What causes Privileged account compromise?

Pass-the-hash / pass-the-ticket attack from a compromised tier-1 host • Mimikatz-style credential dump from memory of a domain controller (very late-stage) • Phished cloud admin without phishing-resistant MFA • Service account password leaked in documentation / scripts in repo

How do I resolve Privileged account compromise?

Disable / contain compromised account • Rotate krbtgt and other shared secrets • Inventory and clean privileged group membership • Reset trust in tier-0 — potentially rebuild affected DCs • Improve future posture (PAW, gMSA, just-in-time)

How do I prevent Privileged account compromise?

Tier 0/1/2 administrative model — strict separation • Privileged Access Workstations with no internet, locked-down baseline • FIDO2 / smartcard for all privileged accounts • gMSA for service accounts where supported • Just-in-time elevation (PIM) for cloud admin

P1 · Cyber Incident Response

Privileged account compromise

A domain admin / global admin / service account credential is suspected stolen. Treat as worst-case until evidence rules it out.

Indicators

Privileged account login from unexpected source / time / location
Mass changes or new admin objects created (rogue accounts, group additions)
krbtgt or DSRM password changed unexpectedly
Service account being used interactively
Shadow Copies / backups deleted

Likely causes

Pass-the-hash / pass-the-ticket attack from a compromised tier-1 host
Mimikatz-style credential dump from memory of a domain controller (very late-stage)
Phished cloud admin without phishing-resistant MFA
Service account password leaked in documentation / scripts in repo

Diagnostic steps

Disable the suspect account immediately on a clean tier-0 station. Do not log into a potentially compromised host with another privileged account
Audit logon events (4624/4625/4672) and look for the account's recent activity across all DCs
If domain admin compromise suspected: rotate krbtgt password TWICE, 24 hours apart (allows in-flight tickets to expire) — use Microsoft New-KrbtgtKeys.ps1
Inventory privileged group memberships (Domain Admins, Enterprise Admins, Schema Admins, etc.) — remove anything unexpected
Review service-account password storage — rotate any in scope; identify and replace with managed identities / gMSA where possible
Cyber-IR escalation if scope unknown — assume forest-wide compromise until proven otherwise

Resolution path

Disable / contain compromised account
Rotate krbtgt and other shared secrets
Inventory and clean privileged group membership
Reset trust in tier-0 — potentially rebuild affected DCs
Improve future posture (PAW, gMSA, just-in-time)

Prevention

Tier 0/1/2 administrative model — strict separation
Privileged Access Workstations with no internet, locked-down baseline
FIDO2 / smartcard for all privileged accounts
gMSA for service accounts where supported
Just-in-time elevation (PIM) for cloud admin

Tools

Privileged Access Workstation (PAW) — never reuse compromised station
PowerShell ActiveDirectory + Microsoft KrbtgtKeys script
AD audit log review (4624 logon types, 4672 special privilege)
BloodHound — map attack paths to privileged accounts
Defender for Identity — anomalous privileged behaviour detection

References

Microsoft — Reset the krbtgt account password
Microsoft — Securing privileged access (Tier model)
NCSC — Protecting privileged access

credential-compromiseactive-directorykrbtgtprivileged-accessincident-response