Post-Compromise AD Recovery: The Eviction Playbook Nobody Gives You

Every AD compromise I work follows a predictable pattern in the first 48 hours. The attacker has domain admin. They have been in the environment for days, sometimes weeks. The client wants them out immediately. And the decisions made in those first two days determine whether the eviction sticks or whether the attacker comes back through a persistence mechanism nobody thought to check.

This is the playbook I follow. Not the sanitized vendor version. The actual sequence of decisions, in order, with the reasoning behind each one.

Before You Touch Anything: Preserve Evidence

The instinct is to start resetting passwords immediately. Resist it. Every action you take in the first hour either preserves or destroys forensic evidence. Before changing a single credential:

Capture volatile memory on compromised systems. Once you reboot, it is gone. Use tools like Magnet RAM Capture or WinPmem.
Pull Security event logs from all DCs before they roll over. Export 4624, 4625, 4672, 4768, 4769, 4776 at minimum.
Snapshot the AD database. Take a system state backup of at least one DC so you have a point-in-time reference of current ACLs, group memberships, and GPOs.
Run SharpHound. Capture the current attack path state so you can compare it against post-remediation.

Do not power off compromised machines. You will lose volatile memory, running processes, and network connections. Isolate them from the network instead. Disable the NIC or quarantine the VLAN.

Step 1: Identify What Was Compromised

Before you can evict, you need to know the scope. The attacker may have compromised more than what triggered the incident. Start with:

# Find recent privileged logons across all DCs
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4672} -MaxEvents 1000 |
  Select TimeCreated, @{N='User';E={$_.Properties[1].Value}},
    @{N='LogonID';E={$_.Properties[3].Value}} |
  Where-Object { $_.User -notmatch 'SYSTEM|LOCAL SERVICE|NETWORK SERVICE' } |
  Sort TimeCreated -Descending

# Cross-reference with Kerberos TGT requests
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4768} -MaxEvents 5000 |
  Where-Object { $_.Properties[0].Value -match 'admin|svc|service' } |
  Select TimeCreated, @{N='User';E={$_.Properties[0].Value}},
    @{N='IP';E={$_.Properties[9].Value}}

Map every account the attacker touched. Every machine they logged into. Every service account they may have Kerberoasted. This becomes your remediation scope.

Step 2: Check for Persistence Before Resetting Credentials

This is the step most guides skip and the reason most evictions fail. If the attacker planted persistence mechanisms and you reset passwords without removing them first, they just come back.

Check for these in order of severity:

Golden Ticket capability: If the attacker has the KRBTGT hash, they can forge TGTs indefinitely. Check Event ID 4769 for TGS requests with abnormally long ticket lifetimes (default max is 10 hours, golden tickets often use 10+ years).
DCSync backdoor ACLs: Check if unauthorized principals have Replicating Directory Changes / Replicating Directory Changes All rights on the domain root. This is how attackers maintain DCSync access without being in Domain Admins.
AdminSDHolder ACL modifications: If the attacker modified AdminSDHolder, their permissions get re-applied to all protected accounts every 60 minutes by SDProp, even after you remove them from groups.
Rogue GPOs: Check for GPOs that deploy scheduled tasks, startup scripts, or modify security settings on DCs.
Skeleton Key: Check if the LSASS process on DCs has been patched in memory. A skeleton key allows authentication with any password.
Rogue admin accounts: Check for newly created accounts in privileged groups or accounts with AdminCount=1 that should not have it.

# Check for unauthorized DCSync rights
$domain = (Get-ADDomain).DistinguishedName
$acl = Get-Acl "AD:\$domain"
$acl.Access | Where-Object {
  $_.ObjectType -match '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -and
  $_.IdentityReference -notmatch 'Domain Controllers|Enterprise Domain Controllers|Administrators'
} | Select IdentityReference, ActiveDirectoryRights

# Check AdminSDHolder for unexpected ACEs
dsacls "CN=AdminSDHolder,CN=System,$domain" | findstr /C:"ALLOW"

Step 3: Reset Credentials in the Right Order

Order matters. If you reset user passwords before KRBTGT, an attacker with a golden ticket can just re-harvest the new passwords.

Reset KRBTGT twice with a 10-12 hour gap between resets. The first reset invalidates the current hash. The second reset invalidates the previous hash (AD keeps both). This kills golden tickets.
Reset all compromised account passwords. Every account the attacker touched, plus every account they could have harvested via DCSync or Kerberoasting.
Reset all service account passwords. Especially Kerberoastable accounts (those with SPNs).
Reset computer account passwords for compromised machines.
Regenerate the Entra Connect sync account password if hybrid. This is frequently forgotten and gives the attacker a bridge back to cloud.

KRBTGT reset timing: The 10-12 hour gap is critical. If you reset both immediately, every Kerberos ticket in the environment becomes invalid simultaneously. That means every user session, every service authentication, every trust relationship fails at once. Stagger the resets to allow legitimate tickets to naturally expire and renew.

Step 4: Clean and Verify

Remove all persistence mechanisms identified in Step 2. Revert ACL changes, delete rogue GPOs, remove unauthorized group memberships.
Rebuild compromised machines from clean media. Do not trust a compromised system that has been "cleaned." Wipe and rebuild.
Run BloodHound again. Compare the post-remediation graph against the pre-remediation snapshot. Every attack path that existed before should be closed.
Verify replication health. Run repadmin /replsummary and dcdiag /v on every DC. Credential resets can surface latent replication issues.
Monitor aggressively for 30 days. Watch for the attacker attempting to return. Key indicators: new privileged logons from unexpected sources, new service accounts, DCSync attempts (4662 with Replicating Directory Changes), and TGT requests for recently-reset accounts from unexpected IPs.

What Gets Missed

The Entra Connect sync account. I see this missed in about half the evictions I review. If the attacker has the sync account credentials, they can reset cloud-only passwords, including Global Admin accounts that were never synced from on-prem. Check Entra ID sign-in logs for the sync account and verify no unauthorized password resets occurred.

Trust relationships. If the compromised domain has trust relationships with other domains, the attacker may have already pivoted. Check SID History for cross-domain privilege escalation.

Backup systems. If the attacker compromised backup infrastructure, they may have copies of the AD database (ntds.dit) that contain all password hashes. Rotate every credential, not just the ones you know were accessed.

The measure of a successful eviction is not that the attacker is gone today. It is that they cannot return tomorrow. Every persistence mechanism must be found and removed. Every credential must be rotated. Every attack path must be closed. If you skip any of these, you are not evicting. You are hoping.

Post-Compromise AD Recovery: The Eviction Playbook Nobody Gives You

Before You Touch Anything: Preserve Evidence

Step 1: Identify What Was Compromised

Step 2: Check for Persistence Before Resetting Credentials

Step 3: Reset Credentials in the Right Order

Step 4: Clean and Verify

What Gets Missed

Ed Truderung, SSCP

BloodHound for Defenders: Using Attack Path Analysis to Find Your AD Gaps

AdminSDHolder, SDProp, and Protected Users: The AD Controls Nobody Configures Right

The Event IDs That Actually Matter for Identity Threat Detection