RP0009: Compromised Active Directory account
Summary
ID | RP0009 |
---|---|
Brief Description | Compromised Active Directory account |
Author | @SEC |
Creation Date | 2023/05/20 |
Modification Date | 2023/05/20 |
Workflow
Playbook Actions
Preparation
Operational Preparations
Check Monitoring Toolset
Make Sure All Hosts Get Setting On Same NTP
Prepare Network Activity Profiles
Prepare Process Activity Profiles
Containment
Block User Account
Block domain user account via PowerShell
Eradication
Reset Authentication Credentials
Revoke Authentication Credentials