Active Directory Persistence Risks Beyond Password Resets in Hybrid Environments
Summary
Active Directory (AD) and hybrid Entra ID environments carry credential caches, session state and authorization grants that a password reset does not touch, so an attacker can keep or regain access after the reset. Windows endpoints keep a cached domain logon verifier (DCC2) for offline logon and, for the lifetime of an interactive session, the account's NT hash in LSASS; an NT hash captured before the reset can still be replayed with pass-the-hash against NTLM network logons for the configurable grace period in which domain controllers accept the old password (OldPasswordAllowedPeriod, 60 minutes by default) and against any DC the reset has not yet replicated to. Kerberos tickets issued before the reset stay valid until they expire or can no longer be renewed, because a TGT is sealed with the krbtgt key rather than the user's key, so active sessions keep working. In hybrid deployments, the delay before Password Hash Sync pushes the new hash to Entra ID (about two minutes by default, longer if the connect server is behind) leaves a window in which the old password still authenticates to the cloud. Forged tickets such as Golden Tickets (signed with the krbtgt key) and Silver Tickets (signed with a service account's key) are unaffected by user password resets and fall only to a reset of the key they are signed with, twice with replication in between in the case of krbtgt. Finally, rights added through ACL modifications, including to the AdminSDHolder template that SDProp copies to every protected account, are authorization backdoors that no credential rotation removes.
Timeline
- 11.05.2026 16:53 (1 article)
Password resets fail to fully remove AD persistence without additional remediation
Password resets in Active Directory and Entra ID environments do not invalidate cached credentials, Kerberos tickets already issued, or forged authentication artifacts, so an attacker can keep or re-establish access after the reset. Attackers exploit local credential caching, Kerberos ticket lifetimes, and the synchronization delay between AD and Entra ID to outlast the password change. Persistence also survives through rights granted by ACL or AdminSDHolder manipulation and through rarely rotated service account credentials.
Sources:
- Why Changing Passwords Doesn’t End an Active Directory Breach — www.bleepingcomputer.com — 11.05.2026 16:53
Information Snippets
- Windows endpoints keep a cached domain logon verifier (DCC2, up to CachedLogonsCount entries, 10 by default) so users can log on while no domain controller is reachable, and LSASS holds the account's NT hash for as long as an interactive session lives. A password reset on the domain controller touches neither copy, so the old material stays on every endpoint the account logged on to until those sessions end and the user logs on again with the new password.
First reported: 11.05.2026 16:53 (1 source, 1 article). Sources:
- Why Changing Passwords Doesn’t End an Active Directory Breach — www.bleepingcomputer.com — 11.05.2026 16:53
- In hybrid AD-Entra ID environments using Password Hash Synchronization, the new hash reaches Entra ID only on the next hash sync (every two minutes by default, longer if the connect server is behind or a sync cycle fails), so the old password keeps authenticating to cloud resources until then. Refresh tokens and sessions already issued to the account are a separate matter and should be revoked explicitly rather than left to the reset.
First reported: 11.05.2026 16:53 (1 source, 1 article). Sources:
- Why Changing Passwords Doesn’t End an Active Directory Breach — www.bleepingcomputer.com — 11.05.2026 16:53
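The following PowerShell script is an added example, not code from the article or from Microsoft: it checks whether a reset made in AD has reached Entra ID by comparing the two password timestamps, and revokes the user's cloud sessions regardless of the outcome. It assumes the RSAT ActiveDirectory and Microsoft.Graph modules, an interactive Connect-MgGraph with User.ReadWrite.All, and a placeholder UPN.

```powershell
# Added example (not from the article): confirm that an AD password reset has
# propagated to Entra ID via Password Hash Sync, and cut the cloud session side.
# Assumptions: RSAT ActiveDirectory and Microsoft.Graph modules installed, an
# interactive Connect-MgGraph with User.ReadWrite.All, and a placeholder UPN.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
param([string]$Upn = 'jdoe@contoso.example')   # placeholder

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$ad    = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties PasswordLastSet
$cloud = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, LastPasswordChangeDateTime,
                                           OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

$adResetUtc = $ad.PasswordLastSet.ToUniversalTime()
$cloudUtc   = if ($cloud.LastPasswordChangeDateTime) { $cloud.LastPasswordChangeDateTime.ToUniversalTime() } else { $null }

# If Entra's password-change time is at or after the AD reset, the new hash has
# arrived. PHS pushes hashes every 2 minutes by default, so a gap of a few
# minutes is normal; anything longer means the old password still works in the cloud.
$synced = $cloudUtc -and ($cloudUtc -ge $adResetUtc)

[pscustomobject]@{
    Upn                     = $Upn
    SyncedFromOnPrem        = $cloud.OnPremisesSyncEnabled
    AdPasswordLastSetUtc    = $adResetUtc
    EntraPasswordChangedUtc = $cloudUtc
    EntraLastSyncUtc        = $cloud.OnPremisesLastSyncDateTime
    NewHashInEntra          = [bool]$synced
} | Format-List

if (-not $synced) {
    $minutes = [int]((Get-Date).ToUniversalTime() - $adResetUtc).TotalMinutes
    Write-Warning "Entra ID has not seen the new password yet ($minutes min since the AD reset)."
    Write-Warning "Force a sync on the connect server if needed: Start-ADSyncSyncCycle -PolicyType Delta"
}

# Do not rely on the reset to end cloud sessions: revoke the user's refresh
# tokens and sign-in sessions explicitly so existing tokens cannot be renewed.
$result = Revoke-MgUserSignInSession -UserId $cloud.Id
Write-Host "Revoked sign-in sessions for $Upn (result: $($result.Value))"
```

Run it once immediately after the reset and again a few minutes later; the second run should report NewHashInEntra as True.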
- Kerberos tickets issued before a password reset remain valid until they expire (10 hours for a TGT by default, renewable for up to 7 days), because a TGT is encrypted with the krbtgt key rather than the user's key. An attacker holding an active logon session or an exported ticket keeps service access for that window, and one who holds the krbtgt key can forge a Golden Ticket that no user reset affects; only resetting krbtgt twice invalidates it. Disabling the compromised account closes the window faster than a reset alone, since the KDC re-checks account status when a TGT older than 20 minutes is presented.
First reported: 11.05.2026 16:53 (1 source, 1 article). Sources:
- Why Changing Passwords Doesn’t End an Active Directory Breach — www.bleepingcomputer.com — 11.05.2026 16:53
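As an added example (not from the article), the script below reads the domain's effective Kerberos policy from a domain controller, computes how long tickets issued just before a reset can remain usable, and reports the krbtgt key state that bounds Golden Ticket validity. It assumes it is run on a DC with the RSAT ActiveDirectory module; the reset time is a placeholder parameter.

```powershell
# Added example (not from the article): bound the lifetime of tickets issued
# before a reset using the domain's real Kerberos policy, and show the krbtgt
# key state. Assumptions: run on a domain controller (secedit exports the
# effective policy), ActiveDirectory module present, placeholder reset time.
#Requires -Modules ActiveDirectory
param([datetime]$ResetTime = (Get-Date))

# Export the effective security policy and read the [Kerberos Policy] section.
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
$pol = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Kerberos Policy'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') { $pol[$Matches[1]] = [int]$Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$tgtHours   = if ($pol.MaxTicketAge)  { $pol.MaxTicketAge }  else { 10 }   # hours
$renewDays  = if ($pol.MaxRenewAge)   { $pol.MaxRenewAge }   else { 7 }    # days
$svcMinutes = if ($pol.MaxServiceAge) { $pol.MaxServiceAge } else { 600 }  # minutes

# A TGT is sealed with the krbtgt key, not the user's key, so the user reset
# does not touch it. Worst case: a TGT issued just before the reset is renewed
# until MaxRenewAge, and a service ticket obtained with it lives MaxServiceAge.
[pscustomobject]@{
    ResetTime                  = $ResetTime
    UnrenewedTgtExpiresBy      = $ResetTime.AddHours($tgtHours)
    RenewedTgtExpiresBy        = $ResetTime.AddDays($renewDays)
    LastServiceTicketExpiresBy = $ResetTime.AddDays($renewDays).AddMinutes($svcMinutes)
} | Format-List

# Golden Tickets are signed with the krbtgt key, so their validity is bounded by
# that account's key, not by any user reset. Two resets with replication between
# them are needed because the KDC still accepts the previous krbtgt key.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
[pscustomobject]@{
    KrbtgtPasswordLastSet = $krbtgt.PasswordLastSet
    KrbtgtKeyVersion      = $krbtgt.'msDS-KeyVersionNumber'
    KrbtgtAgeDays         = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
} | Format-List

# On a host where the compromised account still has a session, purge its ticket
# cache so an attacker riding that logon session must re-authenticate:
#   klist purge                 (in the user's own session)
#   klist -li 0x3e7 purge       (the SYSTEM logon session)
```

The dates it prints are the earliest points at which pre-reset tickets can no longer be used; until RenewedTgtExpiresBy, treat any activity from the account as potentially the attacker's old session.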
- An NT hash captured before the reset (from LSASS, a credential dump, or a network capture) can still be used for pass-the-hash: NTLM network logons with the old password are accepted for the OldPasswordAllowedPeriod grace window (60 minutes by default) and by any domain controller the reset has not yet replicated to. The on-disk DCC2 cache entry cannot be passed, only cracked offline, which is how it yields the old cleartext password and any others the user reused.
First reported: 11.05.2026 16:53 (1 source, 1 article). Sources:
- Why Changing Passwords Doesn’t End an Active Directory Breach — www.bleepingcomputer.com — 11.05.2026 16:53
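The script below is an added example (not from the article) that serves both the cached-credential snippet above and this pass-the-hash snippet: after a reset it reports the NTLM old-password grace window on each DC, and on each endpoint how many domain logons are cached, whether the account had interactive logons that populate that cache, and whether it is still logged on. It assumes the RSAT ActiveDirectory module, PowerShell Remoting to the targets, and placeholder account and host names.

```powershell
# Added example (not from the article): after resetting a compromised account,
# find which hosts still hold its cached logon verifier or a live session with
# its old NT hash in LSASS, and check the settings that widen the window.
# Assumptions: ActiveDirectory module on the admin host, PowerShell Remoting
# enabled on targets; the account name and host list are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$SamAccountName = 'jdoe',                 # placeholder
    [string[]]$Hosts = @('WS01', 'WS02', 'SRV01'),    # placeholders
    [int]$LookbackDays = 30
)

$user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet
Write-Host "Password for $SamAccountName last set: $($user.PasswordLastSet)"

# 1. Domain controllers: NTLM network logons with the OLD password are still
#    accepted for OldPasswordAllowedPeriod minutes after a reset (60 by default).
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name OldPasswordAllowedPeriod -ErrorAction SilentlyContinue).OldPasswordAllowedPeriod
    [pscustomobject]@{ DC = $env:COMPUTERNAME; OldPasswordAllowedPeriodMin = if ($null -eq $v) { 60 } else { $v } }
} | Format-Table -AutoSize

# 2. Endpoints: how many domain logons are cached (DCC2 verifiers, default 10)
#    and whether the account had interactive, unlock, RDP or cached-interactive
#    logons (types 2, 7, 10, 11). Those populate the cache and leave the NT hash
#    in LSASS while the session lives; network logons (type 3) do not.
$cutoff = (Get-Date).AddDays(-$LookbackDays)
Invoke-Command -ComputerName $Hosts -ArgumentList $SamAccountName, $cutoff -ScriptBlock {
    param($Sam, $Since)
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $d.TargetUserName -eq $Sam -and $d.LogonType -in @('2', '7', '10', '11')
        }
    $sessions = if (Get-Command quser -ErrorAction SilentlyContinue) { quser 2>$null } else { @() }
    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        CachedLogonsCount = if ($null -eq $cached) { 10 } else { $cached }
        InteractiveLogons = @($events).Count
        LastLogon         = ($events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        StillLoggedOn     = [bool]($sessions | Select-String -Pattern "^\s*>?\s*$Sam\s")
    }
} | Format-Table -AutoSize
```

Hosts reporting StillLoggedOn should have the session logged off (which clears the LSASS copy); hosts with recent interactive logons keep a DCC2 entry for the old password until the user next logs on there with the new one.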
- Service accounts with long-lived passwords and elevated privileges are a common persistence vector: their passwords are rarely rotated because every dependent service has to be reconfigured at the same time, so a credential captured months earlier still works after a user-focused reset campaign. Moving such workloads to group Managed Service Accounts (gMSA) removes the human-managed password entirely.
First reported: 11.05.2026 16:53 (1 source, 1 article). Sources:
- Why Changing Passwords Doesn’t End an Active Directory Breach — www.bleepingcomputer.com — 11.05.2026 16:53
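An added example (not from the article) of the inventory a reset campaign should start from: SPN-bearing user accounts with stale or never-expiring passwords and their direct privileged group memberships. It assumes the RSAT ActiveDirectory module; the 180-day threshold is a placeholder.

```powershell
# Added example (not from the article): list the service accounts a reset
# campaign is most likely to skip: enabled user accounts that carry an SPN and
# have stale or never-expiring passwords, with any privileged group membership.
# Assumptions: ActiveDirectory module; the staleness threshold is a placeholder.
#Requires -Modules ActiveDirectory
param([int]$StaleDays = 180)

$cutoff = (Get-Date).AddDays(-$StaleDays)
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'

# gMSAs rotate their own keys and are not user objects, so they fall outside
# this filter; the concern is classic user accounts with a human-managed password.
Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, MemberOf, AdminCount, LastLogonDate |
    ForEach-Object {
        # Direct membership only; nested membership needs a recursive lookup.
        $groups = $_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            PasswordAgeDays      = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            PasswordNeverExpires = $_.PasswordNeverExpires
            AdminCount           = $_.AdminCount
            PrivilegedGroups     = ($groups | Where-Object { $_ -in $privileged }) -join ', '
            SpnCount             = @($_.ServicePrincipalName).Count
            LastLogonDate        = $_.LastLogonDate
        }
    } |
    Where-Object { $_.PasswordNeverExpires -or -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Accounts that show up with both a privileged group and a multi-year PasswordAgeDays are the ones an attacker who captured credentials before the incident can still use; rotate them (or migrate them to gMSA) as part of the same remediation window as the user resets.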
- Attackers with write access to an object's security descriptor can add ACEs (GenericAll, WriteDacl, WriteOwner or targeted property rights) that give a principal they control lasting rights over it. Adding such an ACE to the AdminSDHolder object is especially durable: SDProp copies that ACL to every protected account and group (the adminCount=1 objects, Domain Admins included) every 60 minutes, re-creating the backdoor even if an administrator removes it from an individual object. Because these are authorization grants rather than credentials, no password reset removes them; the ACLs themselves must be reviewed and cleaned.
First reported: 11.05.2026 16:53 (1 source, 1 article). Sources:
- Why Changing Passwords Doesn’t End an Active Directory Breach — www.bleepingcomputer.com — 11.05.2026 16:53
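The following audit script is an added example, not code from the article: it lists control-granting ACEs on AdminSDHolder and on every adminCount=1 object whose trustee is outside an allow-list of the default trustees, and pulls the replication metadata for the template's security descriptor to show which DC last changed it and when. It assumes the RSAT ActiveDirectory module; the allow-list is a starting point that should be extended with the trustees your environment legitimately adds.

```powershell
# Added example (not from the article): audit the AdminSDHolder template and the
# protected objects SDProp stamps from it for ACEs that grant control to
# unexpected principals. Assumptions: ActiveDirectory module; the $expected
# allow-list covers the default AdminSDHolder trustees and should be extended.
#Requires -Modules ActiveDirectory
$domain = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$nb = $domain.NetBIOSName

# Trustees that legitimately appear on a default AdminSDHolder ACL (extend as needed).
$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
    "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers", "$nb\Domain Controllers",
    "$nb\Enterprise Key Admins", "$nb\Key Admins"
)
# Rights that let a trustee take over the object or rewrite its ACL.
$takeover = 'GenericAll|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

function Get-SuspiciousAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"   # AD: drive comes with the module
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -notin $expected -and
                       $_.ActiveDirectoryRights.ToString() -match $takeover } |
        ForEach-Object {
            [pscustomobject]@{
                Object     = $DistinguishedName
                Trustee    = $_.IdentityReference.Value
                Rights     = $_.ActiveDirectoryRights
                ObjectType = $_.ObjectType    # property/extended-right GUID, all zeros = everything
                Inherited  = $_.IsInherited
                Owner      = $acl.Owner
            }
        }
}

# 1. The template: anything here is re-applied to every protected object by SDProp
#    (every 60 minutes by default), so one rogue ACE is a domain-wide backdoor.
Write-Host "== Non-default control ACEs on $adminSdHolder =="
Get-SuspiciousAce -DistinguishedName $adminSdHolder | Format-Table -AutoSize

# 2. Objects SDProp has stamped (adminCount=1), including orphans it no longer
#    protects but that kept adminCount and a non-inheriting ACL.
Write-Host "== adminCount=1 objects with non-default control ACEs =="
Get-ADObject -Filter { adminCount -eq 1 } -Properties adminCount |
    ForEach-Object { Get-SuspiciousAce -DistinguishedName $_.DistinguishedName } |
    Format-Table -AutoSize

# 3. Who last changed the template's security descriptor, from replication metadata.
Write-Host "== Replication metadata for the AdminSDHolder security descriptor =="
Get-ADReplicationAttributeMetadata -Object $adminSdHolder -Server $domain.PDCEmulator -Properties nTSecurityDescriptor |
    Select-Object AttributeName, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version |
    Format-List
```

A trustee that appears in section 1 should be removed from the template first; cleaning an individual protected object while the template still carries the ACE only buys time until the next SDProp run. The originating DC and timestamp in section 3 give the pivot for the security log (event 5136 for directory object modifications) on that DC.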