Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / ForceChangePassword

Response

Cleanup:

$OldPassword = ConvertTo-SecureString 'StudentPass2026!' -AsPlainText -Force
Set-ADAccountPassword -Identity 'dylan.brooks' -Reset -NewPassword $OldPassword

Primary detection:

4724 - An attempt was made to reset an account's password

Useful follow-up:

4738 - User account changed
4624 - Successful logon after reset
4648 - Explicit credentials used
4672 - Special privileges assigned

Hunt for password resets by unexpected users, resets against service or privileged accounts, and immediate authentication after a reset.

Remediation:

  • remove unnecessary password reset delegation
  • restrict helpdesk reset rights to approved OUs
  • monitor resets of service and privileged accounts
  • rotate any account reset during an incident
  • review AdminSDHolder-protected accounts separately