articles/security/fundamentals/recover-from-identity-compromise.md
3 additions & 3 deletions
@@ -232,7 +232,7 @@ We recommend the following actions to ensure your general security posture:
-**Ensure that your organization has extended detection and response (XDR) and security information and event management (SIEM) solutions in place**, such as [Microsoft Defender XDR for Endpoint](/microsoft-365/security/defender/microsoft-365-defender), [Microsoft Sentinel](../../sentinel/overview.md), and [Microsoft Defender for IoT](../../defender-for-iot/organizations/index.yml).
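Review bot: The removed line names the product "Microsoft Defender XDR for Endpoint", which conflates Microsoft Defender XDR (the link target, /microsoft-365/security/defender/microsoft-365-defender) with Microsoft Defender for Endpoint, a separate product; the replacement line did not survive in this rendering, so confirm that the new text uses a name that matches the link target, for example "Microsoft Defender XDR". The same sentence lists Microsoft Defender for IoT next to XDR and SIEM products without saying what it contributes; a short clause on its role (OT/IoT device telemetry feeding the SIEM) would make the list read as the posture the heading promises rather than a product roll-call.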
@@ -269,7 +269,7 @@ This section provides possible methods and steps to consider when building your
> [!IMPORTANT]
> The exact steps required in your organization will depend on what persistence you've discovered in your investigation, and how confident you are that your investigation was complete and has discovered all possible entry and persistence methods.
>
-
> Ensure that any actions taken are performed from a trusted device, built from a clean source. For example, use a fresh, privileged access workstation.
+
> Ensure that any actions taken are performed from a [trusted device](/security/privileged-access-workstations/privileged-access-devices), built from a clean source. For example, use a fresh, [privileged access workstation](/security/privileged-access-workstations/privileged-access-deployment).
>
The following sections include the following types of recommendations for remediating and retaining administrative control:
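Review bot: The new links in the callout cover only the device side; the callout still does not say that the credentials used from that workstation must themselves be trustworthy, and a clean device driven with an admin password the attacker already holds gains nothing. Suggest one sentence after "For example, use a fresh, [privileged access workstation](...)." along the lines of "Sign in with an account whose credentials were reset after the compromise was detected, not with one the attacker may have captured." This also ties the callout to the password-reset rows in the table below. Minor: "will depend on" in the preceding quoted line reads more simply as "depends on".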
@@ -323,7 +323,7 @@ In addition to the recommendations listed earlier in this article, we also recom
|---------|---------|
|**Rebuild affected systems**| Rebuild systems that were identified as compromised by the attacker during your investigation. |
|**Remove unnecessary admin users**| Remove unnecessary members from Domain Admins, Backup Operators, and Enterprise Admin groups. For more information, see Securing Privileged Access. |
-
|**Reset passwords to privileged accounts**| Reset passwords of all privileged accounts in the environment. <br><br>**Note**: Privileged accounts are not limited to built-in groups, but can also be groups that are delegated access to server administration, workstation administration, or other areas of your environment. |
+
|**Reset passwords to privileged accounts**| Reset passwords of all [privileged accounts](/security/privileged-access-workstations/overview) in the environment. <br><br>**Note**: Privileged accounts are not limited to built-in groups, but can also be groups that are delegated access to server administration, workstation administration, or other areas of your environment. |
|**Reset the krbtgt account**| Reset the **krbtgt** account twice using the [New-KrbtgtKeys](https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/master/New-KrbtgtKeys.ps1) script. <br><br>**Note**: If you are using Read-Only Domain Controllers, you will need to run the script separately for Read-Write Domain Controllers and for Read-Only Domain Controllers. |
|**Schedule a system restart**| After you validate that no persistence mechanisms created by the attacker exist or remain on your system, schedule a system restart to assist with removing memory-resident malware. |
|**Reset the DSRM password**| Reset each domain controller’s DSRM (Directory Services Restore Mode) password to something unique and complex. |
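Review bot: In the added row, "Privileged accounts are not limited to built-in groups, but can also be groups that are delegated access ..." is a category slip: accounts are not groups. Suggest "Privileged accounts are not limited to members of the built-in groups; they also include members of any group delegated administrative rights over servers, workstations, or other parts of your environment." Two rows above, "For more information, see Securing Privileged Access." is still plain text while this change adds links to the neighbouring rows; link it for consistency. Also check the target of the new "privileged accounts" link: /security/privileged-access-workstations/overview is the privileged access workstations overview, which is about devices rather than which accounts count as privileged, so a page on privileged access security levels or the securing-privileged-access guidance may be the intended destination.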