Why Changing Passwords Doesn’t End an Active Directory Breach

Source: BleepingComputer

Author: Sponsored by Specops Software

URL: https://www.bleepingcomputer.com/news/security/why-changing-passwords-doesnt-end-an-active-directory-breach/

ONE SENTENCE SUMMARY:

Password resets alone may not evict attackers from AD or hybrid Entra ID, because cached credentials, sync delays, Kerberos tickets, live sessions, and persisted permissions all outlive the reset.

MAIN POINTS:

  1. Changing a password doesn’t instantly invalidate old credentials across all authentication paths.
  2. Windows cached password hashes can allow offline logon using pre-reset credentials.
  3. Hybrid setups add Entra ID synchronization delays where old passwords may still work.
  4. How long old credentials keep working after a reset varies by device: it depends on whether the device has reconnected to the domain and completed a logon with the new password, which is what refreshes its cached verifier.
  5. Pass-the-hash attacks reuse captured hashes even after passwords are changed.
  6. Kerberos tickets keep sessions alive without re-entering passwords after resets.
  7. Service accounts’ long-lived, privileged credentials provide resilient attacker fallback access.
  8. Golden and Silver Ticket attacks bypass password checks by forging Kerberos tickets.
  9. ACL abuse and AdminSDHolder modifications can persist privileges despite password changes.
  10. Effective eviction needs session termination, ticket purging, KRBTGT resets, rotations, and directory auditing.

TAKEAWAYS:

  1. Treat password resets as one control within broader incident response, not final remediation.
  2. Reduce reset-gap exposure by forcing sync and updating endpoint cached credentials.
  3. Kick attackers out by terminating sessions and clearing Kerberos tickets on affected systems.
  4. Rotate privileged and service-account credentials to remove reliable persistence mechanisms.
  5. Audit AD changes—memberships, delegated rights, ACLs, privileged roles—to eliminate hidden backdoors.
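The eviction steps in the takeaways above, as an added PowerShell example that is not the article's or Specops' own code. It assumes RSAT with the ActiveDirectory module, Domain Admin rights, WinRM access to the affected hosts, and the ADSync module on the Entra Connect server; every host and account name in it is a constructed placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added defender-side example (not the article's or Specops' code): one pass over the
# eviction checklist above. Assumes RSAT, Domain Admin rights, WinRM to the hosts and
# the ADSync module on the Entra Connect server. All names are constructed placeholders.
$AffectedHosts   = @('WS-FINANCE-01', 'SRV-APP-02')
$ServiceAccounts = @('svc-backup', 'svc-sql')
$SyncServer      = 'SRV-AADCONNECT'

function New-RandomPassword {
    # 32 random bytes, base64-encoded: long, unpredictable, never typed by a human.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Step 1: log off interactive sessions and purge Kerberos tickets on affected hosts
# (the remoting session's own tickets and SYSTEM's logon session, LUID 0x3e7).
Invoke-Command -ComputerName $AffectedHosts -ScriptBlock {
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        # SESSIONNAME is blank for disconnected sessions, so take the first all-digit
        # field after USERNAME as the session ID instead of a fixed column index.
        $f  = $_.Trim().TrimStart('>') -split '\s+'
        $id = $f[1..($f.Count - 1)] | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        if ($id) { logoff $id }
    }
    klist purge | Out-Null; klist purge -li 0x3e7 | Out-Null
}

# Step 2: close the hybrid gap: force a delta sync so Entra ID stops honouring old passwords.
Invoke-Command -ComputerName $SyncServer -ScriptBlock { Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta }

# Step 3: rotate service accounts (then update the services/tasks that run as them) and
# reset KRBTGT. Forged Golden Tickets survive until a SECOND reset, run after the first
# has replicated to every DC, so schedule that follow-up reset rather than forgetting it.
foreach ($acct in $ServiceAccounts) { Set-ADAccountPassword -Identity $acct -Reset -NewPassword (New-RandomPassword) }
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)

# Step 4: audit persistence: non-default, explicit write-capable ACEs on AdminSDHolder,
# plus the recursive membership of the privileged groups, for review against a baseline.
$dom     = Get-ADDomain
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             "$($dom.NetBIOSName)\Domain Admins", "$($dom.NetBIOSName)\Enterprise Admins")
(Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($dom.DistinguishedName)").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -notin $trusted -and
                   $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
```

Anything Step 4 lists that is not in your documented baseline is a lead to investigate, not proof of compromise on its own.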