"I have identified a series of strategic actions that can be effectively employed across diverse incident scenarios, after an attack or while investigating one."
Auditing all AD accounts, especially any administrative or Domain Admin accounts; checking for new additions and removing any unrecognized or stale accounts (specifically check things like scanning accounts or any other service accounts).
Checking for startup items, registry entries, scheduled tasks or WMI objects that may have been added to achieve persistence.
Checking the path "\Device\HarddiskVolume*\Windows\System32\" and deleting anything suspicious.
Resetting the passwords of all AD users and also resetting the Kerberos service account, krbtgt; make sure to reset it twice. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password
Auditing all firewalls and ensuring there are no rules allowing RDP (3389 by default) or other remote access from the internet.
Checking firewalls as well for non-standard remote-access ports being allowed, and ensuring these are not internet facing if at all possible.
Auditing accounts with administrative permissions and ensuring they are limited to the least privilege needed to perform the required functionality.
Requesting clients to run the Autoruns tool from Microsoft (Sysinternals) and verifying there is nothing suspicious in the startup items, scheduled tasks, or WMI objects: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Verifying the integrity of OS files using the command "sfc /scannow".
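As an added example that is not part of the original post, the following read-only PowerShell triage covers the checklist's AD-account, krbtgt, persistence and host-firewall items in one pass, so the findings can be reviewed before anything is removed or reset. It assumes the RSAT ActiveDirectory module, an elevated session on a domain-joined host, and illustrative lookback windows of 7 days for "new" and 90 days for "stale".

```powershell
# Added example, not from the original post: read-only triage of the checklist items.
# Assumes the RSAT ActiveDirectory module, an elevated session on a domain-joined host,
# and illustrative lookback windows (7 days for "new", 90 days for "stale").
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-7)
$stale = (Get-Date).AddDays(-90)

# Privileged group membership (recursive, so nested groups are expanded)
foreach ($g in 'Domain Admins','Enterprise Admins','Schema Admins','Administrators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{n='Group';e={$g}}, SamAccountName, objectClass
}
# Recently created accounts, and enabled accounts that have not logged on in 90 days
Get-ADUser -Filter {whenCreated -ge $since} -Properties whenCreated |
    Select-Object SamAccountName, whenCreated
Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate |
    Where-Object { $_.LastLogonDate -lt $stale } | Select-Object SamAccountName, LastLogonDate
# krbtgt: confirm when it was last reset (the post says to reset it twice)
Get-ADUser krbtgt -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet

# Persistence: Run/RunOnce keys, recently registered scheduled tasks, WMI subscriptions
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) { Get-ItemProperty -Path $k | Select-Object * -ExcludeProperty PS* }
}
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -ge $since } |
    Select-Object TaskName, TaskPath, Date, @{n='Run';e={$_.Actions.Execute -join ' '}}
# Querying the abstract __EventConsumer returns every concrete consumer (CommandLine, ActiveScript, ...)
foreach ($c in '__EventFilter','__EventConsumer','__FilterToConsumerBinding') {
    Get-CimInstance -Namespace root/subscription -ClassName $c |
        Select-Object @{n='Class';e={$c}}, Name, Query, CommandLineTemplate, Filter, Consumer
}

# Host firewall: enabled inbound allow rules exposing RDP (3389) or any port on the public profile.
# Perimeter firewalls must be reviewed separately; this only covers the local Windows firewall.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -match 'Public|Any' } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; Port = $pf.LocalPort }
    } | Where-Object { $_.Port -contains '3389' -or $_.Port -contains 'Any' }
```

Each section only lists what it finds; removing accounts, tasks or rules stays a deliberate follow-up step once the output has been reviewed against a known-good baseline.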
Akash Patel