TL;DR: Microsoft’s built-in password rotation for on-premises NHIs can be undermined through machine account password tampering or time manipulation, allowing attackers to preserve access and evade detection, according to Silverfort. The control assumption is fragile: rotation only protects credentials when time, trust, and account-state synchronisation remain intact.
At a glance
What this is: This analysis shows how Active Directory password rotation for machine accounts and managed service accounts can be manipulated to preserve non-human identity access.
Why it matters: It matters because IAM teams that rely on rotation alone may miss the trust, time, and lifecycle weaknesses that let compromised NHIs remain active.
By the numbers:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
- 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.
👉 Read Silverfort's analysis of Active Directory password rotation abuse
Context
Active Directory password rotation is a control for non-human identities, but it only works when the underlying state changes are trusted and synchronised. In this case, attackers can interfere with the rotation mechanism itself, either by modifying machine-account passwords directly or by manipulating time so scheduled rotations do not take effect as intended.
That creates a governance problem for IAM and NHI programmes: the control exists, yet the assurance fails at the identity-state layer. Teams that treat rotation as a finish line need to think about time integrity, account ownership, and monitoring of password-state drift as part of the same control family.
Key questions
Q: What breaks when Active Directory password rotation is tampered with?
A: Rotation stops being evidence that the credential lifecycle is controlled. If an attacker can change the password directly or interfere with time, the account may stay valid while the legitimate host falls out of sync. That creates persistence, possible privilege escalation, and a false sense of security around a control that no longer proves enforcement.
Q: Why do machine and service accounts create persistence risk in Active Directory?
A: They often rely on automated lifecycle processes that administrators assume are stable and predictable. If those processes can be manipulated through protocol abuse or time drift, the credential can remain usable beyond its intended window. The risk is not the account type alone, but the trust placed in its rotation machinery.
Q: How do security teams know if NHI rotation is actually working?
A: They need evidence that the credential state changed on schedule and that the change propagated correctly across the systems that depend on it. That means checking password history, rotation logs, time synchronisation health, and any unexpected direct modifications. A successful policy is one that leaves no unexplained state mismatch behind.
Q: Who is accountable when time manipulation keeps an NHI alive longer than intended?
A: Accountability usually spans identity operations, domain administration, and infrastructure teams because the failure crosses authentication, time, and lifecycle control boundaries. Organisations should define who owns password enforcement, who monitors clock integrity, and who responds when those controls diverge. Without that split, the incident sits in a governance gap.
Technical breakdown
Machine account rotation depends on trusted state synchronisation
Machine accounts in Active Directory rotate their own passwords: the Netlogon service on the domain-joined host generates a new password once the current one reaches its maximum age (30 days by default) and pushes it to a domain controller over the Netlogon RPC interface. The process depends on both sides holding the same password state. If an attacker with write access to the object resets the password directly in the directory (over LDAP or SAMR, for example), the domain-joined host and the directory diverge: the account stays valid for whoever holds the new password, while the legitimate machine's secure channel breaks. The secure-channel failure on the host is itself a symptom worth alerting on, but a foothold of this kind is hard to spot through ordinary rotation checks alone, because the directory still shows a recent, policy-compliant password change.
Practical implication: monitor for password-state mismatch and direct account modification rather than assuming scheduled rotation proves control health.
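The check described above, written out as an added example (this is not Silverfort's tooling or the original page's code): it flags 4742 ("A computer account was changed") records where the password was set by a subject other than the computer itself, and compares each account's rotation history and current pwdLastSet age against the default 30-day cadence. The event records and the pwdLastSet snapshot are constructed for the example; the field names follow the event's EventData names, the snapshot is the shape `Get-ADComputer -Properties pwdLastSet` returns, and the seven-day grace period is an assumption.

```python
"""Check machine-account password state against the expected rotation cadence and
flag password resets that did not come from the host itself.

Inputs are constructed for this example: 4742 records ("A computer account was
changed", EventData field names) and a pwdLastSet snapshot of the kind
Get-ADComputer -Properties pwdLastSet returns (FILETIME integers).
"""
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE = timedelta(days=30)   # default MaximumPasswordAge for member machines
GRACE = timedelta(days=7)               # tolerance for hosts that were offline (assumption)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def direct_password_resets(events_4742):
    """Netlogon rotation is self-initiated, so a genuine change has Subject == Target
    (the HOST$ account). Any other subject reset the password through another path."""
    hits = []
    for e in events_4742:
        if e["PasswordLastSet"] == "-":
            continue        # some other attribute changed; the password was not touched
        if e["SubjectUserName"].upper() != e["TargetUserName"].upper():
            hits.append((e["TargetUserName"], e["SubjectUserName"], e["TimeCreated"]))
    return hits


def cadence_anomalies(events_4742, snapshot, now):
    """Two kinds of drift from the expected 30-day cadence:
    - two password sets closer together than the policy would ever produce;
    - a pwdLastSet so old that rotation evidently stopped (or the host is gone)."""
    anomalies = {}
    sets = {}
    for e in events_4742:
        if e["PasswordLastSet"] != "-":
            sets.setdefault(e["TargetUserName"], []).append(parse_iso(e["TimeCreated"]))
    for name, times in sets.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier < MAX_PASSWORD_AGE - GRACE:
                anomalies.setdefault(name, []).append(
                    f"rotated twice within {(later - earlier).days} days")
    for name, ft in snapshot.items():
        age = now - filetime_to_datetime(ft)
        if age > MAX_PASSWORD_AGE + GRACE:
            anomalies.setdefault(name, []).append(f"pwdLastSet {age.days} days old")
    return anomalies


# Constructed sample 4742 records (not real telemetry).
EVENTS_4742 = [
    {"TimeCreated": "2025-07-01T02:10:00Z", "SubjectUserName": "WS01$",
     "TargetUserName": "WS01$", "PasswordLastSet": "7/1/2025 2:10:00 AM"},
    {"TimeCreated": "2025-07-31T02:10:00Z", "SubjectUserName": "WS01$",
     "TargetUserName": "WS01$", "PasswordLastSet": "7/31/2025 2:10:00 AM"},
    {"TimeCreated": "2025-06-20T01:00:00Z", "SubjectUserName": "SRV-FILE01$",
     "TargetUserName": "SRV-FILE01$", "PasswordLastSet": "6/20/2025 1:00:00 AM"},
    {"TimeCreated": "2025-07-03T14:22:00Z", "SubjectUserName": "jdoe",
     "TargetUserName": "SRV-FILE01$", "PasswordLastSet": "7/3/2025 2:22:00 PM"},
    {"TimeCreated": "2025-07-03T15:00:00Z", "SubjectUserName": "jdoe",
     "TargetUserName": "SRV-FILE01$", "PasswordLastSet": "-"},
]

# Constructed pwdLastSet snapshot, as stored in AD (100 ns ticks since 1601-01-01 UTC).
SNAPSHOT = {
    "WS01$":       133984014000000000,   # 2025-07-31T02:10:00Z
    "SRV-FILE01$": 133960261200000000,   # 2025-07-03T14:22:00Z
    "OLD-HOST$":   133852608000000000,   # 2025-03-01T00:00:00Z
}
NOW = datetime(2025, 8, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("direct resets:", direct_password_resets(EVENTS_4742))
    print("cadence anomalies:", cadence_anomalies(EVENTS_4742, SNAPSHOT, NOW))
```

On the sample data, SRV-FILE01$ is reported twice: once because an interactive user rather than the host reset its password, and again because that reset landed 13 days after the host's own rotation, a gap the 30-day policy would never produce. OLD-HOST$ is reported for the opposite reason: nothing has rotated its password for 156 days, which is either a decommissioned host that still holds a valid account or a rotation mechanism that has stopped working. WS01$ rotated itself twice, 30 days apart, and is silent.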
Managed service account rotation can be delayed through time manipulation
Managed service accounts rely on domain controllers for password changes. For a group managed service account, the Key Distribution Service on the domain controllers derives the current password from the KDS root key and the account's rotation interval, and the directory records each change in PwdLastSet; which password is current is therefore a function of the domain controller's clock. If an attacker can alter system time on a controller or influence its synchronisation, the rotation schedule can be pushed forward or backward without changing the policy itself. Because domain members take their time from the domain controllers and Kerberos tolerates only a small skew (five minutes by default), a consistent shift can preserve authentication continuity while silently extending credential validity. The weakness is not cryptographic; it is the dependence of rotation on accurate, trusted time.
Practical implication: treat authenticated time synchronisation and clock-change detection as part of NHI control assurance.
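An added example of the clock-change detection this implies (not Silverfort's code and not part of the original page): it flags Security event 4616 ("The system time was changed") records that moved the clock backward, stepped it further than a few minutes, or came from a process other than the time service, and then pairs each flagged change with password-state changes on the same host (4742 for computer accounts, 4738 for user accounts). The records are constructed and only mirror the real EventData field names; the svchost.exe allowlist, the five-minute step limit and the two-hour correlation window are assumptions to tune for your environment.

```python
"""Treat clock changes as identity events: flag suspicious Security 4616 records
(The system time was changed) and correlate them with password-state changes
on the same host (4742 computer account changed, 4738 user account changed).

All records below are constructed for this example and only mirror the
EventData field names of the real events.
"""
from datetime import datetime, timedelta, timezone

# Assumptions for this example: W32Time steps the clock from inside svchost.exe,
# legitimate steps are small, and a password change within two hours of a
# suspicious clock change deserves an analyst's attention.
TIME_SERVICE_PROCESSES = {r"C:\Windows\System32\svchost.exe"}
MAX_LEGIT_STEP = timedelta(minutes=5)
CORRELATION_WINDOW = timedelta(hours=2)


def parse_win_time(ts: str) -> datetime:
    """Parse 4616's PreviousTime/NewTime (UTC, 100 ns fraction) into a datetime."""
    ts = ts.rstrip("Z")
    main, _, frac = ts.partition(".")
    frac = frac[:6].ljust(6, "0")          # fromisoformat accepts at most 6 digits
    return datetime.fromisoformat(f"{main}.{frac}+00:00")


def suspicious_clock_changes(events_4616):
    """Return 4616 records that moved the clock backward, stepped it further than
    MAX_LEGIT_STEP, or were issued by a process other than the time service."""
    hits = []
    for e in events_4616:
        prev, new = parse_win_time(e["PreviousTime"]), parse_win_time(e["NewTime"])
        delta = new - prev
        reasons = []
        if delta < timedelta(0):
            reasons.append(f"clock moved backward by {-delta}")
        elif delta > MAX_LEGIT_STEP:
            reasons.append(f"clock jumped forward by {delta}")
        if e["ProcessName"] not in TIME_SERVICE_PROCESSES:
            reasons.append(f"changed by {e['ProcessName']} as {e['SubjectUserName']}")
        if reasons:
            hits.append({"host": e["Computer"], "prev": prev, "new": new, "reasons": reasons})
    return hits


def correlate(clock_hits, password_events):
    """Attach password-state changes on the same host that fall within
    CORRELATION_WINDOW of either the old or the new clock value. Checking both
    keeps events that were logged under a rolled-back clock from being missed."""
    findings = []
    for c in clock_hits:
        related = []
        for p in password_events:
            if p["Computer"] != c["host"] or p["PasswordLastSet"] == "-":
                continue        # other host, or the change left the password alone
            t = parse_win_time(p["TimeCreated"])
            if min(abs(t - c["prev"]), abs(t - c["new"])) <= CORRELATION_WINDOW:
                related.append((p["EventID"], p["TargetUserName"], p["SubjectUserName"]))
        findings.append({**c, "password_changes": related})
    return findings


# Constructed 4616 records ("Computer" comes from the event's System element).
EVENTS_4616 = [
    {"Computer": "DC01", "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2025-07-10T03:00:00.1234567Z", "NewTime": "2025-07-10T03:00:00.9876543Z"},
    {"Computer": "DC01", "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PreviousTime": "2025-07-20T10:00:00.0000000Z", "NewTime": "2025-06-25T10:00:00.0000000Z"},
]

# Constructed 4742/4738 records; PasswordLastSet is "-" when the password was not touched.
PASSWORD_EVENTS = [
    {"EventID": 4742, "Computer": "DC01", "TimeCreated": "2025-07-20T09:30:00Z",
     "SubjectUserName": "WS01$", "TargetUserName": "WS01$", "PasswordLastSet": "7/20/2025 9:30:00 AM"},
    {"EventID": 4738, "Computer": "DC01", "TimeCreated": "2025-06-25T10:05:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "svc-app", "PasswordLastSet": "6/25/2025 10:05:00 AM"},
    {"EventID": 4742, "Computer": "DC02", "TimeCreated": "2025-07-20T09:45:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "WS02$", "PasswordLastSet": "7/20/2025 9:45:00 AM"},
    {"EventID": 4738, "Computer": "DC01", "TimeCreated": "2025-07-20T10:10:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe", "PasswordLastSet": "-"},
]

if __name__ == "__main__":
    for f in correlate(suspicious_clock_changes(EVENTS_4616), PASSWORD_EVENTS):
        print(f["host"], f["reasons"], f["password_changes"])
```

The sub-second W32Time adjustment on DC01 is ignored; the 25-day backward step made from PowerShell by an interactive user is not, and it is reported together with the two password changes that sit next to it: the WS01$ rotation half an hour before the clock moved, and the svc-app password set five minutes after the clock landed in June. Correlating against both the old and the new clock value is what catches the second one, since its timestamp was written under the manipulated clock.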
Rotation control is bypassed when attackers control the credential state itself
The deeper failure is that rotation assumes the credential lifecycle is still owned by the platform. When attackers can directly modify a machine account password or manipulate the timestamp that governs the next change, they are no longer breaking the control from outside. They are hijacking the control path. That turns a protective mechanism into a persistence enabler, because the account continues to appear legitimate even as the enforcement logic is no longer trustworthy.
Practical implication: alert on unexpected password-change events and abnormal PwdLastSet patterns across machine and service accounts.
Threat narrative
Attacker objective: The attacker wants to keep a non-human identity usable for continued access while avoiding the normal expiry and rotation controls that should force loss of access.
- Entry occurs through access to a machine account, a service account, or a position that lets the attacker interfere with directory or time-state mechanisms.
- Escalation happens when the attacker either changes the password directly through account-management protocols or manipulates time so rotation is deferred while valid authentication continues.
- Impact is long-term persistence with stealthy access, plus possible privilege escalation and operational disruption as domain trust becomes inconsistent.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Scheduled NHI rotation is only a control if the actor cannot tamper with the control plane. This article shows that Active Directory password rotation assumes the directory, the client host, and the clock remain aligned. Once an attacker can alter password state or time state, the rotation policy still exists but no longer governs reality. The implication is that NHI governance must treat time integrity and account-state integrity as first-class assurance inputs.
Standing credential persistence is the real failure mode, not weak rotation cadence. The problem is not that passwords fail to change eventually, but that attackers can preserve a machine or service account beyond its intended lifecycle. That is a lifecycle governance failure under OWASP-NHI and NIST CSF, because the account outlives the assurance that originally justified its access. Practitioners should read this as a reminder that rotation without trust in enforcement is administrative theatre.
Identity blast radius grows when machine accounts and service accounts share the same trust assumptions. Machine accounts, MSAs, and gMSAs all depend on state that can be manipulated if an attacker reaches the right control surface. The difference is not just account type, but who owns rotation and what telemetry proves it happened. IAM teams should use this as a boundary test for where control ownership ends and operational monitoring must begin.
Time integrity is an identity control, not just an infrastructure concern. The article makes clear that if the domain controller’s time can be shifted, password policy enforcement can be shifted with it. That means NHI governance cannot separate authentication from time synchronisation when access decisions depend on timestamps. Practitioners should treat clock tampering as an identity event because it can directly extend credential validity.
Direct password modification turns lifecycle management into a false assurance if no one watches the state transition. The control premise behind rotation is that the old secret is replaced under policy and the old path is retired. If the attacker can change the password through the same authority path or move the clock so the new state never expires as expected, the lifecycle never really completes. Teams should recognise this as a control-path compromise, not merely a missing alert.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- In our 2024 Non-Human Identity Security Report, only 19.6% of security professionals expressed strong confidence in their organisation's ability to securely manage non-human workload identities.
- For a broader view of lifecycle failure patterns, see 52 NHI Breaches Analysis for recurring identity control breakdowns.
What this signals
Identity governance teams should treat time integrity as part of credential lifecycle assurance. When password rotation depends on trusted timestamps, any drift or tampering can extend the life of a credential beyond policy intent. That means the operational signal to watch is not just whether a rotation job ran, but whether the state that controls expiry stayed trustworthy throughout the cycle.
Standing credential risk does not disappear because a policy says rotation exists. The programme question is whether the identity can still be used after the control is supposed to have expired it. If your monitoring cannot reconcile local state, directory state, and time state, then you do not have assurance, only expectation.
The control boundary now includes domain time, password history, and delegated account administration. Teams should be ready to connect identity telemetry to infrastructure telemetry, because credential persistence often starts where those two domains overlap.
For practitioners
- Validate password-state integrity, not just rotation policy: compare directory state, local host state, and PwdLastSet timing for machine and service accounts. Investigate any account whose password-change history does not match the expected rotation cadence or whose state changes occur without a corresponding administrative workflow.
- Monitor time changes as identity events: correlate Security event 4616 (The system time was changed) with authentication and password-change activity (4742 for computer accounts, 4738 for user accounts) on domain controllers and critical hosts. Treat unexpected clock adjustments, drift, or backward jumps as a sign that rotation enforcement may have been manipulated.
- Reduce direct control paths over non-human credentials: limit who can reset machine account and managed service account passwords, and review any delegated administration that can reach password-setting rights or time-setting rights (including the "Change the system time" user right). Separate operational convenience from control authority wherever possible.
- Harden domain time synchronisation: use authenticated time sources and review whether domain controllers can be influenced through unauthenticated NTP paths. If time is part of your password-enforcement logic, it deserves the same monitoring discipline as the account itself.
Key takeaways
- Active Directory password rotation can be subverted when attackers tamper with the password state or the time state that enforces expiry.
- The evidence points to persistence risk, not just a policy gap, because compromised machine and service accounts can remain usable while appearing legitimate.
- The control that matters is not rotation alone but verified enforcement across password history, time synchronisation, and delegated account modification paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-07 (Long-Lived Secrets) | A machine or service account kept usable past its rotation window is a long-lived secret; the control that should retire it has been hijacked. |
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services and hardware must be managed by the organisation; unauthorised control of credential state undermines that governance and its accountability. |
| NIST Zero Trust (SP 800-207) | Section 2.1, tenet 6 | All resource authentication and authorisation are dynamic and strictly enforced; time and credential trust are inputs to that continuous validation. |
Verify NHI rotation enforcement and alert on any state mismatch or unexpected credential reuse.
Key terms
- Machine Account Password Rotation: The automated process that changes a domain-joined computer’s password at regular intervals. In practice, the control only works if the local host and directory remain in sync and the rotation event is trustworthy. If either side is manipulated, the account can stay valid longer than intended.
- Managed Service Account: A non-human identity designed to run services and applications, with password changes handled automatically (by the host for a standalone MSA, by the domain controllers' Key Distribution Service for a group MSA) rather than by an administrator. It reduces manual secret handling, but it still depends on time, directory state, and correct delegation. If those assumptions fail, the lifecycle control can be bypassed.
- PwdLastSet: An Active Directory attribute that records when a password was last changed. It is used to enforce expiration and rotation logic, so any manipulation of that timestamp can delay or distort the control. Security teams should treat it as evidence, not as proof of compliance by itself.
- Time Synchronisation Integrity: The condition in which clocks across the domain are accurate, trusted, and resistant to tampering. For identity systems, time is part of access enforcement because many authentication and lifecycle rules depend on timestamps. If time is manipulated, credential validity can be extended without changing policy.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Silverfort: Microsoft’s built-in password rotation mechanism can be subverted to preserve NHI access. Read the original.
Published by the NHIMG editorial team on 2025-08-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org