Reset Password

Description

The Source security principal can reset the password of the Target, which allows it to authenticate as the Target with the newly set password and benefit from the Target's privileges.

Resetting a password is not the same as changing a password, which anyone who knows the current password can do. A password change typically occurs when a password expires.

Exploitation

Attackers who compromise the Source security principal can reset the password of the Target using native Windows commands such as "net user /domain", PowerShell cmdlets such as "Set-ADAccountPassword -Reset", administration tools such as "Active Directory Users and Computers", or dedicated hacker tools such as PowerSploit.

Attackers then only have to authenticate to Active Directory or to the targeted resource using legitimate authentication methods with the password they chose to fully impersonate the Target.

However, attackers do not usually know the previous password and so cannot revert to it after the attack. Therefore, the attack is often visible to the legitimate person behind the Target and can even cause a denial of service, especially for service accounts.

Remediation

IT administrators and helpdesk staff are legitimately allowed to reset passwords, but you must put in place the appropriate delegations so that they can perform this action only within their allowed perimeter.

Also, according to the tiering model, you must ensure that lower-tier staff, such as a helpdesk for standard users, cannot reset the password of a higher-tier account, such as a domain administrator, because this is an opportunity for privilege escalation.

To modify the Target's security descriptor and remove illegitimate permissions:

  1. In "Active Directory Users and Computers", right-click the Target object, select Properties, then open the Security tab.

  2. Remove the "Reset password" permission for the Source security principal.

Note: Do not confuse this permission with "Change password".
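The same clean-up as a script, which is an added example and not part of the original page: it lists the ACEs on the Target that grant the Source the "Reset password" extended right (leaving "Change password" untouched) and removes them only when -Remove is given. It assumes the RSAT ActiveDirectory module, the AD: PSDrive it provides, and that the caller may read and write the Target's security descriptor; the $Target and $Source parameters are hypothetical names.

```powershell
# Added example: audit, and optionally remove, the "Reset password" right $Source holds on $Target.
# Assumes the RSAT ActiveDirectory module (AD: drive) and write access to the Target's ACL.
param(
    [Parameter(Mandatory)] [string] $Target,   # sAMAccountName of the Target account
    [Parameter(Mandatory)] [string] $Source,   # Source principal as 'DOMAIN\name'
    [switch] $Remove                           # without -Remove the script only reports
)
Import-Module ActiveDirectory

# Schema GUIDs of the two extended rights the page tells you not to confuse (well-known constants).
$ResetPasswordGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password (legitimate)

$dn  = (Get-ADUser -Identity $Target).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

# Allow ACEs for the Source that grant the Reset right, either explicitly or through
# an ExtendedRight ACE with an empty ObjectType (which means "all extended rights").
$offending = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $Source -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -ne $ChangePasswordGuid -and
    ($_.ObjectType -eq $ResetPasswordGuid -or $_.ObjectType -eq [guid]::Empty)
}

if (-not $offending) { "No 'Reset password' right for $Source on $dn"; return }

foreach ($ace in $offending) {
    $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'all extended rights' } else { 'Reset password' }
    "{0} grants {1} on {2} (inherited: {3})" -f $ace.IdentityReference, $scope, $dn, $ace.IsInherited
}

if ($Remove) {
    # Inherited ACEs cannot be removed here; they must be fixed on the parent container.
    foreach ($ace in $offending | Where-Object { -not $_.IsInherited }) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    "Explicit ACEs removed; inherited ones (if any) still require a change on the parent OU."
}
```

Run it first without -Remove to review the listed ACEs; an ACE granting GenericAll or WriteDacl would also allow a reset and is not covered by this filter.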

See also