Mass Credential Reset and Session Invalidation
Eradication | P1 | 90 min
IR Analyst
Reset all compromised credentials, invalidate active sessions, and rotate service account passwords. For Active Directory environments, perform krbtgt double-reset to invalidate all Kerberos tickets.
Actions
1. Reset passwords for all confirmed compromised accounts, using a strong, unique password for each: `Set-ADAccountPassword -Identity USERNAME -Reset -NewPassword (ConvertTo-SecureString "NEW_COMPLEX_PASSWORD" -AsPlainText -Force)`.
2. Perform the krbtgt account double-reset (with a 12+ hour gap between the two resets) to invalidate all existing Kerberos tickets: use `Reset-KrbtgtKeyInteractive`, or manually run `Set-ADAccountPassword -Identity krbtgt -Reset`. Document the time of each reset.
3. Revoke all cloud sessions: run `Revoke-AzureADUserAllRefreshToken -ObjectId USER_OBJECT_ID` for each compromised user. Also revoke OAuth app consents with `Remove-AzureADOAuth2PermissionGrant`.
4. Rotate all service account passwords and API keys that may have been exposed. Check for stored credentials in scripts, Group Policy Preferences, and configuration files.
5. Reset machine account passwords for compromised systems: `Reset-ComputerMachinePassword -Server DOMAIN_CONTROLLER` (run it locally on each affected system; the cmdlet resets the account of the computer it executes on).
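Step 1 applied across a list of accounts, as an added example that is not the playbook's own code (the `New-RandomPassword` helper, the sample account names and the `C:\IR` log path are assumptions):

```powershell
# Added example, not part of the playbook: bulk-reset confirmed-compromised AD
# user accounts (step 1) with generated 24-character passwords, force a change
# at next logon, verify the reset through PasswordLastSet, and record reset
# times for the incident log. Assumes the RSAT ActiveDirectory module and a
# privileged session; $compromised and $logPath are CONSTRUCTED placeholders.
Import-Module ActiveDirectory

$compromised = @('jdoe', 'asmith')      # constructed sample; use the confirmed list
$logPath     = "C:\IR\credential-reset-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

function New-RandomPassword {
    param([int]$Length = 24)
    # Printable ASCII 0x21-0x7E drawn from a CSPRNG; retry until the candidate
    # holds upper, lower, digit and symbol so it satisfies domain complexity.
    $alphabet = [char[]](33..126 | ForEach-Object { [char]$_ })
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d' -and $candidate -match '[^A-Za-z0-9]')
    return $candidate
}

$results = foreach ($name in $compromised) {
    if ($name -ieq 'krbtgt') { continue }   # krbtgt gets the separate double-reset (step 2)
    $before = (Get-ADUser -Identity $name -Properties PasswordLastSet).PasswordLastSet
    # The plaintext is never written anywhere; the user obtains a new credential
    # through the identity-verified help desk process (assumed).
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    try {
        Set-ADAccountPassword -Identity $name -Reset -NewPassword $secure -ErrorAction Stop
        Set-ADUser -Identity $name -ChangePasswordAtLogon $true -ErrorAction Stop
        $after  = (Get-ADUser -Identity $name -Properties PasswordLastSet).PasswordLastSet
        $status = if ($after -gt $before) { 'Reset' } else { 'Unverified' }
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Account  = $name
        ResetUtc = (Get-Date).ToUniversalTime().ToString('o')
        Status   = $status
    }
}
# The CSV holds account, timestamp and outcome only; it is the "document reset
# times" record the playbook asks for.
$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Format-Table -AutoSize
```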
Queries
```kql
// Verify account status
IdentityInfo
| where AccountName in~ (COMPROMISED_ACCOUNTS)
| project AccountName, AccountDomain, IsAccountEnabled, PasswordLastSet, LastLogonTimestamp
```
```kql
// Monitor for successful logins after reset (should be none); ResultType is a string column
SigninLogs
| where TimeGenerated > ago(1h)
| where UserPrincipalName in~ (RESET_ACCOUNTS)
| where ResultType == "0"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location
```
```kql
// Track password resets
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName == "Reset password" or OperationName == "Change password"
| project TimeGenerated, InitiatedBy, TargetResources
| order by TimeGenerated desc
```
Notes
- The krbtgt double-reset must be done with a 12-24 hour gap between resets. The first reset invalidates current tickets; the second reset, after the gap, removes the original key from the krbtgt password history once replication has completed, so tickets encrypted with it can no longer be validated.
- Monitor for failed authentication attempts after the credential reset: they may indicate additional compromised accounts or attacker attempts to regain access.