Details

• ID: CM0033
• Version: 1.0
• Created: 14 March 2025
• Modified: 14 March 2025
• Type: Refresh
• Status: Active

Intended Outcome

Resetting user account passwords restricts adversary persistence and lateral movement using valid accounts.

Introduction

No introduction content identified.

Preparation

• Configure environment to support self-service password reset (SSPR) for users.
• Develop standard operating procedures (SOPs) when pushing out mandatory password resets to affected accounts. Instructions should include guidance for alerting users and instructions on self-service password resets.
• Ensure a means of attestation is defined to verify the veracity of users requiring a manual password reset.

Risks

• This countermeasure may have impacts that disrupt operations.
• Organization's helpdesk may be inundated with assistance reset if a password reset is pushed. Staging the password reset will mitigate the burden on both users and service desk technicians.
• Reducing the password expiration age or gradually resetting passwords for user accounts in timed batches, while often necessary, will risk the adversary maintaining authenticated sessions until the hijacked account's password is reset.
• Remote users may be unable to fulfill their job responsibilities until they reset their password and successfully authenticate on the domain.
• Adversaries that manage to exfiltrate the Active Directory Directory Services (AD DS) database or are abusing the SSPR may be able to re-establish initial access or persistence via SSPR.

Guidance

• Post-breach, configure domains to request password resets for user accounts.
• For onsite users with direct access to domain controllers, password resets can be performed in batches by resetting passwords by organizational units and leveraging the "User must change password at next logon" PowerShell flag.
• Alternately, Fine Grained Password Policies (FGPP) and reducing password age through domain policy modifications may facilitate mass password resets of user accounts.
• For hybrid organizations using Microsoft Entra ID, administrators may use Microsoft Graph to set user attributes to either "forceChangePasswordNextSignIn" or "forceChangePasswordNextSignInWithMfa."
• Ensure compliance with best practices, to include:
• Salting passwords
• Increasing password length and complexity
• Prevent password reuse

References

• Digital Identity Guidelines | https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf
• Set the password expiration policy for your organization | https://learn.microsoft.com/en-us/microsoft-365/admin/manage/set-password-expiration-policy