Reset Credentials for Local Administrator Accounts Twice (CM0126)

In Playbook

Details

  • ID: CM0126
  • Version: 1.0
  • Created: 14 March 2025
  • Modified: 14 March 2025
  • Type: Refresh
  • Status: Active

Intended Outcome

Resetting credentials for local administrator accounts twice blocks or prevents an adversary's initial access and persistence via local administrator accounts.

Introduction

Changing credentials of privileged accounts can remove adversary footholds in the network, but some operating systems store hashes of both the current and previous passwords. To flush all compromised credentials, two resets are required. Adversaries may use pass-the-hash or ticket attacks to grab hashes and continue authenticating even through a password reset.

Preparation

  • Identify all local administrator accounts.
  • Identify the organization's password policy.

Risks

  • Lockout of local adminstrative accounts is likely if proper documentation of password resets is not conducted or policy is not followed.

Guidance

The password does not need time to replicate through the network and resets can be done right after the other.
  • Reset the password manually for all local administrator accounts. This can be done via PowerShell:
    • The `net user <username> *` command prompts a reset for the provided account. The command must be run on the machine that has the account.
    • If Local Administrator Password Solution (LAPS) is enabled, the `Reset-LapsPassword []` cmdlet will immediately reset the password of the account.
  • Via the Microsoft Entra administrator center:
    • Navigate to `Identity > Users > All users` and select the account of the local administrator.
    • Select `Reset Password`.

References

  • ID: CM0126
  • Version: 1.0
  • Created: 13 March 2025
  • Modified: 13 March 2025
  • Type: Refresh