GPO configuration to reset the krbtgt password in a safe way and mitigate golden ticket impact
secbeard/krbtgt-reset
krbtgt-reset

GPO configuration to reset the krbtgt password in a safe way and mitigate golden ticket impact. This script ensures the KRBTGT password is updated securely and consistently across the domain, while also checking for replication issues and logging relevant events.

No user account is required, because the task runs with SYSTEM privileges on a domain controller. It is scheduled by GPO and applied to the Domain Controllers OU, but only the DC holding the PDC emulator FSMO role actually executes the reset.

Instructions: All operations require Domain Admins privileges. The script file must be stored in a location that is writeable only by Domain Admins. Since SYSVOL exists for exactly that purpose and is replicated to every DC, we use it.

*** Always use the DFS name of the sysvol for the script location ***

In the screen capture, the path is WRONG as it is using the server name path:

\\lab1-dc1.lab1.local\netlogon\...

It should be domain FQDN only:

\\lab1.local\netlogon\...

You can adapt the script to your Kerberos ticket lifetime; by default it is 10 hours. The current configuration prevents a password change within 12 hours of the last password set time via the variable:

$krbTGTMinTime = (Get-Date).AddHours(-12)

Copy the file to the NETLOGON folder.


Create a new GPO under the Domain controllers OU.


Disable the User configuration as only computer related settings are implemented.


Create a scheduled task in the Preference section of Computer.


Set the task to run as SYSTEM, with highest privileges, whether a user is logged on or not.


Create a trigger that fits your needs. Daily might be aggressive, but I would recommend it if a breach is suspected.

Weekly for normal operations.

Daily for a breached or assumed-breached scenario.


For the Actions section, select "Start a program".

Command

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

Arguments (replace with your script file location; use the domain FQDN path if the location is on the network, such as the NETLOGON share):

-noprofile -noninteractive -windowstyle hidden -ep bypass -file "\\lab1.local\NETLOGON\krbtgt_reset.ps1"


Optionally, you can add a check to make sure PowerShell is available:

"%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe"


Report of the GPO configuration, for validation.


The logs are visible in the Event Viewer under Application; here are a few examples:

Password change successful


Password is too recent to be changed


The DC is not the PDC

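The three event-log outcomes above, together with the PDC-only and 12-hour guards described earlier, map onto a small decision sequence. The script below is an added illustration of that sequence and is not the repository's krbtgt_reset.ps1 (whose password-generation code comes from New-KrbtgtKeys.ps1 and is not reproduced here). The event source name, event IDs, the replication check used and the placeholder password generator are all assumptions; only the $krbTGTMinTime variable comes from this README.

```powershell
# Added example, not the repository's script. Run as SYSTEM from the GPO scheduled task.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$EventSource   = 'KrbtgtReset'              # assumed event source name
$krbTGTMinTime = (Get-Date).AddHours(-12)   # from the README: no change within 12 h of the last set

# Register the event source once so Write-EventLog can write to the Application log.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

function Write-ResetEvent {
    param(
        [string]$Message,
        [string]$EntryType = 'Information',
        [int]$EventId = 1000                 # assumed event IDs: 1001 ok, 1002 too recent, 1003 not PDC, 1004 replication
    )
    Write-EventLog -LogName Application -Source $EventSource -EntryType $EntryType -EventId $EventId -Message $Message
}

# 1. Only the PDC emulator performs the reset, so the GPO can safely target the whole Domain Controllers OU.
$domain    = Get-ADDomain
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($domain.PDCEmulator -ne $localFqdn) {
    Write-ResetEvent -Message "This DC ($localFqdn) is not the PDC ($($domain.PDCEmulator)); nothing to do." -EventId 1003
    exit 0
}

# 2. Refuse to change the password if it was set within the minimum interval
#    (Kerberos ticket lifetime plus a margin), so tickets issued under the previous key stay valid.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -gt $krbTGTMinTime) {
    Write-ResetEvent -Message "krbtgt password was last set $($krbtgt.PasswordLastSet); too recent to be changed." -EntryType Warning -EventId 1002
    exit 0
}

# 3. Check for replication problems before touching krbtgt: DCs that cannot receive the new key
#    would keep issuing and validating tickets with the old one.
$replFailures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
if ($replFailures) {
    Write-ResetEvent -Message "Replication failures detected ($(@($replFailures).Count)); aborting krbtgt reset." -EntryType Error -EventId 1004
    exit 1
}

# 4. Perform the reset. Placeholder generator: 48 random bytes from a CSPRNG, base64-encoded,
#    standing in for the borrowed New-KrbtgtKeys.ps1 functions the real script uses.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword
Write-ResetEvent -Message "krbtgt password change successful on $localFqdn." -EventId 1001
exit 0
```

The checks are ordered so that the cheapest, most common exits (not the PDC, password too recent) happen before any replication query, and the Application log receives exactly one event per run, which is what makes the GPO schedule auditable from any DC.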

SHA256 for version 1:

f7019a195ec57068fdc8afdf60734ae8ac71609eb36aeecee8f28d896176925f krbtgt_reset.ps1

62271109dcd91ecdf7e84b8b0c73aa028f36272d352b42b96fb82faa81cbdf48 ScheduledTasks.xml

The password generation functions have been borrowed from:

https://github.com/microsoftarchive/New-KrbtgtKeys.ps1/blob/master/New-KrbtgtKeys.ps1
