How to clean out golden tickets after a succesful attack on your active directory

If an attack made it into your active directory‍ environment and got a golden ticket‍, there is a specific set of steps you need to take to make sure you've cleaned out the adversary:

1. Disconnect the affected networks. Entirely.
2. Remediate any persistence mechanisms left behind
3. Reset passwords of ALL high privileged access accounts
4. Reset passwords of all VPN access credentials (+other remote access you may have)
5. Change the krbtgt‍ hash using https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 run in it the order of using first option 1, then option 2 and then option 3: (https://cdn-images-1.medium.com/max/1000/1*Gk48jksjPuThTrPnJNHW-w.png)
6. Wait minimum 10 hours
7. Change the krbtgt hash again using https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 run in it the order of using first option 1, then option 2 and then option 3: (https://cdn-images-1.medium.com/max/1000/1*Gk48jksjPuThTrPnJNHW-w.png)