Impacket for Pentesters: Password Change Techniques
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
This article explains how Active Directory misconfigurations can be abused to forcibly reset user passwords with the Impacket toolkit. It focuses on the impacket-changepasswd utility, which can leverage the Reset Password ACE to enable account takeover. The technique supports several protocols, including SMB-SAMR, RPC-SAMR, LDAP, and Kerberos.
Investigation
The report presents a lab scenario in which one user is granted Reset Password rights over another account object. It walks through multiple authentication approaches, including plaintext credentials, Pass-the-Hash, Pass-the-Key, and Kerberos TGT cache usage, to manipulate account passwords across different protocols.
Mitigation
Defenders should routinely audit Active Directory ACLs with tools such as BloodHound to identify overly permissive Reset Password rights. Applying a tiered administration model and using the Protected Users security group can significantly reduce exposure. Enforcing LDAP signing and deploying Credential Guard are also recommended.
Response
If suspicious activity is detected, security teams should investigate Windows Event IDs 4723, 4724, 4738, 4771, and 5136. Analysts should confirm whether the password reset was authorized and review the environment for unusual SAMR traffic or LDAP directory changes. Immediate actions should include auditing the permissions of the affected account and rotating credentials for any potentially compromised administrative users.
Attack Flow
We are still updating this part. Sign up to get notified
Notify MeSimulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: An adversary has successfully compromised a user account with delegated permissions or has escalated privileges to a Domain Admin level. To ensure long-term persistence and avoid detection during a later phase of the operation, the attacker decides to reset the password of a known service account. By using native PowerShell tools (
Set-ADAccountPasswordornet user), the attacker attempts to change the password ofService_SVC. This action is a classic “Living off the Land” technique, designed to blend in with routine administrative tasks, yet it triggers specific Windows Security Event IDs (4724/4738) that the detection rule is designed to catch. -
Regression Test Script:
# Simulation Script: Password Reset via PowerShell # Note: This must be run in a controlled lab environment with appropriate permissions. $TargetUser = "Service_SVC" Write-Host "[*] Checking if target user exists..." -ForegroundColor Cyan if (Get-ADUser -Filter "SamAccountName -eq '$TargetUser'") { Write-Host "[+] Target user $TargetUser found. Proceeding with password reset simulation..." -ForegroundColor Green # Generating Event ID 4724 / 4738 try { $NewPassword = ConvertTo-SecureString "SimulatedPass123!" -AsPlainText -Force Set-ADAccountPassword -Identity $TargetUser -NewPassword $NewPassword Write-Host "[+] SUCCESS: Password reset triggered. Check Security Logs for Event ID 4724/4738." -ForegroundColor Green } catch { Write-Host "[-] ERROR: Failed to reset password. Ensure you are running as an Admin/Authorized user." -ForegroundColor Red Write-Error $_ } } else { Write-Host "[-] ERROR: Target user $TargetUser not found. Please create the user first." -ForegroundColor Red } -
Cleanup Commands:
# Cleanup Script: Restore original state $TargetUser = "Service_SVC" $OriginalPassword = ConvertTo-SecureString "Original_Safe_Pass_2025!" -AsPlainText -Force Write-Host "[*] Restoring original password for $TargetUser..." -ForegroundColor Cyan Set-ADAccountPassword -Identity $TargetUser -NewPassword $OriginalPassword Write-Host "[+] Cleanup complete." -ForegroundColor Green