Why Changing Passwords Doesn’t End an Active Directory Breach
Summary
Changing a password after an Active Directory breach may not be enough to remove attackers. Attackers can maintain access through cached credentials and Kerberos tickets even after a password reset.
IFF Assessment
FOE
This article describes how attackers can keep persistence in an environment even after a common defensive measure such as a password reset, which poses a significant challenge for defenders.
Defender Context
Defenders need to be aware that password resets alone are insufficient to remediate an Active Directory breach. More robust detection and response mechanisms are required, such as monitoring for anomalous Kerberos ticket usage and identifying lingering administrative tools or unauthorized service accounts.