Resetting passwords is typically the go-to reaction when a security breach is suspected. The logic is straightforward—changing login details rapidly blocks the intruder’s most direct way back into the system.
Yet, this step alone may not resolve the problem entirely. Within Active Directory (AD) and hybrid Entra ID setups, updating a password doesn’t instantly render the old one useless across every method of authentication.
Even a brief window gives potential attackers a chance to retain their access or regain entry.
For IT administrators and incident responders, that gap matters during breach response: a reset on its own does not evict an attacker who already holds a hash, a ticket or a session.
The password reset vulnerability
Windows machines cache a verifier of each domain user's password locally (the last 10 logons by default, set by CachedLogonsCount) so users can log on when no domain controller is reachable. That cache entry is only replaced when the user next logs on to that machine with the new password, so a laptop that has not seen the domain since the change still accepts the old password for offline logons. In hybrid setups there is also a short lag before the new password hash reaches Entra ID.
This situation creates three potential outcomes following a password change:
1. The user logs on to a machine with the new password while a domain controller is reachable. The cached verifier on that machine is overwritten and the old password stops working there.
2. The user has not logged on to a particular machine since the change. While that machine is offline, the old password still satisfies the cached verifier, and the cached hash can be cracked offline by anyone who has copied it.
3. In hybrid configurations the password was changed in AD but the new hash has not yet been synchronized to Entra ID. Until the sync completes, the old password still works for cloud sign-ins.
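As an added example, not code from the original article or from Specops, the following PowerShell reads the two Windows settings that decide how long an old password keeps working on-premises after a change: the workstation's cached-logon count, and the domain controllers' NTLM grace period (OldPasswordAllowedPeriod under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which Microsoft documents in KB906305 as defaulting to 60 minutes). The domain controller name is a placeholder.

```powershell
# Added example (not Specops code). Reports how long the previous password stays
# usable, and lets you shorten the NTLM grace period. 'DC01' is an assumed name.

function Get-StaleCredentialWindow {
    [CmdletBinding()]
    param(
        # Domain controller to query for the NTLM grace period (assumed name)
        [string]$DomainController = 'DC01'
    )

    # 1. Cached domain logons on this workstation. Default is 10; 0 disables the
    #    cache so the old password cannot be used for offline logon at all.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # absent value means the OS default applies

    # 2. NTLM grace period on the DC. After a password change the DC keeps accepting
    #    the previous password for NTLM *network* logons for this many minutes
    #    (default 60 when the value is absent, per KB906305). Interactive logons
    #    are not covered by the grace period.
    $grace = Invoke-Command -ComputerName $DomainController -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name OldPasswordAllowedPeriod -ErrorAction SilentlyContinue).OldPasswordAllowedPeriod
    }
    if ($null -eq $grace) { $grace = 60 }

    [pscustomobject]@{
        Host                      = $env:COMPUTERNAME
        DomainController          = $DomainController
        CachedLogonsCount         = [int]$cached
        OldPasswordAllowedMinutes = [int]$grace
        Findings                  = @(
            if ([int]$cached -gt 0) { "old password still valid for offline logon on this host (cache of $cached logons)" }
            if ([int]$grace -gt 0)  { "old password accepted for NTLM network logon for $grace min after a change" }
        )
    }
}

# Hardening: set the grace period explicitly on every DC. 0 rejects the old
# password for NTLM network logons immediately after the change.
function Set-NtlmOldPasswordPeriod {
    param(
        [Parameter(Mandatory)] [string[]]$DomainControllers,
        [int]$Minutes = 0
    )
    Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
        New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name OldPasswordAllowedPeriod -PropertyType DWord `
            -Value $using:Minutes -Force | Out-Null
    }
}

Get-StaleCredentialWindow -DomainController 'DC01' | Format-List
```

Both queries need WinRM access to the domain controller. Run the first function on a sample of workstations (laptops in particular) to see how many still allow ten offline logons with a password that has already been reset.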
Verizon’s Data Breach Investigations Report reveals stolen credentials play a role in 44.7% of security breaches.
How intruders exploit this vulnerability
Stored credentials
Intruders who have already captured a credential can keep using it without the password. An NT hash lifted from LSASS memory on a compromised host can be replayed with pass-the-hash, and domain controllers keep accepting the previous password for NTLM network logons for a grace period after a change (60 minutes by default, controlled by OldPasswordAllowedPeriod under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). The cached domain credential on a workstation (the DCC2 verifier) cannot be passed, but it still lets the old password log on while the host is offline and can be cracked offline at leisure. If the hash was obtained before the reset, changing the password does not immediately deactivate it everywhere.
Minimizing this exposure is essential for protecting AD environments. Tools like Specops uReset allow secure self-service password resets by verifying user identity before proceeding, which helps prevent reset manipulation.
When used alongside the Specops Client, uReset can instantly refresh the local credential cache on the device used for the reset, eliminating the period where the old hash remains exploitable on that machine.
This does not remove every window in which old credentials linger, but it significantly lowers risk on the devices that are most exposed: company laptops and remote endpoints that rarely reconnect to the domain.

Live sessions
AD authentication relies mostly on Kerberos tickets, and a ticket is valid until it expires: a ticket-granting ticket (TGT) lasts 10 hours by default and can be renewed for up to 7 days, and service tickets last 10 hours. Whoever holds a valid ticket, legitimate user or intruder, keeps reaching resources without presenting a password again.
The KDC never re-checks the password when a ticket is used. The only server-side check is that, for a TGT more than 20 minutes old, it refuses to issue service tickets to an account that has since been disabled, expired or locked out; a password change is not one of those conditions. So an intruder with a live session stays authenticated after the password is updated, often long enough to establish deeper persistence or move laterally.
Unless those sessions are deliberately destroyed, by logging the user off, restarting the host or purging the ticket cache (klist purge clears only the calling logon session's cache), access persists well past the password change.
Service accounts
Unlike regular user accounts, service accounts frequently carry passwords that rarely change, often with high privileges on critical systems. Any domain user can request a service ticket for an account that has a Service Principal Name and crack it offline (Kerberoasting); tickets issued with RC4 keys crack far faster than AES ones. Attackers also find service passwords in scripts, configuration files and scheduled tasks while moving through the network.
Because these accounts back running services, they are unlikely to be rotated promptly, particularly if doing so risks downtime. That makes them a dependable fallback for attackers once their original entry point is closed.
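The inventory a defender needs before rotating service accounts, as an added example that is not part of the original article or Specops' tooling: every user account with an SPN, flagged where it is Kerberoastable with RC4 keys, privileged, or carrying a password older than a threshold. The age threshold is an assumption; set it to your own policy.

```powershell
# Added example (not Specops code): list Kerberoastable accounts and the
# properties that make each one worth rotating first.
Import-Module ActiveDirectory

function Get-KerberoastableAccount {
    param(
        # Assumption: a service password older than this is treated as stale
        [int]$MaxPasswordAgeDays = 365
    )
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    # Only user objects with an SPN can be Kerberoasted; computer accounts have
    # long random passwords and are left out. krbtgt is excluded as a special case.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName,
        PasswordLastSet, AdminCount, 'msDS-SupportedEncryptionTypes', PasswordNeverExpires |
      Where-Object { $_.SamAccountName -ne 'krbtgt' } |
      ForEach-Object {
        # Bits 0x8 (AES128) and 0x10 (AES256). Absent or zero means the KDC issues
        # RC4 service tickets for this account, which crack far faster than AES.
        $enc = $_.'msDS-SupportedEncryptionTypes'
        $aes = ($null -ne $enc) -and (($enc -band 0x18) -ne 0)

        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            Enabled              = $_.Enabled
            Privileged           = ($_.AdminCount -eq 1)
            AesKeys              = $aes
            PasswordLastSet      = $_.PasswordLastSet
            PasswordNeverExpires = $_.PasswordNeverExpires
            SPNs                 = ($_.ServicePrincipalName -join ';')
            Risk                 = @(
                if (-not $aes)                      { 'rc4' }
                if ($_.AdminCount -eq 1)            { 'privileged' }
                if ($_.PasswordLastSet -lt $cutoff) { 'stale-password' }
            ) -join ','
        }
      } | Sort-Object Privileged, AesKeys -Descending
}

Get-KerberoastableAccount -MaxPasswordAgeDays 180 | Format-Table -AutoSize
```

Accounts that show up as privileged with RC4 keys and a stale password are the ones an attacker would have roasted first, so rotate those before the rest. Moving to AES keys and a group-managed service account (where the service supports it) removes the account from this list for good.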
Ticket-based attacks
As discussed earlier, environments using the Kerberos authentication protocol grant access through tickets, not repeated password verification. If an intruder can forge these tickets, they don’t need legitimate credentials whatsoever.
A Golden Ticket is a forged TGT signed with the KRBTGT account's key, which an attacker obtains by dumping it from a domain controller (for example with replication rights via DCSync, or from a copy of NTDS.dit). With that key they can mint TGTs for any user in the domain, including accounts that do not exist. A Silver Ticket is narrower: a forged service ticket signed with a service account's key (often a computer account's), which grants access to that one service without ever contacting a domain controller.
Either way, these methods bypass password updates entirely. Changing user passwords does nothing to forged tickets; they stay valid until the key they were signed with is rotated, KRBTGT for Golden Tickets and the service account for Silver Tickets.
Permissions
AD enforces permissions through Access Control Lists (ACLs) on every object. If an intruder grants an account they control (a compromised one or a freshly created one) rights such as Reset Password, GenericAll or WriteDacl over other users, groups or OUs, they have planted a hidden door back in. Those ACEs survive any number of password changes.
Moreover, members of protected groups (Domain Admins, Enterprise Admins, Administrators and others) do not keep their own ACLs: the SDProp process overwrites them with the ACL of the AdminSDHolder object, by default every 60 minutes. An attacker who adds an ACE to AdminSDHolder therefore gets that permission re-applied automatically to every protected account, even after a defender removes it from the accounts themselves.
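One way to audit for exactly this persistence, as an added example and not code from the original article or from Specops: enumerate the ACEs on AdminSDHolder and on a user OU that allow resetting passwords (the User-Force-Change-Password extended right, GUID 00299570-246d-11d0-a768-00aa006e0529, or a right that implies it such as GenericAll, WriteDacl or WriteOwner), and report any trustee that is not on an expected list. The expected-trustee list and the OU name are assumptions for illustration.

```powershell
# Added example (not Specops code): who can reset passwords on AdminSDHolder
# and on an OU, minus the trustees you expect to see there.
Import-Module ActiveDirectory

# Extended-right GUID for User-Force-Change-Password ("Reset Password" in the GUI).
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# An ExtendedRight ACE with an all-zero ObjectType grants every extended right.
$AllRightsGuid     = [guid]'00000000-0000-0000-0000-000000000000'
$Adr = [System.DirectoryServices.ActiveDirectoryRights]

function Get-PasswordResetGrantee {
    param(
        [Parameter(Mandatory)] [string]$DistinguishedName,
        # Assumption: trustees considered normal; adjust to your environment
        [string[]]$ExpectedTrustee = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                      'Domain Admins', 'Enterprise Admins')
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $grantsReset =
            ($rights.HasFlag($Adr::ExtendedRight) -and
                ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq $AllRightsGuid)) -or
            $rights.HasFlag($Adr::GenericAll) -or
            $rights.HasFlag($Adr::WriteDacl) -or     # can grant itself Reset Password
            $rights.HasFlag($Adr::WriteOwner)        # can take ownership, then rewrite the DACL
        if (-not $grantsReset) { continue }

        $who = $ace.IdentityReference.Value
        $expected = $ExpectedTrustee | Where-Object { $who -like "*$_" }
        [pscustomobject]@{
            Object     = $DistinguishedName
            Trustee    = $who
            Rights     = $rights.ToString()
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
            Expected   = [bool]$expected
        }
    }
}

$domainDn = (Get-ADDomain).DistinguishedName

# AdminSDHolder first: anything unexpected here is copied to every protected
# account by SDProp on its next run.
Get-PasswordResetGrantee -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDn" |
    Where-Object { -not $_.Expected } | Format-Table -AutoSize

# Then an OU that holds ordinary users ('OU=Staff' is an assumed name).
Get-PasswordResetGrantee -DistinguishedName "OU=Staff,$domainDn" |
    Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run the same function over every OU and over the domain root, and treat WriteDacl and WriteOwner as seriously as an explicit Reset Password right: a trustee with either can give itself the reset right whenever it wants. Compare the output against a baseline taken before the incident, because the default AdminSDHolder ACL contains several legitimate entries that this simple allow-list does not cover.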
How to guarantee attackers are eliminated
The lag between a password change in AD and its arrival in Entra ID is short. Entra Connect synchronizes password hashes on its own cycle of roughly every two minutes, independent of the directory sync scheduler, which runs every 30 minutes by default and can be forced with Start-ADSyncSyncCycle -PolicyType Delta on the Entra Connect server (that is what carries a disabled-account state to the cloud). Either way the hybrid window is a few minutes at most.
Nevertheless, the gap exists, and by the time an account breach is spotted, attackers have usually carved out extra footholds. Since a password change is not sufficient by itself, defenders must close every access channel.
First step: cut off everything currently in progress. Disable the account as you reset it, so the KDC stops issuing new service tickets for it, and destroy live sessions and the Kerberos tickets they hold by forcing logoffs or restarts on affected systems; a password reset alone invalidates no ticket. For a serious breach, reset the KRBTGT account twice, letting replication complete between the two resets: domain controllers accept tickets signed with the previous KRBTGT key as well as the current one, so a single reset leaves forged tickets valid. Outside an active intrusion, wait a full TGT lifetime (10 hours) between the resets to avoid breaking legitimate sessions.
Next, extend credential cleanup beyond ordinary user accounts. Rotate service account passwords, especially those with elevated rights or an SPN. Cached domain credentials on workstations are replaced only when the user next logs on to that machine with the new password, so a device that stays offline keeps the old verifier until then; reduce CachedLogonsCount where offline logon is not needed.
Equally critical is auditing any changes within the directory. This involves checking:
- Group memberships
- Delegated permissions and ACLs
- Privileged accounts and roles
Search for anything that might enable access to be restored without depending on a password.
For significant breaches, no single measure ensures complete eviction. Effective removal combines session termination, credential rotation, and verification that no concealed entry points linger.
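The eviction sequence described above and in the Live sessions section, as an added example that is not code from the original article or from Specops: disable and reset the account, log it off the hosts it has touched (or restart them, since services and scheduled tasks running as the user hold their own logon sessions), push the change to Entra ID, and rotate KRBTGT twice. Host names are placeholders; the Entra steps assume the Entra Connect and Microsoft.Graph modules are present on the machine you run this from.

```powershell
# Added example (not Specops code): evict one compromised user account.
# Order matters: stop new logons first, kill what is already running, then
# push the change to the cloud. Names below are assumptions.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 random bytes, base64-encoded: works on Windows PowerShell 5.1 and 7
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Invoke-UserEviction {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [string[]]$Hosts = @(),        # machines where the account has or had sessions
        [switch]$Restart,              # reboot hosts instead of logging the user off
        [switch]$RevokeEntraSessions   # needs Connect-MgGraph -Scopes User.RevokeSessions.All
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet

    # 1. Stop new authentications. Disabling matters because the KDC re-checks
    #    account status on service-ticket requests for TGTs older than 20 minutes;
    #    a password change on its own is never re-checked.
    Disable-ADAccount -Identity $user
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (New-RandomPassword)
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # 2. Destroy live sessions. Tickets live in the logon session that obtained
    #    them (10 h TGT lifetime by default), so logoff or restart is what kills them.
    foreach ($h in $Hosts) {
        if ($Restart) { Restart-Computer -ComputerName $h -Force; continue }
        Invoke-Command -ComputerName $h -ArgumentList $SamAccountName -ScriptBlock {
            param($sam)
            # quser columns: USERNAME SESSIONNAME ID STATE IDLE LOGON TIME; the
            # session name is blank for disconnected sessions, so take the first
            # purely numeric field as the session ID.
            quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
                $f = ($_ -replace '^>', '') -split '\s+' | Where-Object { $_ }
                if ($f[0] -ieq $sam) {
                    $id = $f | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
                    if ($id) { logoff $id }
                }
            }
        }
    }

    # 3. Hybrid: replicate the disabled state now (the password hash itself
    #    travels on Entra Connect's separate two-minute loop) and revoke refresh
    #    tokens so Entra-issued sessions cannot be renewed.
    if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    }
    if ($RevokeEntraSessions) {
        Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null
    }

    [pscustomobject]@{
        User           = $user.SamAccountName
        DisabledAt     = Get-Date
        PreviousPwdSet = $user.PasswordLastSet
        HostsHandled   = $Hosts
    }
}

# Domain-wide: forged tickets survive user resets, so rotate KRBTGT twice. The KDC
# honours the previous key as well, which is why one reset is not enough. Wait for
# replication in an active intrusion; wait a full 10 h TGT lifetime otherwise.
function Reset-KrbtgtTwice {
    param([int]$WaitSeconds = 900)   # assumption: enough for replication in this forest
    foreach ($i in 1..2) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
        if ($i -eq 1) {
            repadmin /syncall /AdeP | Out-Null
            Start-Sleep -Seconds $WaitSeconds
        }
    }
}

Invoke-UserEviction -SamAccountName 'jdoe' -Hosts 'WS-042', 'SRV-FILE01' -RevokeEntraSessions
```

The function handles interactive and RDP sessions; anything the attacker left running as a service or scheduled task under that account survives a logoff, which is what the -Restart switch is for. Run the ACL and group-membership audit afterwards, because none of the steps above removes a permission the attacker granted themselves.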
Protect your AD today
Reinforcing your AD requires that every account use a strong password, paired with a secure reset process that minimizes the window in which the old credential can still be exploited.
Specops assists with both tasks, ensuring your password changes actually improve security rather than create fresh vulnerabilities.
Book a demo to discover how our solutions can bolster your identity security approach.
Sponsored and written by Specops Software.