Microsoft: Why Changing Passwords Doesn’t End an Active Directory Breach

Password Resets Alone Don’t Fully Lock Out Attackers in Active Directory

A password reset is the usual first response to a suspected compromise, but it does not immediately invalidate the old credential on every authentication path in Active Directory (AD) or a hybrid Entra ID environment. Cached credentials, sessions that are already established, and password hashes that have not yet synchronized can all keep the old password usable, and that window lets an attacker hold on to access after the reset.

The Password Reset Gap

After a password change, whether the old password still works depends on the state of each device's credential cache and of directory synchronization. Three scenarios cover it:

  1. Updated cached credentials – If the user logs on with the new password while the device can reach a domain controller, Windows refreshes the locally cached domain credential and the old one stops working for offline logon.
  2. Stale cached credentials – If the device has not reconnected to the domain since the reset, its cache still holds the old credential, so the old password keeps working for offline logon on that device.
  3. Hybrid sync delays – With password hash synchronization to Entra ID, the new hash reaches the cloud on the next sync run, normally within a few minutes; until then the old password still authenticates against Entra ID.
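As an added example that is not part of the original article and not Microsoft's tooling, the following PowerShell script checks the three scenarios after a reset: whether every domain controller has the new password, whether each endpoint still allows cached (offline) logons, and whether Entra ID has received the new hash. It also hunts for Kerberos service ticket requests made after the reset, because a ticket issued before the reset stays usable. The cmdlets and the CachedLogonsCount value are real; the hostnames, the account jdoe and the corp.example domain are placeholders.

```powershell
# Added example, not from the article: after resetting a user's password, report
# every place the OLD password may still be accepted. Assumes the RSAT
# ActiveDirectory module, WinRM access to the endpoints, read access to the DCs'
# Security logs and, optionally, Microsoft.Graph already connected with
# Connect-MgGraph -Scopes User.Read.All. Hostnames and accounts are placeholders.
#Requires -Modules ActiveDirectory
$ErrorActionPreference = 'Stop'

function Test-PasswordResetPropagation {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string[]]$Endpoints = @(),        # devices the user logs on to
        [string]$UserPrincipalName         # set this to include the Entra ID check
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Replication: ask every DC directly instead of whichever one the module
    #    bound to. A DC that still holds the old pwdLastSet still accepts the old password.
    $stamps = foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $u.PasswordLastSet }
    }
    $resetTime = ($stamps | Measure-Object -Property PasswordLastSet -Maximum).Maximum
    foreach ($s in $stamps | Where-Object { $_.PasswordLastSet -lt $resetTime }) {
        $findings.Add("DC $($s.DC) has not replicated the reset yet (PasswordLastSet=$($s.PasswordLastSet)).")
    }

    # 2. Cached domain logons. CachedLogonsCount > 0 means the device will log the
    #    user on offline with whatever password it last verified against a DC; a
    #    device we cannot reach is exactly the one whose cache may be stale.
    foreach ($ep in $Endpoints) {
        try {
            $count = Invoke-Command -ComputerName $ep -ScriptBlock {
                (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                    -Name CachedLogonsCount).CachedLogonsCount
            }
            if ([int]$count -gt 0) {
                $findings.Add("$ep caches $count domain logons; the old password works offline there until " +
                              "$SamAccountName logs on with the new one while connected to the domain.")
            }
        } catch {
            $findings.Add("$ep is unreachable; its credential cache cannot be confirmed as refreshed.")
        }
    }

    # 3. Hybrid sync: Entra ID records when it last received a password change.
    if ($UserPrincipalName -and (Get-Command Get-MgUser -ErrorAction SilentlyContinue)) {
        $cloud = Get-MgUser -UserId $UserPrincipalName -Property lastPasswordChangeDateTime
        if ($cloud.LastPasswordChangeDateTime -lt $resetTime.ToUniversalTime()) {
            $findings.Add("Entra ID still has the old hash (cloud change=$($cloud.LastPasswordChangeDateTime) " +
                          "UTC, AD reset=$($resetTime.ToUniversalTime()) UTC).")
        }
    }

    # 4. Tickets still in use: event 4769 (service ticket requested) for this account
    #    after the reset means a TGT issued before the reset is still being used.
    #    The source address tells the analyst whether that is the user's own
    #    workstation or something else.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4769; StartTime = $resetTime
        }
        foreach ($e in $events | Where-Object { $_.Properties[0].Value -like "$SamAccountName@*" }) {
            # 4769 event data: [0] TargetUserName, [2] ServiceName, [6] IpAddress
            $findings.Add("$($dc.HostName): service ticket for $($e.Properties[2].Value) issued to " +
                          "$SamAccountName from $($e.Properties[6].Value) at $($e.TimeCreated), after the reset.")
        }
    }
    return $findings
}

# Constructed usage (placeholder names)
Test-PasswordResetPropagation -SamAccountName 'jdoe' -Endpoints 'WS-0421', 'LT-0192' `
    -UserPrincipalName 'jdoe@corp.example' | ForEach-Object { Write-Warning $_ }
```

Each finding names one path on which the old credential or an existing ticket is still good, which is the list a responder needs before declaring the reset effective. Note that the 4769 check also surfaces the user's own legitimate activity if they have not logged off; it is the unexpected source addresses that matter.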

How Attackers Exploit the Gap

  • Cached and stolen credentials – Hashes dumped from LSASS or the local credential cache keep working wherever the old password is still accepted: offline on a device whose cache has not been refreshed, or against Entra ID until the new hash has synced. Pass-the-hash with the old NT hash stops working against domain controllers once the reset has replicated, but any other account's hash the attacker harvested and that was not reset keeps working. Windows itself widens the window slightly: a domain controller keeps accepting the previous password for NTLM network logons for a grace period after the change (60 minutes by default, the OldPasswordAllowedPeriod value described in Microsoft KB906305).
  • Active sessions – A reset does not revoke Kerberos tickets that were already issued. A TGT stays valid until it expires (10 hours by default, renewable for up to 7 days), so an attacker holding one keeps requesting service tickets without ever presenting the new password.
  • Service accounts – Privileged service accounts with long-lived passwords are rarely included in a reset, so an attacker who captured one keeps a working credential.
  • Ticket attacks – Golden Ticket and Silver Ticket attacks bypass user password changes entirely: the forged tickets are encrypted with the KRBTGT key or the target service account's key, not with the compromised user's password, so only rotating those keys invalidates them.
  • Permissions – An attacker can add ACEs on sensitive objects or on AdminSDHolder (whose ACL is copied onto every protected account by the SDProp process) so that control survives even if the account originally used is reset or disabled.

Closing the Gap

To fully evict attackers, defenders must:

  • Terminate active sessions – Force logoffs or reboots on affected hosts to discard issued Kerberos tickets (klist purge clears a logon session's ticket cache where a reboot is not possible); in hybrid environments, revoke the user's Entra ID sessions as well.
  • Rotate critical credentials – Reset service account passwords (and update the services that use them), and make sure each endpoint refreshes its cached credential by having the user log on with the new password while connected to the domain; treat devices you cannot reach as still accepting the old password.
  • Audit AD changes – Review privileged group memberships, delegation settings, ACLs on sensitive objects and on AdminSDHolder, and accounts with adminCount=1 for modifications the attacker may have made to keep access.
  • Reset the KRBTGT account – In severe breaches, reset krbtgt twice, waiting for replication to converge between the two resets (Microsoft's guidance is to wait at least the maximum ticket lifetime, 10 hours by default). The account keeps its previous key, so tickets forged with the pre-breach key only stop working after the second reset.
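The four steps above as one eviction runbook, added here as an example rather than code from the article or from Microsoft. It assumes the RSAT ActiveDirectory module, Domain Admin rights, WinRM access to the endpoints and, optionally, the Microsoft.Graph PowerShell SDK; every account, host and domain name is a placeholder, and the AdminSDHolder check relies on the default set of full-control principals, which you should compare against your own baseline.

```powershell
# Added example, not the article's own code: an eviction runbook that carries out
# the four steps above. Assumes the RSAT ActiveDirectory module, Domain Admin
# rights, WinRM to the endpoints and, optionally, Microsoft.Graph connected with
# Connect-MgGraph -Scopes User.RevokeSessions.All. All names are placeholders;
# the KRBTGT part affects every Kerberos ticket in the domain.
#Requires -Modules ActiveDirectory
$ErrorActionPreference = 'Stop'

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded so the result is printable.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-CompromisedAccounts {
    param([Parameter(Mandatory)][string[]]$Accounts)
    foreach ($acct in $Accounts) {
        # -Reset sets the password without knowing the old one. A service account's
        # new password must also be entered wherever that service runs; rotating it
        # is what invalidates Silver Tickets forged with its old key.
        $pw = New-RandomPassword
        Set-ADAccountPassword -Identity $acct -Reset -NewPassword $pw
        # Hand the SecureString to the helpdesk workflow for human users.
        [pscustomobject]@{ Account = $acct; NewPassword = $pw }
    }
}

function Stop-ActiveSessions {
    param([string[]]$Endpoints, [string]$UserPrincipalName)
    foreach ($ep in $Endpoints) {
        # A logoff discards that user's ticket cache; a reboot discards every logon
        # session on the host, which is the right choice when you do not know which
        # session the attacker's tooling is running in.
        Restart-Computer -ComputerName $ep -Force -ErrorAction Continue
    }
    if ($UserPrincipalName -and (Get-Command Revoke-MgUserSignInSession -ErrorAction SilentlyContinue)) {
        # Hybrid: invalidate the user's refresh tokens so cloud sessions re-authenticate.
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    }
}

function Get-PrivilegeAudit {
    $domainDN = (Get-ADDomain).DistinguishedName
    $report = [ordered]@{}

    # Who is privileged right now, with group nesting expanded.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
    $report.PrivilegedMembers = foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, objectClass
    }

    # Accounts with unconstrained (userAccountControl bit 0x80000) or constrained delegation.
    $report.Delegation = Get-ADObject -Properties msDS-AllowedToDelegateTo `
        -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))' |
        Select-Object Name, ObjectClass, msDS-AllowedToDelegateTo

    # AdminSDHolder: SDProp stamps this ACL onto every protected account (adminCount=1)
    # about every 60 minutes, so a single ACE here is persistent control of all admins.
    # Flag full-control / DACL / owner grants to anyone outside the default principals;
    # compare the remaining (write-property) ACEs against a known-good baseline export.
    $expected = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|[^\\]+\\(Domain|Enterprise) Admins)$'
    $report.AdminSDHolderAces = (Get-Acl "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -and
            $_.IdentityReference.Value -notmatch $expected
        } | Select-Object IdentityReference, ActiveDirectoryRights
    [pscustomobject]$report
}

function Reset-Krbtgt {
    # KRBTGT keeps its previous key, so a Golden Ticket encrypted with the
    # pre-breach key keeps working after ONE reset; it stops on the second.
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
    # Wait until every DC reports the same pwdLastSet before doing anything else:
    # a DC still on the old key would reject tickets the others just issued.
    do {
        Start-Sleep -Seconds 30
        $stamps = Get-ADDomainController -Filter * | ForEach-Object {
            (Get-ADUser -Identity krbtgt -Server $_.HostName -Properties PasswordLastSet).PasswordLastSet
        }
    } until (($stamps | Sort-Object -Unique).Count -eq 1)
}

# Constructed usage (placeholder names)
Reset-CompromisedAccounts -Accounts 'jdoe', 'svc-backup'
Stop-ActiveSessions -Endpoints 'WS-0421', 'SRV-FILE01' -UserPrincipalName 'jdoe@corp.example'
Get-PrivilegeAudit | Format-List
Reset-Krbtgt
# Microsoft's guidance is to let at least the maximum TGT lifetime (10 hours by
# default) pass before the second Reset-Krbtgt so legitimately issued tickets
# expire on their own; running it immediately evicts forged tickets just the
# same, at the price of every unexpired TGT in the domain being rejected.
```

The order matters: credentials are rotated before sessions are killed so that a rebooted host cannot be re-entered with the old password, and the audit runs before the KRBTGT reset so that any planted ACE or delegation right is removed rather than surviving the ticket invalidation.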

While password resets are a necessary step, they must be paired with broader measures to ensure attackers lose all access. The window of exposure may be small, but it’s enough for determined adversaries to re-establish a foothold.

Source: https://www.bleepingcomputer.com/news/security/why-changing-passwords-doesnt-end-an-active-directory-breach/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-entra

"id": "mic1778509431",
"linkid": "microsoft-entra",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': 'Organizations using Active Directory/Entra '
                                'ID'}],
 'attack_vector': ['Pass-the-Hash',
                   'Kerberos Ticket Attacks',
                   'Service Account Exploitation'],
 'description': 'A password reset is a common first response to a suspected '
                'compromise, but it doesn’t immediately invalidate old '
                'credentials across all authentication paths in Active '
                'Directory (AD) or hybrid Entra ID environments. This gap '
                'where cached credentials, active sessions, or unsynchronized '
                'hashes remain valid creates opportunities for attackers to '
                'maintain access even after a reset.',
 'impact': {'identity_theft_risk': 'High (if credentials are exploited for '
                                   'further attacks)',
            'operational_impact': 'Attackers may retain access post-password '
                                  'reset, leading to persistent compromise',
            'systems_affected': ['Active Directory',
                                 'Entra ID (Hybrid Environments)']},
 'lessons_learned': 'Password resets alone are insufficient to fully evict '
                    'attackers in Active Directory environments. Additional '
                    'measures like session termination, credential rotation, '
                    'and KRBTGT resets are required to close persistence gaps.',
 'post_incident_analysis': {'corrective_actions': ['Terminate active sessions',
                                                   'Rotate critical '
                                                   'credentials',
                                                   'Audit AD changes',
                                                   'Reset KRBTGT account'],
                            'root_causes': ['Cached credentials',
                                            'Active Kerberos sessions',
                                            'Hybrid sync delays',
                                            'Service account persistence']},
 'recommendations': ['Terminate active sessions and force logoffs/reboots to '
                     'clear Kerberos tickets.',
                     'Rotate service account passwords and clear cached '
                     'credentials on endpoints.',
                     'Audit AD for unauthorized changes to group memberships, '
                     'delegated rights, and privileged accounts.',
                     'Reset the KRBTGT account twice in severe breaches to '
                     'invalidate forged tickets.',
                     'Implement enhanced monitoring for AD changes and '
                     'suspicious authentication activity.'],
 'response': {'containment_measures': ['Terminate active sessions',
                                       'Force logoffs/reboots'],
              'enhanced_monitoring': ['Audit AD changes (group memberships, '
                                      'delegated rights, privileged accounts)'],
              'remediation_measures': ['Rotate critical credentials (service '
                                       'accounts)',
                                       'Reset KRBTGT account twice',
                                       'Clear cached credentials on '
                                       'endpoints']},
 'title': 'Password Resets Alone Don’t Fully Lock Out Attackers in Active '
          'Directory',
 'type': 'Credential Theft/Persistence',
 'vulnerability_exploited': ['Cached credentials',
                             'Active sessions',
                             'Hybrid sync delays',
                             'Kerberos ticket persistence']}