Details

• ID: CM0050
• Version: 1.0
• Created: 14 March 2025
• Modified: 14 March 2025
• Type: Refresh
• Status: Active

Intended Outcome

Reseting the Kerberos Ticket Granting Ticket (KRBTGT) password twice will terminate adversary credential access via Golden Ticket attacks.

Introduction

The KRBTGT account is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos ticket requests. The KRBTGT account's password should be reset twice as the account has a two-password history. Failing to reset KRBTGT twice risks another Domain Controller using an old password.

Preparation

• Verify AD Replication health status.
• Consult Microsoft Active Directory Forest Recovery Reset the krbtgt password. Available at <https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-reset-the-krbtgt-password>

Risks

• Resetting the KRBTGT account password will invalidate all AD dependent applications tickets. Non-windows clients may be unable to request new tickets until existing tickets expire.
• If the KRBTGT account password has never been rotated before, domains may experience replication issues due to KRBTGT account credentials utilizing outdated ciphers (such as DES or RC4).

Guidance

The first account reset for the KRBTGT needs to be allowed to replicate prior to the second reset to avoid any issues. Waiting at least 10 hours before performing a second reset will ensure the reset fully propagates within large AD environments. If the maximum lifetime for a user ticket or service ticket policy settings have been modified, the amount of time to wait should be more than the configured value.

Reset KRBTGT Password with PowerShell

The KRBTGT account password can be reset twice by using Microsoft's New-KrbtgtKeys script The script is available at <https://github.com/microsoftarchive/New-KrbtgtKeys.ps1>.Organizations using Read-Write Domain Controllers will need to run the script separately; once for Read-Write Domain Controllers and once for Read-Only Domain Controllers.

Reset KRBTGT Password with Administrative Tools

The KRBTGT account password can also be reset by using the Control Panel with Administrative Tools and resetting the password for the KRBTGT User account under Active Directory Users and Computers.

References

• Active Directory Forest Recovery Reset the krbtgt password | https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-reset-the-krbtgt-password
• FAQs from the Field on KRBTGT Reset | https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/faqs-from-the-field-on-krbtgt-reset/ba-p/2367838
• Practical Compromise Recovery Guidance for Active Directory | https://m365internals.com/2021/04/27/practical-compromise-recovery-guidance-for-active-directory/
• Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise | https://www.cisa.gov/news-events/analysis-reports/ar21-134a