Resetting compromised passwords fails to evict attackers from Active Directory environments because cached credentials and Kerberos tickets persist after password changes, according to Specops Software.
When an Active Directory account password is reset, the change does not automatically invalidate existing authentication tokens. Attackers who have already obtained valid Kerberos tickets retain access to domain resources until those tickets expire, and Kerberos tickets have a default lifetime of 10 hours, which domain policy can extend. Cached credentials stored locally on compromised systems also remain valid after a password reset, so attackers can keep moving laterally across the network.
This creates a critical window of vulnerability for organisations responding to breaches. Security teams who discover compromised Active Directory accounts and immediately reset passwords believe they have severed attacker access. In practice, the attacker continues operating within the network using existing Kerberos tickets and cached credential material.
Attackers exploit this timing gap to move laterally, escalate privileges, and establish persistence mechanisms before defenders fully contain the breach. The attacker can access shared network resources, move between systems, and plant backdoors while tooling that judges remediation solely by whether the password was reset reports the account as contained.
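The gap described above is visible in the domain controller's Security log: a password reset is recorded as event 4724, and any Kerberos ticket activity for the same account after that moment is the residual access the reset did not remove. The script below, an added example that is not code from the article or from Specops, finds the most recent reset for an account and lists the Kerberos events that follow it. It assumes it is run on a domain controller with read access to the Security log; the account name and look-back window are placeholders.

```powershell
# Added example (not from the article or Specops): find Kerberos activity by an
# account AFTER its password was reset. Run on a domain controller.
# $Account and $LookBackHours are placeholders.

param(
    [string]$Account       = 'jdoe',   # placeholder: the account that was reset
    [int]   $LookBackHours = 24        # how far back to look for the reset event
)

# Read one named field from an event's EventData by its Name attribute. This is
# more robust than positional $Event.Properties[n] indices, which differ per event ID.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4769 records the principal as user@REALM, 4768 as the bare name; match both.
$acctPattern = '^' + [regex]::Escape($Account) + '(@|$)'

# Step 1: the most recent 4724 (an administrator reset the account's password).
$since = (Get-Date).AddHours(-$LookBackHours)
$reset = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account } |
    Sort-Object TimeCreated |
    Select-Object -Last 1

if (-not $reset) {
    Write-Warning "No 4724 password-reset event for '$Account' in the last $LookBackHours hours on this DC."
    return
}
Write-Host ("Password for {0} reset at {1} by {2}" -f $Account, $reset.TimeCreated, (Get-EventField $reset 'SubjectUserName'))

# Step 2: Kerberos traffic for the account AFTER the reset.
#   4769 (service ticket requested) = a TGT issued before the reset is still in use;
#   4768 (TGT requested)            = someone authenticated with the NEW password
#                                     (or, with a non-zero Status, tried and failed).
$residual = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $reset.TimeCreated } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -match $acctPattern } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Kind    = if ($_.Id -eq 4769) { 'ServiceTicket (pre-reset TGT still live)' } else { 'TGT request (new credential)' }
            Client  = Get-EventField $_ 'IpAddress'
            Service = Get-EventField $_ 'ServiceName'
            Status  = Get-EventField $_ 'Status'    # 0x0 = success
        }
    }

if ($residual) {
    Write-Host "Kerberos activity for $Account after the reset (tickets still live):"
    $residual | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No Kerberos activity for $Account after the reset on this DC."
}
```

Tickets can be requested from any domain controller, so run this against every DC (or against the SIEM that collects their Security logs) rather than one; the `Client` column is where to start when deciding which hosts need their sessions terminated.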
Effective remediation requires additional steps beyond password reset. Organisations must revoke Kerberos tickets by resetting the krbtgt account password, which forces all Kerberos tickets to become invalid. Clearing cached credentials from affected workstations prevents attackers from using stored material. Session termination across all domain-joined systems removes active connections tied to compromised accounts.
Active Directory breaches demand comprehensive incident response that treats password reset as one step in a multi-layered containment strategy. Organisations using legacy detection approaches that rely solely on password metrics miss the window where attackers maintain full network access. Teams should implement concurrent actions including krbtgt resets, credential cache clearing, session term
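The containment steps the text lists (password reset, krbtgt reset, cached credential clearing, session termination) can be driven from one administrative PowerShell session. The script below is an added example and is not the article's or Specops' code; it assumes the RSAT ActiveDirectory module, Domain Admin rights and WinRM access to the hosts listed, and the account and host names are placeholders.

```powershell
# Added example (not from the article or Specops): contain a compromised AD
# account beyond the password reset. Assumes RSAT ActiveDirectory, Domain Admin
# rights and WinRM to $Hosts. Account and host names are placeholders.

Import-Module ActiveDirectory

$Account = 'jdoe'                                      # placeholder: compromised account
$Hosts   = @('WS-FIN-01', 'WS-FIN-02', 'SRV-FILE-01')  # placeholder: hosts where it was active

function New-RandomPassword {
    # 32 printable ASCII characters; a throwaway value the user must change anyway.
    -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
}

# 1. Disable, then reset. A disabled account is refused NEW tickets, but every
#    ticket already in an attacker's hands keeps working until it expires.
Disable-ADAccount -Identity $Account
Set-ADAccountPassword -Identity $Account -Reset -NewPassword (ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force)
Set-ADUser -Identity $Account -ChangePasswordAtLogon $true

# 2. On each host: log the account's sessions off, which destroys the logon
#    sessions holding its tickets and in-memory secrets, then purge the SYSTEM
#    session's ticket cache (logon id 0x3e7), where service and scheduled-task
#    tickets live. Rebooting is the blunt alternative when sessions cannot be enumerated.
Invoke-Command -ComputerName $Hosts -ArgumentList $Account -ScriptBlock {
    param([string]$User)
    # quser lines: [>]USERNAME [SESSIONNAME] ID STATE ...; capture the numeric ID.
    $pattern = '^\s*>?' + [regex]::Escape($User) + '\s+(?:\S+\s+)?(\d+)\s+'
    quser 2>$null | ForEach-Object {
        if ($_ -match $pattern) { logoff $Matches[1] }
    }
    klist -li 0x3e7 purge | Out-Null
    "$($env:COMPUTERNAME): sessions for $User logged off, SYSTEM ticket cache purged"
}

# 3. krbtgt reset. TGTs are encrypted with the krbtgt key, so changing it
#    invalidates them once replicated. The KDC still honours tickets issued under
#    the PREVIOUS key (password history), so the reset must be done twice, with at
#    least the maximum TGT lifetime (10 h by default) plus replication time in
#    between; doing both at once forces every client to re-authenticate simultaneously.
#    Service tickets already issued are encrypted with the service's own key, not
#    krbtgt's, and stay valid until expiry, which is why step 2 is still required.
function Reset-KrbtgtKey {
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force)
    (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
}
Reset-KrbtgtKey        # first reset now
# Reset-KrbtgtKey      # second reset after the wait; schedule it, do not skip it

# 4. On-disk cached logon verifiers (for offline logon) are governed by
#    CachedLogonsCount; report the current value so hosts keeping them can be
#    reviewed (0 disables local caching entirely).
Invoke-Command -ComputerName $Hosts -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $val = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    "$($env:COMPUTERNAME): CachedLogonsCount=$val"
}
```

The order matters: disabling before resetting closes the account to new logons while the reset is replicating, and the per-host session termination is what actually removes the tickets the article warns about, since neither step 1 nor step 3 touches a ticket that is already held. For the krbtgt double reset with replication checks between the two rounds, Microsoft publishes a dedicated script, New-KrbtgtKeys.ps1, which is the safer choice in a large domain than the two bare calls shown here.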
