
Volume 335, Issue 3 · IT Vendor News · Tenable

Dynamic Objects In Active Directory: The Stealthy Threat

Tenable, Friday, February 20th, 2026

Active Directory's "dynamic objects" feature offers attackers a perfect evasion cloak.

Key takeaways:

The threat: Dynamic objects self-delete without leaving any trace (no "tombstone", in AD parlance), which hinders security teams' post-attack audits. For example, the default machine account quota (MAQ) configuration lets attackers create machine accounts and use them for malicious purposes, but usually attackers cannot delete them afterwards. Dynamic objects, however, allow such attack traces to self-destruct.

The impact: While the dynamic object itself disappears, its footprint remains. The deletion leaves behind confusing "ghost" data, such as unresolved security identifiers (SIDs) in critical access control lists (ACLs), broken group policy object (GPO) links, and stale Entra ID users. These artifacts break logical links and make forensic reconstruction nearly impossible because the source object no longer exists.

The defense: Because post-mortem forensics fail, you must detect the attack while it is still active. Security teams must implement near real-time monitoring and alerting for the creation of objects carrying the entryTTL or msDS-Entry-Time-To-Die attributes, and correlate those objects with orphan SIDs in ACLs to identify the breach before the evidence destroys itself.
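The detection-and-correlation approach described above, as an added example that is not part of the Tenable article or of any Tenable tooling: it runs over a constructed snapshot of directory objects and ACEs (all DNs, SIDs and attribute values are made up), flags objects that carry a TTL, lists ACEs whose domain trustee SID no longer resolves, and joins the two so that rights held by a still-live dynamic object are reviewed before it expires.

```python
from datetime import datetime, timedelta, timezone

# Constructed snapshot of directory objects (a few attributes only); entryTTL is
# the remaining lifetime in seconds, msDS-Entry-Time-To-Die the absolute UTC expiry.
NOW = datetime(2026, 2, 20, 12, 0, tzinfo=timezone.utc)
DOMAIN_SID = "S-1-5-21-1-2-3"  # constructed domain SID prefix
OBJECTS = [
    {"dn": "CN=WS01,CN=Computers,DC=corp,DC=example",
     "objectClass": ["top", "computer"], "objectSid": DOMAIN_SID + "-1105"},
    {"dn": "CN=TMP01,CN=Computers,DC=corp,DC=example",
     "objectClass": ["top", "computer", "dynamicObject"], "objectSid": DOMAIN_SID + "-1200",
     "entryTTL": 3600, "msDS-Entry-Time-To-Die": NOW + timedelta(hours=1)},
]
# Constructed ACEs as (securable object DN, trustee SID, right). The last trustee no
# longer exists: this is the kind of "ghost" entry left behind after a dynamic object expires.
ACES = [
    ("CN=AdminSDHolder,CN=System,DC=corp,DC=example", DOMAIN_SID + "-1105", "GenericAll"),
    ("CN=AdminSDHolder,CN=System,DC=corp,DC=example", DOMAIN_SID + "-1200", "GenericAll"),
    ("CN=Policies,CN=System,DC=corp,DC=example", DOMAIN_SID + "-9999", "WriteDacl"),
]

def dynamic_objects(objects, now=NOW):
    """Alert on every object that carries a TTL; report seconds until it self-deletes."""
    found = []
    for o in objects:
        if ("entryTTL" not in o and "msDS-Entry-Time-To-Die" not in o
                and "dynamicObject" not in o["objectClass"]):
            continue
        ttd = o.get("msDS-Entry-Time-To-Die")
        remaining = o.get("entryTTL", int((ttd - now).total_seconds()) if ttd else None)
        found.append({"dn": o["dn"], "sid": o.get("objectSid"), "expires_in": remaining})
    return found

def orphan_sids(aces, objects):
    """ACEs whose trustee is a domain SID with no matching object (unresolved / ghost SID).
    Well-known and built-in SIDs are outside the domain prefix and are deliberately skipped."""
    live = {o["objectSid"] for o in objects if "objectSid" in o}
    return [ace for ace in aces if ace[1].startswith(DOMAIN_SID + "-") and ace[1] not in live]

def expiring_trustees(aces, objects, now=NOW):
    """Correlation step: ACEs granted to a dynamic object that is still alive. These are the
    entries that will become orphan SIDs once the object expires, so they need review now."""
    dyn = {d["sid"]: d for d in dynamic_objects(objects, now)}
    return [(obj, sid, right, dyn[sid]["expires_in"])
            for obj, sid, right in aces if sid in dyn]
```

In a live deployment the snapshot would be replaced by an LDAP search for objects with msDS-Entry-Time-To-Die set, run on a short interval so an alert fires well inside the object's TTL.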
