PASSWORD RESETS ALONE WON'T STOP AD BREACHES

When Active Directory accounts are compromised, organizations typically reset passwords as a first response. However, this standard remediation step has a critical weakness: attackers can remain authenticated through cached credentials and Kerberos tickets. Cached credentials—stored locally on machines—remain valid even after a password reset, allowing attackers to maintain access on previously compromised endpoints. Similarly, Kerberos tickets issued before the password change continue to function until they expire, which can take hours or days depending on configuration. Specops Software notes that attackers leveraging these mechanisms can operate undetected within the network despite password changes. Organizations need additional steps beyond resets to fully remediate breaches, including invalidating active sessions, clearing cached credentials across affected systems, and reviewing Kerberos ticket-granting tickets. The findings underscore that comprehensive incident response requires multiple layers of action rather than relying on password resets as a standalone solution.