Mass Credential Reset and Session Invalidation
Reset all compromised credentials, invalidate active sessions, and rotate service account passwords. For Active Directory environments, perform krbtgt double-reset to invalidate all Kerberos tickets.
Actions
- 1
Reset passwords for all confirmed compromised accounts. Use strong, unique passwords: `Set-ADAccountPassword -Identity USERNAME -Reset -NewPassword (ConvertTo-SecureString "NEW_COMPLEX_PASSWORD" -AsPlainText -Force)`.
- 2
Perform a krbtgt account double-reset, with at least 12 hours between the two resets, to invalidate all Kerberos tickets. Use `Reset-KrbtgtKeyInteractive` from Microsoft's New-KrbtgtKeys.ps1 script (not a built-in cmdlet; it checks replication between passes), or reset manually with `Set-ADAccountPassword -Identity krbtgt -Reset` (prompts for the new value). Record the time of each reset, since the gap for the second pass is measured from the first.
- 3
Revoke all cloud sessions for each compromised user: `Revoke-AzureADUserAllRefreshToken -ObjectId USER_OBJECT_ID` (AzureAD module; its Microsoft Graph replacement is `Revoke-MgUserSignInSession -UserId USER_ID`). Also remove OAuth app consents the account granted: `Remove-AzureADOAuth2PermissionGrant -ObjectId GRANT_ID`. Revocation invalidates refresh tokens and session cookies, but access tokens already issued stay valid until they expire (roughly an hour by default), so expect residual activity for that long.
- 4
Rotate all service account passwords and API keys that may have been exposed. Check for stored credentials in scripts, Group Policy Preferences (`cpassword` attributes in SYSVOL XML, decryptable by any domain user), and configuration files, and update every consumer before rotating so the rotation itself does not cause an outage.
- 5
Reset machine account passwords for compromised systems: `Reset-ComputerMachinePassword -Server DOMAIN_CONTROLLER`. The cmdlet resets the secure channel of the host it runs on, so run it on (or remotely against) each affected host. A host where the attacker held SYSTEM should be rebuilt rather than trusted again after a reset.
Queries
IdentityInfo | where AccountName in~ (COMPROMISED_ACCOUNTS) | project AccountName, AccountDomain, IsAccountEnabled, PasswordLastSet, LastLogonTimestamp // Verify account status
index=wineventlog sourcetype=WinEventLog:Security EventCode=4724 OR EventCode=4723 earliest=T_START latest=T_END | stats count by Account_Name, TargetUserName, ComputerName | sort -count
index=wineventlog sourcetype=WinEventLog:Security EventCode=4625 TargetUserName IN ("RESET_ACCOUNT_1","RESET_ACCOUNT_2") earliest=-24h | timechart span=1h count by TargetUserName | sort -_time
SigninLogs | where TimeGenerated > ago(1h) | where UserPrincipalName in~ (RESET_ACCOUNTS) | where ResultType == 0 | project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location // Successful sign-ins after the reset: each one must match a known hand-over of the new credential; anything else is a sign the attacker still has access
AuditLogs | where TimeGenerated > ago(24h) | where OperationName has "password" | project TimeGenerated, OperationName, InitiatedBy, TargetResources | order by TimeGenerated desc // Track password resets and changes; "has" catches the variants ("Reset user password", "Change password (self-service)", ...) that an exact match misses
Notes
The krbtgt double-reset must be spaced by at least the domain's maximum ticket lifetime (10 hours by default) plus AD replication time, so 12-24 hours in practice. The KDC accepts tickets encrypted with the current and the previous krbtgt key, so the first reset alone leaves existing TGTs, including golden tickets forged with the stolen hash, valid; the second reset pushes the original key out of that two-key history and invalidates them. Resetting twice without the gap invalidates every legitimate ticket at once and causes an outage, and a second reset before the first has replicated can leave DCs holding mismatched keys.
Monitor for failed authentication attempts after credential reset -- this may indicate additional compromised accounts or attacker attempts to regain access.
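The five Actions steps and the krbtgt gap described in the Notes, as one scripted pass. This is an added example, not code from the playbook: it resets the listed accounts with CSPRNG-generated passwords and writes an audit trail, revokes cloud sessions with `Revoke-MgUserSignInSession` (the Microsoft Graph replacement for the retired AzureAD cmdlet on the page), hunts SYSVOL for GPP `cpassword` entries, resets machine accounts remotely, and gates the krbtgt reset so the second pass is refused until the minimum gap has elapsed and every writable DC reports the same `PasswordLastSet`. It assumes the ActiveDirectory module run as Domain Admin on a domain-joined host, `repadmin.exe` on the path, and a Microsoft.Graph session with `User.RevokeSessions.All` for the cloud step; account names, paths and the 12-hour gap are placeholders.

```powershell
# Added example, not part of the playbook. Assumes ActiveDirectory module,
# Domain Admin rights, repadmin.exe, and a Microsoft.Graph session for the
# cloud step. Names, paths and the gap are placeholders.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, base64-encoded: 32 chars of mixed case,
    # digits and symbols. Works on Windows PowerShell 5.1 and PowerShell 7.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Invoke-CompromisedAccountReset {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [string]$LogPath = 'C:\IR\credential-reset.csv',
        [switch]$RequireChangeAtLogon,   # interactive users only, never service accounts
        [switch]$RevokeCloudSessions
    )
    foreach ($sam in $SamAccountName) {
        $user   = Get-ADUser -Identity $sam -Properties UserPrincipalName, PasswordLastSet
        $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        # -Reset sets the password without knowing the old one.
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
        if ($RequireChangeAtLogon) { Set-ADUser -Identity $user -ChangePasswordAtLogon $true }
        if ($RevokeCloudSessions -and $user.UserPrincipalName) {
            # Kills Entra ID refresh tokens and session cookies; already-issued
            # access tokens stay valid until they expire.
            Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null
        }
        [pscustomobject]@{
            Time                    = (Get-Date).ToString('o')
            Account                 = $sam
            PreviousPasswordLastSet = $user.PasswordLastSet
            CloudSessionsRevoked    = [bool]$RevokeCloudSessions
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

function Find-GppStoredCredential {
    # Step 4 check: GPP XML in SYSVOL still carrying a cpassword attribute.
    $sysvol = "\\$((Get-ADDomain).DNSRoot)\SYSVOL"
    Get-ChildItem -Path $sysvol -Recurse -Include *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword=' -List |
        Select-Object Path, LineNumber
}

function Reset-CompromisedMachineAccount {
    # Step 5: the cmdlet resets the secure channel of the host it runs on,
    # so it is invoked remotely on each compromised host.
    param([Parameter(Mandatory)][string[]]$ComputerName,
          [string]$DomainController = (Get-ADDomainController -Discover).HostName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Reset-ComputerMachinePassword -Server $using:DomainController
    }
}

function Invoke-KrbtgtReset {
    # One pass of the double reset. Refused if the writable DCs disagree on
    # krbtgt's PasswordLastSet (previous pass not yet replicated) or if less
    # than MinimumGap has passed since the previous pass.
    param(
        [timespan]$MinimumGap = (New-TimeSpan -Hours 12),
        [switch]$Force
    )
    $dcs  = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName
    $seen = foreach ($dc in $dcs) {
        (Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet
    }
    $distinct = @($seen | Sort-Object -Unique)
    if ($distinct.Count -gt 1 -and -not $Force) {
        throw "krbtgt PasswordLastSet differs across DCs ($($distinct -join ', ')); wait for replication."
    }
    $since = (Get-Date) - $distinct[0]
    if ($since -lt $MinimumGap -and -not $Force) {
        throw ("Last krbtgt reset was {0:N1}h ago; the second reset needs at least {1}h (use -Force to override)." -f $since.TotalHours, $MinimumGap.TotalHours)
    }
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure
    # Push the new key to every DC now instead of waiting for the replication cycle.
    foreach ($dc in $dcs) { repadmin /syncall $dc /AdeP | Out-Null }
    $now = Get-Date
    "krbtgt reset at $($now.ToString('o')); next reset allowed after $(($now + $MinimumGap).ToString('o'))"
}

# Usage (placeholder names):
# Invoke-CompromisedAccountReset -SamAccountName 'jdoe','svc-backup' -RevokeCloudSessions
# Find-GppStoredCredential
# Reset-CompromisedMachineAccount -ComputerName 'WS-0421'
# Invoke-KrbtgtReset   # first pass
# Invoke-KrbtgtReset   # second pass after the gap; refused if run too early
```

The krbtgt gate compares `PasswordLastSet` as seen from each writable DC rather than trusting a local timestamp, so an operator on a second shift cannot accidentally run the second pass early or while a DC still holds the old key; `-Force` exists only for a deliberate, documented override.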