KRBTGT - ethan's notes

KRBTGT is an account used for Microsoft’s implementation of [[Kerberos]], the default Microsoft Windows authentication protocol. # KRBTGT Account Password Rotation A stolen KRBTGT account password can be used to impersonate authentication throughout the organization thereby giving an attacker access to sensitive data.^[[KRBTGT Account Password Reset Scripts now available for customers | Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/)] A strong password is assigned to the KRBTGT account automatically. Be sure that you change the password on a regular schedule. You must reset the password twice because the KRBTGT account stores only two of the most recent passwords in the password history. By resetting the password twice, you effectively clear all passwords from the password history.^[[Active Directory Accounts | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn745899(v=ws.11)?redirectedfrom=MSDN#krbtgt-account-maintenance-considerations)] ## PowerShell Script to Reset KRBTGT Account Password [(2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs « Jorge's Quest For Knowledge! (wordpress.com)](https://jorgequestforknowledge.wordpress.com/2018/12/30/PowerShell-Script-To-Reset-The-KrbTgt-Account-Password-Keys-For-Both-RWDCs-And-RODCs/) [microsoft/New-KrbtgtKeys.ps1: This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation. (github.com)](https://github.com/microsoft/New-KrbtgtKeys.ps1) [Public-AD-Scripts/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1 at master · zjorz/Public-AD-Scripts (github.com)](https://github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1) ## Manually Reset the KRBTGT Password^[[AD Forest Recovery - Resetting the krbtgt password | Microsoft Learn](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-reset-the-krbtgt-password)] 1. Select **Start**, point to **Control Panel**, point to **Administrative Tools**, and then select **Active Directory Users and Computers**. 2. Select **View**, and then select **Advanced Features**. 3. In the console tree, double-click the domain container, and then select **Users**. 4. In the details pane, right-click the **krbtgt** user account, and then select **Reset Password**. ![Reset password](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/media/resetpass1.png) 5. In **New password**, type a new password, retype the password in **Confirm password**, and then select **OK**. The password that you specify isn't significant because the system will generate a strong password automatically independent of the password that you specify. # Golden Ticket Attacks [Golden Ticket attacks explained (quest.com)](https://blog.quest.com/golden-ticket-attacks-how-they-work-and-how-to-defend-against-them/)