Title Revoke authentication credentials
ID RA4601
Description Revoke authentication credentials
Author @atc_project
Creation Date 2019/01/31
Category Identity
Stage RS0004: Eradication


On this step, you supposed to know what kind of credentials have been compromised/you would like to revoke.
You need to revoke them in your Identity and Access Management system where they were created (i.e. Windows AD) using native functionality.


  • If the adversary has generated Golden Ticket in Windows Domain/forest, you have to revoke KRBTGT Account password twice for each domain in a forest and proceed to monitor malicious activity for next 20 minutes (Domain Controller KDC service doesn’t perform validate the user account until the TGT is older than 20 minutes old)