A security incident in the Active Directory is one of the most critical events in an IT environment. Since Active Directory is the central trust system for users, systems, and applications, it is not sufficient to just lock individual accounts or change passwords selectively after a compromise. In general, it must be assumed that attackers have gained extensive rights and left possible persistence mechanisms behind.
This post is aimed at IT administrators and describes the necessary actions after an Active Directory incident to regain control over the environment and restore trust in the identity infrastructure. The focus is on a structured emergency checklist – from forensics to credential resets to cloud and certificate infrastructures.
Checklist: Actions after an Active Directory Security Incident
1. Secure Initial State (Forensics)
- Preserve a backup of all domain controllers from before the known time of attack (System State / VHD)
- Create a backup of the current state at the time of discovery
- Keep backups in a write-protected, unaltered state
- Check and restrict access to backup storage
2. Reset access credentials completely
- Reset all user passwords (recommended: twice)
- Reset all administrator passwords
- Change all service account passwords
- Reset all computer and domain controller machine accounts
- Reset KRBTGT account twice (wait for replication between resets)
- Check if automatic machine password changes have been disabled
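As an added example (not from the original post), the PowerShell below performs one KRBTGT reset on the PDC emulator and then verifies, by comparing the replicated pwdLastSet attribute on every writable domain controller, that the change has converged before the second reset is run. It assumes the ActiveDirectory module is available and the caller holds Domain Admin rights.

```powershell
# Added example: one KRBTGT reset followed by a replication convergence check.
# Run it twice, with the wait between runs, to complete the "reset twice" step.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 64 random bytes, base64-encoded; the DC stores its own derived key material,
    # so the literal value is never reused anywhere.
    param([int]$Length = 64)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Reset-KrbtgtOnce {
    # Reset on the PDC emulator and return the new pwdLastSet value as the
    # marker that other DCs must match once replication has caught up.
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure -Server $Server
    return (Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $Server).pwdLastSet
}

function Get-KrbtgtPendingDCs {
    # Writable DCs whose copy of krbtgt does not yet carry the new pwdLastSet.
    # RODCs use their own krbtgt_<id> accounts and are excluded on purpose.
    param([long]$ExpectedPwdLastSet)
    $pending = @()
    foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        $val = (Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $dc.HostName).pwdLastSet
        if ($val -ne $ExpectedPwdLastSet) { $pending += $dc.HostName }
    }
    return $pending
}

# First reset, then poll until every writable DC reports the new pwdLastSet.
$stamp = Reset-KrbtgtOnce
do {
    Start-Sleep -Seconds 60
    $pending = Get-KrbtgtPendingDCs -ExpectedPwdLastSet $stamp
    Write-Host ("DCs not yet converged: {0}" -f $pending.Count)
} while ($pending.Count -gt 0)
Write-Host "krbtgt reset replicated to all writable DCs (pwdLastSet = $stamp)."
# Run the script a second time only after convergence; waiting at least the
# maximum ticket lifetime (10 hours by default) before the second reset keeps
# tickets issued under the previous key from failing prematurely.
```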
3. Check AD objects and persistence mechanisms
- Check AdminSDHolder Permissions
- Reset and retrieve LAPS passwords for all systems
- Check scheduled tasks on servers and clients
- Check WMI Event Filters and associated scripts
- Check autostart entries and relevant registry keys
- Check accessibility tools (e.g. utilman.exe, sethc.exe) for tampering
- Check printers, printer drivers, and print servers
- Compare all findings across all domain controllers
4. Secure certificate and identity infrastructure
- AD CS: revoke relevant certificates and reissue
- Check all certificates issued since the incident
- Review certificate templates and their permissions
- Check NTAuth certificates
- ADFS: rotate token-signing and token-decrypting certificates
- Entra ID: check app registrations
- Entra ID: check privileged roles and permissions
- Change Entra Connect passwords and check its configuration
5. Check Cloud and Email Environment
- Invalidate all user refresh tokens
- Check Conditional Access Policies
- Review Azure audit and sign-in logs
- Exchange Online:
  - Check inbox rules
  - Check e-mail forwarding
  - Check mailbox permissions and delegations
6. Deep Analysis and Incident Hunting
- Analyze running processes on all Tier-0 systems
- Evaluate security and event logs of the domain controllers
- Perform IOC scans (e.g. LOKI, THOR, or equivalent)
- Optional: Analyze Network Traffic (Port Mirroring)
- Check SCCM / RMM / deployment systems:
  - Task sequences
  - Scripts
  - Packages
7. Conclusion and Prevention
- Fully document incident
- Capture Lessons Learned
- Check and, if necessary, refine tier model (Tier 0-2)
- Update emergency and recovery processes
- Schedule regular incident recovery tests
- Check and expand monitoring and alerting