Active Directory Investigation

Active Directory Investigation playbook provides tools and guidance to investigate changes and manipulation in Active Directory containers, ACLs, Schema, and objects. This playbook uses a 3rd party tool provided by Microsoft to scan the Active Directory access list, trees, and objects. Additional investigative information is provided for manual investigation.

Active Directory Query · 10 tasks · 0 inputs · 0 outputs

Commands used

ad-disable-account setIncident

Flowchart

yes Start Start Review the Active Directory AdminSDHolder permissions Review the Active Directo... Run the Active Directory ACL Scanner Run the Active Directory ... Review the Active Directory ACL Scanner report Review the Active Directo... Was a compromised account detected? Was a compromised account... Review the Active Directory event log Review the Active Directo... Remediate according to the Active Directory event log findings Remediate according to th... Done Done Disable compromised account in Active Directory - ad-disable-account Disable compromised accou... ad-disable-account Set Compromised users - setIncident Set Compromised users setIncident