?
Initial capture: 4-8h. Full analysis: 3-7 business days. Report with timeline and recommendations: +2-3 days. Total: ~10-14 days for full corporate forensics.
Active Directory compromised?
Microsoft engineers within 6h. Documented chain of custody for judicial use.