This note documents detection patterns for abuse of the ForceChangePassword permission (the User-Force-Change-Password extended right on a user object) within Active Directory environments. A principal holding this right can reset a target account's password without knowing the current one, so the indicators below centre on unexpected password resets and what follows them.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4724 | An attempt was made to reset an account's password | Critical | Primary indicator of ForceChangePassword abuse; for domain accounts it is logged on the domain controller that processed the reset. Review SubjectUserName (who reset) and TargetUserName (whose password was changed). |
| Security | 4738 | A user account was changed | High | Primary indicator of changes to the target account's attributes. May appear alongside or shortly after the password reset event depending on audit configuration. |
| Security | 4624 | Successful logon | High | Authentication as the reset account from the attacker host shortly after the password reset. |
| Security | 4648 | Explicit credentials used | Medium | May appear if the attacker uses runas or explicit credential authentication with the new password after the reset. |
| Security | 4672 | Special privileges assigned | High | Privileged session following a reset of a privileged account's password. |
| Sysmon | 1 | Process creation | Medium | Execution of PowerView, Impacket, or LDAP tooling performing the password reset. |
| Sysmon | 3 | Network connection | Medium | LDAP or SMB connections from the source host to a domain controller at the time of the password change. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Password reset without helpdesk activity | Unexpected password reset event for user | Critical | Common indicator of privilege abuse. |
| Password reset of privileged accounts | Password reset for Domain Admin or service accounts | Critical | High likelihood of compromise. |
| Immediate authentication after password reset | Login activity following reset event | High | Attacker validating new credentials. |
| Password resets from unusual host | Reset initiated from workstation not normally administering AD | High | Potential attacker-controlled system. |
| Multiple password resets in short timeframe | Rapid resets across several accounts | Medium | Possible automated privilege escalation attempt. |
Common Tools
| Tool | Usage |
|---|---|
| PowerView | Uses Set-DomainUserPassword to reset passwords when ForceChangePassword is present. |
| Impacket net rpc password | Performs password reset via RPC. |
| Impacket smbpasswd | Changes account password remotely. |
| CrackMapExec | Automates password resets across hosts. |
| ADSI / LDAP tools | Direct attribute modification of password fields. |
Relevant Artifacts
- Domain controller Security logs (4724, 4738, 4624)
- LDAP modification logs
- Active Directory object metadata
- Sysmon logs (1, 3)
- EDR telemetry identifying AD manipulation tools
- Directory replication metadata
- Prefetch artifacts showing execution of PowerView or Impacket
- Authentication logs following password reset
MITRE ATT&CK References
- T1098 Account Manipulation
- T1078 Valid Accounts
- T1484 Domain Policy Modification
Decision Tree
- Is the suspicious event present?
  - Identify the password reset event (4724).
- What host generated the event?
  - Determine the workstation performing the reset.
- Is the account expected to perform this action?
  - Investigate whether SubjectUserName normally resets passwords.
- Pivot:
  - Source host → inspect execution of PowerView or Impacket tools.
  - Target account → review privilege level and group membership.
  - Network → analyze authentication attempts after the reset.
- Confirm exploitation
  - Determine whether the attacker used the ForceChangePassword permission to take over the account.
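The indirect indicators table and the pivots in the decision tree above describe a correlation that is easier to see run than to read. The following is an added example, not code from the original note: it scores each Security 4724 event against those indicators (reset outside the helpdesk group, privileged target, unusual source host, a 4624 for the target soon after, a burst of resets by the same subject). The event records are constructed with the field names of 4724/4624 events and are not real logs; the helpdesk group, privileged-account set, admin-workstation list, time windows and weights are assumptions a deployment would replace with its own.

```python
"""Triage Security 4724 events against the indirect indicators above.

Added example, not the page's code. Event records are constructed with the
field names of Security 4724/4624 events (SubjectUserName, TargetUserName,
WorkstationName, IpAddress); reference sets and windows are assumptions.
"""
from datetime import datetime, timedelta

# Assumed reference data for this example.
HELPDESK_ACCOUNTS = {"helpdesk01", "helpdesk02"}
PRIVILEGED_ACCOUNTS = {"administrator", "svc_backup", "da_jsmith"}
ADMIN_WORKSTATIONS = {"PAW-01", "PAW-02"}
LOGON_WINDOW = timedelta(minutes=10)   # "immediate authentication after reset"
BURST_WINDOW = timedelta(minutes=5)    # "multiple resets in short timeframe"
BURST_THRESHOLD = 3

# Assumed indicator weights, roughly following the table's forensic value.
WEIGHTS = {
    "reset_outside_helpdesk": 3,
    "privileged_target": 3,
    "logon_after_reset": 2,
    "unusual_source_host": 2,
    "burst_resets": 1,
}

# Constructed sample events: one routine helpdesk reset, then three rapid
# resets of privileged accounts from an ordinary workstation, one of which
# is followed by a logon as the reset account.
SAMPLE_EVENTS = [
    {"EventID": 4724, "Time": "2024-05-01 09:00:00", "SubjectUserName": "helpdesk01",
     "TargetUserName": "bob", "WorkstationName": "PAW-01", "IpAddress": "10.0.1.5"},
    {"EventID": 4724, "Time": "2024-05-01 10:00:00", "SubjectUserName": "j.doe",
     "TargetUserName": "da_jsmith", "WorkstationName": "WS-1042", "IpAddress": "10.0.7.42"},
    {"EventID": 4724, "Time": "2024-05-01 10:01:00", "SubjectUserName": "j.doe",
     "TargetUserName": "svc_backup", "WorkstationName": "WS-1042", "IpAddress": "10.0.7.42"},
    {"EventID": 4724, "Time": "2024-05-01 10:02:00", "SubjectUserName": "j.doe",
     "TargetUserName": "administrator", "WorkstationName": "WS-1042", "IpAddress": "10.0.7.42"},
    {"EventID": 4624, "Time": "2024-05-01 10:03:00", "SubjectUserName": "-",
     "TargetUserName": "da_jsmith", "WorkstationName": "WS-1042", "IpAddress": "10.0.7.42"},
]


def _ts(event):
    return datetime.strptime(event["Time"], "%Y-%m-%d %H:%M:%S")


def indicators(reset, resets, logons):
    """Return the indirect indicators that apply to one 4724 event."""
    t = _ts(reset)
    subject = reset["SubjectUserName"].lower()
    target = reset["TargetUserName"].lower()
    hits = []
    if subject not in HELPDESK_ACCOUNTS:
        hits.append("reset_outside_helpdesk")
    if target in PRIVILEGED_ACCOUNTS:
        hits.append("privileged_target")
    if reset["WorkstationName"] not in ADMIN_WORKSTATIONS:
        hits.append("unusual_source_host")
    # A 4624 for the reset account within LOGON_WINDOW after the reset.
    if any(l["TargetUserName"].lower() == target and t <= _ts(l) <= t + LOGON_WINDOW
           for l in logons):
        hits.append("logon_after_reset")
    # Resets by the same subject (this one included) within BURST_WINDOW.
    burst = [r for r in resets if r["SubjectUserName"].lower() == subject
             and abs(_ts(r) - t) <= BURST_WINDOW]
    if len(burst) >= BURST_THRESHOLD:
        hits.append("burst_resets")
    return hits


def score(hits):
    return sum(WEIGHTS[h] for h in hits)


def triage(events):
    """Score every 4724 in events; returns (score, subject, target, hits), highest first."""
    resets = [e for e in events if e["EventID"] == 4724]
    logons = [e for e in events if e["EventID"] == 4624]
    results = []
    for r in resets:
        hits = indicators(r, resets, logons)
        results.append((score(hits), r["SubjectUserName"], r["TargetUserName"], hits))
    return sorted(results, key=lambda x: x[0], reverse=True)


if __name__ == "__main__":
    for s, subject, target, hits in triage(SAMPLE_EVENTS):
        print(f"score={s:2d} {subject} -> {target}: {', '.join(hits) or 'no indicators'}")
```

On the sample data the helpdesk reset scores 0 and the three resets by j.doe score 9 to 11, the highest being the one followed by a logon as the reset account; that ordering is the point of the decision tree's "pivot" step, since the analyst's time goes to the reset that has already been validated by the attacker.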
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID == 4724
| project TimeGenerated, SubjectUserName, TargetUserName, IpAddress
```

```kql
SecurityEvent
| where EventID == 4624
| project TimeGenerated, TargetUserName, IpAddress, WorkstationName
```

EQL

```eql
any where event.code == "4724"
```
Sigma

```yaml
title: Suspicious Password Reset Activity
id: forcechangepassword-abuse-detection   # Sigma convention is a UUID; replace before deploying
status: experimental
description: Detects suspicious password reset events potentially indicating ForceChangePassword abuse
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4724
    condition: selection
fields:
    - SubjectUserName
    - TargetUserName
falsepositives:
    - Legitimate helpdesk password resets
level: medium
tags:
    - attack.privilege_escalation
    - attack.t1098
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege review | Audit AD ACLs for ForceChangePassword permissions | Critical | Removes unnecessary password reset rights. |
| Least privilege | Restrict who can reset account passwords | High | Reduces privilege escalation paths. |
| Monitoring | Alert on password resets of privileged accounts | High | Detects takeover attempts quickly. |
| Helpdesk workflow | Use controlled password reset processes | Medium | Helps distinguish legitimate activity. |
| AD security review | Regularly review delegation permissions | High | Identifies risky configurations. |
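The "Privilege review" row above calls for auditing AD ACLs for ForceChangePassword permissions. The following is an added example, not code from the original note, showing what that audit has to look at once an object's security descriptor has been exported as SDDL: it parses the DACL, decodes each ACE, and reports any principal outside an allowlist that holds the User-Force-Change-Password extended right (well-known rights GUID 00299570-246d-11d0-a768-00aa006e0529), all extended rights, or generic full control. The SDDL string, the SIDs and the allowlist are constructed for the example; a real audit would feed it the descriptor of each privileged account.

```python
"""Flag ACEs on a user object's DACL that grant the ForceChangePassword right.

Added example, not the page's code. Parses the D: section of an SDDL string
(the strings here are constructed) and reports principals outside an
allowlist that can reset the object's password.
"""
import re

# Well-known rights GUID for the User-Force-Change-Password extended right.
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

# Access-mask bits used when rights are written as hex instead of letter pairs.
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
GENERIC_ALL = 0x10000000

# SDDL aliases / SIDs expected to hold the right (assumption for this example;
# the -1105 SID is a constructed helpdesk group).
ALLOWED_PRINCIPALS = {"DA", "EA", "BA", "SY", "S-1-5-21-1000-2000-3000-1105"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_set(rights):
    """Turn an SDDL rights field ('CCDCLCSW...' or '0x100') into a set of codes."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        codes = set()
        if mask & GENERIC_ALL:
            codes.add("GA")
        if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            codes.add("CR")
        return codes
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return a list of ACE dicts from the DACL (D:) section of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        parts = ace.split(";")
        if len(parts) < 6:
            continue  # not a standard ACE string; skip
        ace_type, flags, rights, obj_guid, inh_guid, sid = parts[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": rights_set(rights),
                     "object": obj_guid.lower(), "inherited_object": inh_guid.lower(),
                     "sid": sid})
    return aces


def grants_force_change_password(ace):
    """True if this ACE lets its principal reset the object's password."""
    if ace["type"] not in ("A", "OA"):
        return False  # deny and audit ACEs grant nothing
    if "GA" in ace["rights"]:
        return True   # full control includes every extended right
    if "CR" in ace["rights"]:
        # CR with an empty object GUID = all extended rights;
        # CR scoped to the ForceChangePassword GUID = this right only.
        return ace["object"] in ("", FORCE_CHANGE_PASSWORD_GUID)
    return False


def audit(sddl, allowed=ALLOWED_PRINCIPALS):
    """Principals (in ACE order) that can force a password reset but are not allowlisted."""
    return [ace["sid"] for ace in parse_dacl(sddl)
            if grants_force_change_password(ace) and ace["sid"] not in allowed]


# Constructed descriptor: Domain Admins full rights, helpdesk group with the
# right (allowed), a user (-1337) with the right plus the ordinary self-change
# right (User-Change-Password GUID, which is not ForceChangePassword), a group
# (-2222) with generic all, a deny ACE (-4444) and a read-only ACE for AU.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1000-2000-3000-1105)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1000-2000-3000-1337)"
    "(A;;GA;;;S-1-5-21-1000-2000-3000-2222)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-1000-2000-3000-1337)"
    "(D;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1000-2000-3000-4444)"
    "(A;;LCRP;;;AU)"
)

if __name__ == "__main__":
    for sid in audit(SAMPLE_SDDL):
        print("unexpected ForceChangePassword holder:", sid)
```

Two findings come back for the sample: the -1337 user, flagged once for the ForceChangePassword ACE and not for its User-Change-Password ACE, and the -2222 group, whose generic-all ACE never mentions the GUID but still confers the right. That second case is why an ACL review that only greps for the GUID misses holders.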