Ethical Hacking News

The Unseen Gaps: Understanding the Risks Beyond Password Resets



Recent research has revealed that password resets in Active Directory environments may not be enough to completely combat breaches. A new study by Specops Software highlights the risks and challenges associated with this approach, emphasizing the need for a multi-faceted security strategy to ensure attackers are removed from the system.

  • Password resets are not enough to completely prevent Active Directory breaches.
  • Even after a password reset, there is still a window of vulnerability that attackers can exploit.
  • Kerberos tickets pose a risk because they remain valid for a set period of time even if the user's password changes.
  • Service accounts with long-lived passwords and elevated privileges are vulnerable to exposure through techniques like Kerberoasting or lateral movement.
  • Access Control Lists (ACLs) can create backdoors if an attacker grants compromised accounts permissions, allowing them to maintain access even after the original password is changed.
  • A multi-faceted approach is needed to remove attackers from the system, including terminating active sessions, clearing Kerberos tickets, and rotating service account passwords.



    Password resets are often considered a silver bullet against Active Directory breaches, but recent research has revealed that this approach may not be enough. A new study published by Specops Software highlights the risks and challenges associated with password resets in Active Directory environments.

    The study reveals that while password resets can provide an initial layer of protection, they do not completely eliminate the risk of a breach. In fact, even after a password reset, there is still a window of vulnerability that attackers can exploit to maintain access or re-establish a foothold.

    One of the primary reasons for this gap in security is the use of Kerberos tickets, which are valid for a set period of time. If an attacker already has a valid ticket, they can continue accessing resources without re-entering a password. This means that even after a password reset, access can continue well beyond the reset itself unless sessions are explicitly invalidated.

    Another critical vulnerability is service accounts, which tend to have long-lived passwords and elevated privileges tied to critical systems. Attackers can expose these credentials through techniques like Kerberoasting or discover them when moving laterally through a network. Because these accounts are tied to running services, they're less likely to be reset quickly, especially if there's a risk of disruption.

    Furthermore, Access Control Lists (ACLs) play a significant role in determining the level of access an attacker can gain within Active Directory environments. If an attacker grants a compromised account rights like resetting passwords for other users, they've effectively created a backdoor. Even if the original password is changed, those permissions remain.

    To ensure that attackers are removed from the system, defenders need to take a multi-faceted approach. This includes terminating active sessions, clearing Kerberos tickets, and rotating service account passwords. It also involves reviewing what has changed in the directory itself: auditing group memberships, delegated rights and ACLs, and privileged accounts and roles.
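
    As an added illustration of the directory review described above (example code, not from the article or from Specops), the PowerShell below checks for two of the gaps: SPN-bearing service accounts whose password predates an assumed compromise date, and explicit ACL grants of the password-reset extended right or broader rights that were written after that date. It assumes the RSAT ActiveDirectory module and read access to nTSecurityDescriptor and replication metadata; $CompromiseDate is a placeholder window.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the article or Specops: a post-reset sweep for two of the
# gaps described in the text. Assumes RSAT's ActiveDirectory module and read access
# to nTSecurityDescriptor and replication metadata. $CompromiseDate is a placeholder.
param(
    [datetime]$CompromiseDate = (Get-Date).AddDays(-30),   # assumed intrusion window
    [string]$Server = (Get-ADDomain).PDCEmulator
)
Import-Module ActiveDirectory

# Gap 1: accounts carrying an SPN (the Kerberoasting target set) whose password has
# not been rotated since the assumed compromise date.
$staleServiceAccounts = Get-ADUser -Server $Server -Filter 'servicePrincipalName -like "*"' `
        -Properties PasswordLastSet, AdminCount |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $CompromiseDate } |
    Select-Object SamAccountName, PasswordLastSet, AdminCount

# Gap 2: ACL backdoors. Flag explicit Allow ACEs on user objects that grant the
# User-Force-Change-Password extended right (well-known rights GUID below, or the
# empty GUID meaning "all extended rights") or GenericAll/WriteDacl/WriteOwner, but
# only where the security descriptor was last written after the compromise date.
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$broadRights       = 'GenericAll', 'WriteDacl', 'WriteOwner'

$suspiciousAces = foreach ($user in Get-ADUser -Server $Server -Filter * -Properties nTSecurityDescriptor) {
    # One metadata query per object; scope -Filter/-SearchBase to an OU in large domains.
    $meta = Get-ADReplicationAttributeMetadata -Server $Server -Object $user.DistinguishedName `
                -Properties nTSecurityDescriptor
    if ($meta.LastOriginatingChangeTime -lt $CompromiseDate) { continue }

    foreach ($ace in $user.nTSecurityDescriptor.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $rights  = $ace.ActiveDirectoryRights.ToString() -split ', '
        $isReset = ('ExtendedRight' -in $rights) -and
                   ($ace.ObjectType -eq $resetPasswordGuid -or $ace.ObjectType -eq [guid]::Empty)
        $isBroad = [bool]($rights | Where-Object { $_ -in $broadRights })
        if ($isReset -or $isBroad) {
            [pscustomobject]@{
                Target     = $user.SamAccountName
                Grantee    = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                AclChanged = $meta.LastOriginatingChangeTime
            }
        }
    }
}

# Both lists are review input: rotate the stale accounts, and confirm each flagged
# ACE against change records before removing it.
[pscustomobject]@{
    StaleServiceAccounts = $staleServiceAccounts
    SuspiciousAces       = $suspiciousAces
}
```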

    In conclusion, while password resets are an essential part of incident response, they do not provide a complete solution to Active Directory breaches. Defenders need to understand the risks and challenges associated with these attacks and take a comprehensive approach to eliminate the window of vulnerability.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Unseen-Gaps-Understanding-the-Risks-Beyond-Password-Resets-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/why-changing-passwords-doesnt-end-an-active-directory-breach/


    Published: Mon May 11 09:18:01 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.