Microsoft’s built-in password rotation mechanism is designed to protect on-premises Non-Human Identities (NHIs), such as machine accounts in Active Directory (AD). On the surface, it appears to be a strong defense—automated, scheduled, and structured to minimize security risks. This safeguard, however, can be subverted—allowing attackers to create a persistent foothold.
An adversary can manipulate the rotation process across an entire environment or a specific machine account through a Man-in-the-Middle (MITM) attack. Attackers may also bypass the process entirely by compromising machine account passwords and changing them directly, thereby hijacking the rotation mechanism without interfering with network traffic.
By either manipulating time synchronization or directly modifying passwords, attackers can disrupt or take control of the password rotation process. Time manipulation prevents scheduled rotations, while direct modification grants control over specific accounts—both enabling long-term persistence and evading detection.
Security controls of on-premises NHIs
Service accounts are non-human identities used to run applications, services, and automated tasks in an on-prem AD environment. These accounts often use static passwords that never change, which poses a significant security risk. Once such an account is compromised, attackers can use its credentials for:
- Theft & Lateral Movement: Utilizing the account’s privileges to move laterally.
- Privilege Escalation: Gaining administrative access through elevated privileges.
- Long-Term Persistence: Maintaining access without detection or expiration.
To mitigate such risks, password rotation ensures that account credentials change periodically. There are two primary types of accounts implementing password rotation:
- Machine Accounts: Represent domain-joined computers; password changes are managed by the local operating system.
- Managed Service Accounts (MSAs): Designed for services and applications; password rotation is enforced by the Domain Controller (DC).
| Account type | Purpose | Who manages rotation? |
|---|---|---|
| Machine accounts | Computer authentication within the domain | Local operating system |
| Standalone MSAs | Single-server application authentication | Domain Controller (DC) |
| Group MSAs (gMSAs) | Shared across multiple machines | Domain Controller (DC) |
| Delegated MSAs | Extension of gMSAs with delegated admin control | Domain Controller (DC) |
Understanding these differences is critical, as attackers exploit rotation mechanisms differently per account type. For instance, machine accounts can be hijacked via RPC methods such as MS-SAMR, while MSAs require manipulation of the DC rotation process.
Attack vector 1: Disabling machine account password rotation
In Active Directory, machine account password rotation is the responsibility of the client system, typically a domain-joined Windows host. The local operating system automatically rotates its machine account password every 30 days by default. To do so, it remotely communicates with the Domain Controller (DC) using the Security Account Manager Remote Protocol (MS-SAMR) over RPC.
This protocol provides a set of administrative operations for managing user and computer accounts in Active Directory. One of the key functions used by the client to perform remote password updates is hSamrUnicodeChangePasswordUser2, which enables the authenticated client to change the password associated with its machine account in the directory.
Mechanics of the attack
However, this mechanism can be hijacked. Once an attacker holds the machine account's credentials, they can use MS-SAMR, specifically hSamrUnicodeChangePasswordUser2, to change the account's password in Active Directory directly, without involving or notifying the legitimate host.
Both the domain-joined machine and the DC store a copy of the password, so an unauthorized change creates a mismatch that severs the trust between them: the attacker now holds the only valid credential, and the legitimate host is locked out of the domain.
No further scheduled rotation occurs, because the host can no longer authenticate to the DC to perform one, yet the AD computer object remains valid indefinitely. The attacker gains persistent access, while the broken trust leaves the compromised machine unusable on the domain.
Manipulating password rotation with time attacks
To improve service credential security, Microsoft introduced standalone MSAs in Windows Server 2008 R2. MSAs rely on the DC for password management, but this centralization introduces new attack vectors.
By manipulating system time on either the DC or service host, attackers can delay scheduled password changes. Since AD relies on timestamps, rolling the clock backwards postpones rotation and maintains access.
How time affects password rotation
Active Directory uses the PwdLastSet attribute to determine when an account’s credentials were last rotated. This timestamp is critical for enforcing password expiration policies. Accurate time synchronization is vital for AD operations, including password policies and Kerberos authentication.
The role of NTP in time synchronization
Enterprises typically rely on external NTP for time accuracy. Windows uses NTP version 3 by default, which lacks message integrity protections.
Windows time synchronization (w32tm) overview
The Windows Time Service (w32tm) synchronizes domain time. In this case, the Domain Controller has two roles:
- Acts as a time server, distributing time to domain members.
- Syncs with external NTP servers as a time client.
Key security parameters include:
- MaxPosPhaseCorrection and MaxAllowedPhaseOffset: Max time adjustments allowed per sync.
- Secure Time Seeding (STS): Uses TLS timestamps for tampering detection but is limited, especially post-TLS 1.3.
Disrupting password rotation via domain time manipulation
MITM attacks between the DC and NTP source can gradually shift the DC’s time without detection. w32tm allows up to 48 hours of correction per sync, updated every 64 seconds.
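The following script is an added example for this article, not Microsoft tooling, that audits the w32tm parameters discussed above. It parses the text layout printed by `w32tm /query /configuration` (the sample output embedded below is constructed and mirrors the 48-hour, 64-second defaults described here) and flags MaxPosPhaseCorrection and MaxNegPhaseCorrection values that let a single sync move the clock by hours; the one-hour limit is an assumed policy threshold, not a Microsoft recommendation.

```python
"""Audit Windows Time Service (w32tm) settings that bound how far one NTP
sync can move a clock.

Added example for this article, not Microsoft code. Parses the text layout
printed by `w32tm /query /configuration` (a CONSTRUCTED sample is embedded so
the script runs offline) and flags phase-correction limits large enough for a
single sync to shift the clock by hours. The one-hour threshold is an
assumption for illustration.
"""
import re

# Constructed sample modelled on `w32tm /query /configuration` output. The
# phase-correction values are the domain-controller defaults the article
# describes: 172800 seconds (48 hours) per sync, polled every 2^6 = 64 seconds.
SAMPLE_W32TM_CONFIG = """\
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
"""

# Same layout with the correction limits tightened (constructed, for contrast).
HARDENED_W32TM_CONFIG = SAMPLE_W32TM_CONFIG.replace("172800", "3600")

UNLIMITED = 0xFFFFFFFF             # w32tm treats this value as "no limit"
MAX_PHASE_CORRECTION_LIMIT = 3600  # assumed policy: at most one hour per sync

# Matches lines such as "MaxPosPhaseCorrection: 172800 (Local)".
SETTING_RE = re.compile(r"^\s*(\w+):\s*(\d+)\s*\((\w+)\)\s*$", re.MULTILINE)


def parse_w32tm_config(text):
    """Return {setting: (value, source)} for every integer setting found."""
    return {name: (int(value), source)
            for name, value, source in SETTING_RE.findall(text)}


def poll_interval_seconds(settings):
    """w32tm stores poll intervals as log2 of the interval in seconds."""
    return 2 ** settings["MinPollInterval"][0]


def audit_phase_correction(settings, limit=MAX_PHASE_CORRECTION_LIMIT):
    """Flag limits that let one sync move the clock by more than `limit` seconds."""
    findings = []
    for key in ("MaxPosPhaseCorrection", "MaxNegPhaseCorrection"):
        if key not in settings:
            findings.append(f"{key}: not set (defaults apply; verify on the host)")
            continue
        value, source = settings[key]
        if value == UNLIMITED:
            findings.append(f"{key} is unlimited ({source}): a single NTP reply may set any time")
        elif value > limit:
            hours = value / 3600
            findings.append(f"{key}={value}s ({source}) allows {hours:g} h of correction "
                            f"per sync; policy limit is {limit}s")
    return findings


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_W32TM_CONFIG), ("hardened", HARDENED_W32TM_CONFIG)):
        cfg = parse_w32tm_config(text)
        print(f"[{label}] poll every {poll_interval_seconds(cfg)} s")
        for line in audit_phase_correction(cfg) or ["no findings"]:
            print("  -", line)
```

Run it against the captured output of `w32tm /query /configuration` from each DC; the source column ("Local" versus "Policy") tells you whether a tightened value is enforced by Group Policy or only set locally.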
Attack vector 2: Time manipulation of MSA password rotation
The attacker first manipulates the DC’s clock and then triggers password rotation through one of the following methods:
- Direct Request: A user or a service with privileges over the Managed Service Account.
- Natural Trigger: Allowing the Managed Service Account to reauthenticate naturally.
When credentials are rotated while the system time is artificially set ahead, the PwdLastSet attribute records that future timestamp. Reverting the clock afterwards effectively delays the next scheduled rotation, bypassing enforcement.
Key advantage
All domain members synchronize with the DC, maintaining Kerberos authentication and minimizing detection. This synchronization masks the time manipulation from endpoint systems, ensuring stealth and continuity of service.
Consequences of the attack
These attacks can lead to long-term persistence within the environment by bypassing expiration controls via timestamp manipulation. Once an attacker rotates credentials with an altered time setting, subsequent rollbacks prevent further rotations, effectively nullifying security enforcement. The compromised account continues to function with a valid token, undetected.
In addition to persistence, such time-based manipulation allows for evasion of password policies and potential privilege escalation. The rollback of system clocks may also lead to intermittent service failures and authentication issues, creating operational disruption and making detection more difficult.
Mitigation strategies
Organizations should implement secure time synchronization using authenticated NTP protocols such as NTPv4, which supports message integrity and authentication. Monitoring critical event logs can also help detect unusual behavior: Event ID 4616 (the system time was changed) and Event ID 4742 (a computer account was changed, including its password) are particularly relevant.
Additionally, implement monitoring for abnormal PwdLastSet patterns across service and machine accounts. These indicators can reveal attempts to manipulate rotation schedules or maintain stealth access. With these measures in place, the risk of stealthy, time-based attacks can be significantly reduced.
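The script below is an added example for this article, not a vendor product, showing the PwdLastSet monitoring recommended here together with the 4616/4742 correlation. It also demonstrates the fingerprint the time attack above leaves behind: a PwdLastSet stamped ahead of the collector's own clock. All records are constructed (an LDAP-style account snapshot and a few events shaped like Event ID 4616, with its PreviousTime/NewTime fields, and Event ID 4742). The 30-day machine-account interval comes from the article; the 30-day MSA interval, the 5-minute skew allowance and the 1-hour correlation window are assumptions.

```python
"""Spot password-rotation tampering from pwdLastSet values and Security-log events.

Added example for this article, not a vendor tool. Every record below is
CONSTRUCTED. Intervals, skew and correlation window are assumptions.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, in integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


# Constructed reference time ("now" on the log collector).
NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed account snapshot: (sAMAccountName, account kind, pwdLastSet).
ACCOUNTS = [
    ("WS01$", "machine", datetime_to_filetime(NOW - timedelta(days=12))),    # healthy
    ("WS02$", "machine", datetime_to_filetime(NOW - timedelta(days=75))),    # rotation stalled
    ("svc-backup$", "msa", datetime_to_filetime(NOW + timedelta(days=20))),  # stamped in the future
    ("svc-web$", "msa", datetime_to_filetime(NOW - timedelta(days=3))),      # healthy
]

# Assumed rotation intervals per account kind (machine: article; msa: assumption).
MAX_PASSWORD_AGE = {"machine": timedelta(days=30), "msa": timedelta(days=30)}


def audit_pwd_last_set(accounts, now=NOW, max_age=MAX_PASSWORD_AGE, skew=timedelta(minutes=5)):
    """Return (account, reason, pwdLastSet) for future-dated or overdue passwords.

    A pwdLastSet ahead of the collector's clock means the DC stamped the
    rotation while its clock was pushed forward; a pwdLastSet far older than
    the rotation interval means rotation has stopped.
    """
    findings = []
    for name, kind, filetime in accounts:
        last_set = filetime_to_datetime(filetime)
        if last_set > now + skew:
            findings.append((name, "pwdLastSet is in the future", last_set))
        elif now - last_set > max_age[kind]:
            findings.append((name, "rotation overdue", last_set))
    return findings


# Constructed Security-log records. "seen" is the collector's receive time, which
# stays trustworthy even when the DC's own clock (and its event timestamps) jump.
EVENTS = [
    {"id": 4616, "host": "DC01", "seen": NOW - timedelta(hours=2),
     "previous_time": NOW - timedelta(hours=2), "new_time": NOW + timedelta(days=20)},
    {"id": 4742, "host": "DC01", "seen": NOW - timedelta(hours=1, minutes=50),
     "target": "svc-backup$"},
    {"id": 4742, "host": "DC01", "seen": NOW - timedelta(days=12), "target": "WS01$"},
]


def correlate_clock_and_password_events(events, window=timedelta(hours=1),
                                        min_jump=timedelta(hours=1)):
    """Pair large 4616 clock changes with 4742 account changes that follow within `window`."""
    findings = []
    for jump in events:
        if jump["id"] != 4616 or abs(jump["new_time"] - jump["previous_time"]) < min_jump:
            continue
        findings.append((jump["host"], "system time changed by more than the threshold", jump["seen"]))
        for event in events:
            if event["id"] == 4742 and jump["seen"] <= event["seen"] <= jump["seen"] + window:
                findings.append((event["target"],
                                 f"account changed within {window} of clock change on {jump['host']}",
                                 event["seen"]))
    return findings


if __name__ == "__main__":
    for finding in audit_pwd_last_set(ACCOUNTS) + correlate_clock_and_password_events(EVENTS):
        print(*finding)
```

In production, feed `audit_pwd_last_set` from a periodic LDAP export of `pwdLastSet` and compare against the collector's clock rather than a DC's, since a manipulated DC will agree with its own timestamps; correlate 4616 and 4742 on the collector's receive time for the same reason.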