According to Kerberos Researchers at Aorato, a disabled account in Windows’ network does not take effect immediately.
In fact, due to design considerations disabled accounts – and the same goes for deleted, expired and locked-out accounts – effectively remain valid up to 10 hours after they had supposedly been revoked.
The consequence? So-called disabled accounts expose the corporation to advanced attackers seeking to gain access to the corporate network. Unfortunately, traditional security measures, such as logs and SIEM products – which we rely upon to alert on such misuse – do not have the proper visibility to contain this type of threat.
Aorato named these supposedly “dead” (i.e. deleted/disabled) users who are actually still very much alive as “Zombie Users”.
According to Aorato, “Zombie Users” pose a very prevalent threat for the security of the enterprise. In the current employment market, many companies suffer from a very high employee turnover rate. In fact, in some Fortune 500 companies the median employee tenure is less than a year, which means that half of their workforce is replaced within a year’s time. All of these leaving employees must have their user account disabled and therefore each of them is a potential Zombie User. Combining this stat with the fact that 95% of Fortune 1000 companies use Windows’ based networks, yields a very ample attack surface for Zombie Users.
Read More at: