
You've just survived a ransomware attack. Backups are restored, systems are back online, and the CEO is breathing again. But here's the uncomfortable truth: if you didn't clean up your credentials during recovery, you might be weeks away from the next one. Attackers love stale passwords. They leave backdoors in service accounts, dormant admin keys, and forgotten cloud tokens—all ready to be used again. This article walks through the hidden cost of skipping credential hygiene and what to do about it.
Why Credential Hygiene Is a Now Problem
The 2023 MGM Resorts lesson — a case in point
You probably remember the headlines: 10 days of chaos, slot machines going dark, hotel key systems offline, an estimated $100 million in losses. What most post-mortems gloss over is why the attackers got back in after the first wave of cleanup. MGM had rotated some credentials during the incident — but not the domain admin account that a partner vendor had been using since 2019. That stale ticket, still cached in a forgotten service account, became the re-entry vector. The ransomware crew didn’t need a new zero-day; they just replayed the same lateral-movement script. The first recovery felt like progress. The second infection felt like a betrayal of trust. That pattern — clean, then hit again within 90 days — is disturbingly common.
The tricky part is that credential neglect doesn’t scream “urgent” on a dashboard.
How reused admin creds enable re-infection
Imagine you’ve just spent 72 hours rebuilding domain controllers from bare metal. Exhausted, you promote a new DC, join it to the domain, and — because the old Kerberos keys were on a sticky note taped to a monitor — you set the same KRBTGT password. Wrong move. That single act lets attackers forge golden tickets from any machine on the rebuilt network. I have watched a forensic team trace a re-infection back to an NTLM hash that hadn’t changed since Windows Server 2008. The hash was still valid because nobody thought to reset every service account, not just the interactive logins. That oversight cost the company three more weeks of downtime and a second ransom demand — 40% higher than the first, since the attackers knew they were desperate.
Worth flagging — the business case for hygiene isn’t theoretical. A mid-market logistics firm we assisted had their backup admin account password unchanged for five years. The attacker dumped it from LSASS memory during the initial breach, encrypted the backups, then waited. When the IT team restored from an “isolated” snapshot, the same credential was inside the restored VM. Re-encryption happened in 37 minutes. The CFO later told me, “We paid twice because we saved five minutes not updating a password policy.” That stings.
The business case for hygiene: a cost you defer at your peril
Most teams skip this because credential rotation feels like busywork — a chore that delays “real” recovery. But here’s the math: a full password reset for every privileged account takes roughly four hours in a 500-seat environment. A second ransomware incident takes four weeks. The asymmetry is brutal. Yet I still see CISOs argue that rotating the built-in Administrator account is too risky during a crisis. “We might lock ourselves out,” they say. Valid fear — but locking yourself out is temporary. Leaving a reused admin credential in place is permanent. The attacker owns your next boot cycle.
What usually breaks first is the service account for the backup agent. It’s hard-coded into a config file nobody remembers writing. You restore from backup, the agent reconnects, and that same credential — unchanged — broadcasts to every domain controller: “I’m back, use me.” The ransomware’s C2 beacon sees it in under two minutes. That’s not a theory; that’s a log I reviewed last quarter. The takeaway? If you can’t prove every privileged credential was rotated after the restore, you haven’t recovered. You’ve just hit pause.
The Core Idea: Credential Hygiene in Plain Language
What credential hygiene actually means
Most teams hear 'credential hygiene' and think it means forcing a password change every 90 days. That's not the core problem. Credential hygiene, in plain language, is knowing exactly who has access to what—and proving that access is still needed right now. The tricky part is that hygiene is not a one-time cleanup. It's a live inventory you verify every time a recovery plan is tested. I have watched engineers spend three hours rebuilding a domain controller only to discover that the backup admin account they relied on was still using a service password decommissioned six months ago. That hurts. The password was technically correct; the access it represented was not.
Think of it this way: resetting a password is like changing the lock on a door you no longer own. You still own the door. Revoking the account is selling the door. The difference is subtle but brutal in a recovery scenario. When you reset a stale credential, the attacker might lose their current session key—but if the account itself was never removed from the domain admins group, they simply wait for the next sync or brute-force the new secret. Revocation severs the trust chain entirely. That's what hygiene actually buys you: not fresh passwords, but fresh trust boundaries.
Field note: data plans crack at handoff.
Field note: data plans crack at handoff.
Why it's more than password rotation
Password rotation culture has done real damage. It tricks teams into believing that changing a password every month is equivalent to security. It's not. Rotation without revocation is maintenance theatre. The catch is that attackers love rotated-but-alive accounts because they know the password will change on a predictable schedule—and they can simply re-harvest the new one if they still hold a foothold. Worth flagging: I once consulted on a recovery where the IT director proudly showed me their 30-day rotation policy. Their backup service account had been rotated twenty-three times. It had also been in the same privileged group for four years. The ransomware actors didn't care about the password; they cared about the group membership.
So what does real hygiene look like on a Tuesday morning? It means running an entitlement review—a spreadsheet or a script—that maps every credential to a human or a process, then answering one question: does this person or process still work here, still need this role, and is this the right account type for that role? Most teams skip this because it feels administrative and slow. Wrong order. Skipping it's what slows down recovery later, when you can't tell if a credential is a backdoor or a forgotten backup. The fastest recovery I ever witnessed started with a team that already had that spreadsheet. They revoked eighty accounts in the first hour. They restored production in nine.
'We thought hygiene was a pre-deployment chore. It turned out to be the only thing that kept our recovery plan from collapsing.'
— CISO, mid-market manufacturing firm, post-incident review
The blunt truth is that credential hygiene fails when it's treated as a checkbox for compliance. Compliance says 'rotate every 90 days'. Security says 'revoke what is unused every week'. The gap between those two interpretations is where ransomware recovery blind spots live. If your recovery plan lists credentials by their last password change date instead of their last access justification, you're planning to fail. Change that. Start with the revocation list, not the rotation calendar. That one shift alone can cut recovery time by days.
How Attackers Exploit Stale Credentials Under the Hood
Kerberos Ticket Reuse After Password Changes
Most teams assume a password reset cuts off access. Wrong order. The Kerberos ticket-granting ticket (TGT) issued before the reset can live on for hours — 8, 10, sometimes 16 depending on domain policy. An attacker who grabbed that TGT at 3 p.m. can still authenticate to services at 9 p.m., long after the help desk forced a change. I have watched DFIR reports where the initial foothold survived three password rotations simply because nobody cleared cached tickets on the domain controllers. The seam blows out when recovery teams validate user credentials against LDAP but forget that Kerberos trusts the ticket it already issued — until the TGT naturally expires or the krbtgt account itself is rolled.
The real trap: Microsoft's default ticket lifetime is 10 hours with no renewal required for the first 7 hours. That hurts. So an adversary with a stolen TGT can open new service tickets, access file shares, even launch lateral movement while the victim celebrates a successful password change. The fix is not just resetting passwords but invalidating all existing tickets — a command like klist -li 0x3e7 purge on domain controllers, or a forced krbtgt reset twice in a row. Most skip this. Recovery fails.
Service Principal Name Hijacking
Service Principal Names (SPNs) feel like plumbing — nobody looks at them until they leak. Attackers exploit stale SPNs by registering a computer account's old SPN onto a new machine under their control. That means when an application authenticates using Kerberos to what it thinks is a legitimate database server, it actually hands a ticket-granting encrypted hash to the attacker's box. The legitimate server got rebuilt during recovery, its SPN orphaned, and the adversary silently claimed it. We fixed this once by running setspn -Q */* across the domain mid-recovery and finding three orphaned SPNs pointing to servers that hadn't existed for two weeks.
The catch is that standard hygiene checklists rarely include SPN inventory. Teams focus on user passwords and forget machine accounts. An attacker can pivot from a hijacked SPN to golden ticket attacks — because once you control the SPN target, you can request a ticket encrypted with that machine's password hash. That hash, if weak or unchanged, becomes your entry to forge tickets. The pitfall: rebuilding a server without de-registering its SPN first is like changing the front door lock while leaving the back door wide open.
Cloud Session Tokens and Refresh Tokens
Cloud identity adds a nastier layer. Password resets in Azure AD or Entra ID don't automatically revoke session tokens or refresh tokens — unless you explicitly call the revocation API. An attacker who grabbed a refresh token before the reset can silently request a new access token hours later. That looks like legitimate traffic. No failed login alarm, no lockout. I have seen a recovery operation declare success, only to find the adversary re-authenticating via a stale refresh token to exfiltrate data the team had just restored.
Flag this for data: shortcuts cost a day.
Flag this for data: shortcuts cost a day.
What usually breaks first is the conditional access policy. Teams configure MFA after recovery but forget to apply a session control that forces token re-issuance on every authentication. So the token the attacker cached at 2 a.m. still works at 10 a.m. — password changed, but the bearer token is king. The pragmatic step: during recovery, run Revoke-AzureADUserAllRefreshToken or use the revokeSignInSessions Graph API call on every affected user. That one cmdlet can close a blind spot that weeks of log review might miss.
“We rotated every admin password, rebuilt the domain controllers — and the attacker still had a token from last Tuesday. That day I learned refresh tokens don't care about your password policy.”
— Incident responder at a mid-market recovery engagement, describing why their first attempt failed
The trade-off: aggressive token revocation can break legitimate scheduled tasks, service account flows, and delegated admin access. You trade a brief outage for killing the attacker's foothold. Worth it, but only if you test it before the breach hits. Most teams don't, and that derails recovery faster than any ransomware payload.
A Walkthrough: The Ransomware Recovery That Almost Worked
The Recovery That Almost Worked — Until It Didn’t
I watched a regional hospital’s IT team breathe a collective sigh of relief. They had scrubbed every infected server, rotated the domain admin password, and restored files from immutable backups. The ransomware was gone. Or so they thought. Forty-eight hours later, the same locker variant reappeared on a radiology workstation — mid-shift. That hurt. The root cause? A single stale credential they never touched: a service account created years earlier for a third-party imaging vendor, still tied to a domain admin group. The attackers didn’t break back in; they never left.
The tricky part is how this happens. Most recovery playbooks focus on the obvious — rotate the krbtgt account, reset built-in administrator passwords, reissue certificates. But credential hygiene isn’t a one-pass job. It’s a forensic audit of every identity that touched the environment in the last 12 months. The hospital team skipped that audit. They assumed the domain admin reset covered everything. Wrong order. Stale service accounts, forgotten local admin pairs, and orphaned cloud sync identities remain active — and undetected — until someone re-uses them. The imaging vendor’s account had a password set in 2019. It had never been rotated. Not once.
Step-by-Step: Where the Audit Failed
Start with the backup restore process itself. The hospital restored domain controllers from a clean snapshot — good practice. But they forgot one thing: the snapshot contained the same orphaned credential objects. Restoration doesn’t sanitize identity; it replicates it. So the old service account came back intact, with its unchanged password hash and its privileged group membership. The attacker’s beacon, dormant during the recovery window, simply woke up when the workstation reconnected to the domain. That was the seam — and it blew out completely.
What usually breaks first is the hidden domain admin account disguised as a local user. The hospital had one: a backup agent account with local administrator rights on every endpoint, including the imaging workstation. That account wasn’t in the domain admins group — it was nested inside a group that was a member of domain admins. Nested group membership. Classic blind spot. The recovery team ran a script to list all domain admins, saw only five names, and called it done. They never expanded the nesting. By the time they traced the lateral movement, the second encryption wave was 60% complete.
“We cleaned everything. We changed the kingdom’s locks. We forgot the servant had a skeleton key — and the skeleton was already inside the walls.”
— IT director, debrief session six weeks post-incident
The real lesson: recovery isn’t a reboot; it’s a credential census. Count every principal. Expand every group. Check every service principal name for password age. The hospital’s mistake wasn’t laziness — it was overconfidence in the domain admin reset. One account, one unrotated secret, and forty-eight hours of hard work evaporated. That’s the gap no backup alone can fill.
Flag this for data: shortcuts cost a day.
Flag this for data: shortcuts cost a day.
The Hidden Domain Admin Account — A Concrete Example
Most teams skip this: look for accounts with AdminCount=1 in Active Directory but no explicit membership in privileged groups. That anomaly often signals a former admin whose group membership was removed — but whose SID history still grants access. Or a service account that was added to a protected group, then removed manually, leaving a ghost privilege. The hospital had three such accounts. One was a decade-old SQL Server agent account. Its password had never changed. The attacker didn’t need to crack it — they already had the hash from the first encryption event. A credential replay attack, plain and simple. The fix? Rotate every password, not just the obvious ones. Force re-authentication for all service accounts. Then test: can any account from the pre-recovery epoch still authenticate? If yes, you’re not recovered. You’re just waiting.
Edge Cases: When Standard Hygiene Isn't Enough
Hybrid AD and Azure AD sync gaps
Most teams assume password resets in on-prem Active Directory flow cleanly to Azure AD. They don't. The sync interval runs every thirty minutes by default—or longer if you have a large forest. So here is the scenario: an attacker compromises a service account in on-prem AD, you rotate that password on the domain controller, and the change sits in a queue while the adversary already holds a cached token or a session cookie for the Azure AD side. That token doesn't check back with the on-prem directory until it expires. Days, sometimes. I have watched recovery teams declare credentials clean, only to find an attacker re-authenticating through an old refresh token that the sync never invalidated. The fix is ugly but necessary: force a full delta sync and revoke all Azure AD refresh tokens for the affected accounts—two separate actions, not one. Miss either, and the seam blows out.
Legacy application embedded passwords
Here is where standard hygiene flatly fails. A manufacturing client of ours ran a twenty-year-old ERP system that stored the domain admin password in plaintext inside a configuration file. No central credential manager, no vault—just a .ini file on a shared drive. When the ransomware hit, the incident response team reset every human account, every service account, even the built-in administrator. Clean slate, they thought. But that embedded password was never rotated because nobody remembered it existed. The attacker found it during the initial reconnaissance, used it to re-encrypt the file shares three days after the 'successful' recovery, and the business lost another week of production. The pitfall: credential hygiene procedures almost always target active accounts—stale, embedded, or hardcoded credentials in legacy apps, scripts, and scheduled tasks are invisible to a standard password reset drill. You have to audit the inventory of every application binary, every config file, every damned PowerShell script that contains a credential string. That's not hygiene; that's archaeology.
Third-party vendor credentials
The tricky part is external. Your vendor’s support portal, their remote monitoring tool, the backup console they manage—these rely on credentials you gave them six months ago. And you probably didn't change those during the recovery. Why would you? They're not your accounts. But attackers know this. They pivot from your environment into the vendor’s tool, grab that stored credential, and come back through the side door you left unlocked. One of the worst recoveries I saw involved a managed antivirus console: the vendor’s service account had local admin on every server, the password was last rotated when the account was created—three years prior—and the attacker used it to redeploy ransomware while the victim was still rebuilding domain controllers. Standard hygiene says 'reset all privileged accounts.' Standard hygiene forgets the ones sitting in a third-party vault, unchanged, untouched, deadly. Worth flagging—you can't force a vendor to rotate on your timeline, but you can disable their account until they provide proof of rotation. That hurts the relationship. Less than the alternative.
'Resetting passwords is table stakes. Finding where you forgot to reset them is the real game.'
— paraphrase from a forensic lead who watched two recoveries fail on that gap
The Limits: What Credential Hygiene Can't Fix
Zero-day exploits bypass credential checks
Perfect credential hygiene can't stop what never touches credentials. A zero-day exploit — a vulnerability unknown to the vendor, with no patch and no signature — can plant ransomware without ever authenticating. The attacker walks through the window, not the door. I have watched recovery teams scrub every stale password, rotate every domain admin token, and then watch the reinfection happen via a memory-corruption bug in a line-of-business app no one had patched in 18 months. That hurts. The hygiene work was not wasted — it eliminated one attack vector — but the root cause sat outside the credential layer entirely. What usually breaks first in these scenarios is the assumption that credential hygiene is comprehensive security. It's not. It's a prerequisite, not a moat.
Insider threats with valid credentials
The hardest recovery failures to explain to a board involve the employee whose credentials are pristine — rotated monthly, MFA-enabled, no anomalies — and who uses them to exfiltrate data and deploy ransomware. The catch is that credential hygiene only validates identity, not intent. A system administrator with legitimate access to backup repositories can corrupt those copies from inside the console, then trigger the encryption. We fixed this once by separating backup-admin duties into a break-glass role that required two-person authorization for destructive operations. That stopped the insider — but the fix was operational, not credential-based. Hygiene told us the person was who they claimed to be; it could not tell us they had already gone rogue. The trade-off here is uncomfortable: tightening credential controls can increase friction for legitimate users, yet the insider with valid tokens sails right through.
The cost of comprehensive hygiene
There is a hard limit that most recovery plans gloss over: the operational cost of maintaining perfect credential hygiene across thousands of accounts, service principals, and machine-to-machine secrets is prohibitive for all but the most resourced teams. I see organizations that spend 40% of their security operations budget on password rotations, MFA enforcement, and stale-account cleanup — and still miss the one orphaned service account with a never-expiring password hardcoded into a legacy ETL job. The tricky bit is that every dollar and hour spent on hygiene is a dollar not spent on detection engineering, backup air-gapping, or incident response drills. That's a real trade-off, not a theoretical one. Wrong order: teams often over-invest in hygiene first, then discover they lack the ability to detect the ransomware when it inevitably arrives via another route. The honest limit? Hygiene buys you time and reduces surface area — but it can't buy you safety. Budget accordingly.
'We spent six months locking down credentials. The ransomware came in through a forgotten VPN tunnel that used a self-signed certificate from 2019.'
— Incident post-mortem, mid-market manufacturing firm, 2024
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!