In 2025, during a real engagement in California, we came across a surprising situation: old accounts in Active Directory that had been disabled were brought back to life. We called it The Walking Dead of Active Directory.

In this talk, we’ll show how we were able to re-enable these accounts and what that means from an attacker's perspective. We’ll also look into how the Active Directory Recycle Bin (ADRB) can be abused to restore disabled/deleted accounts and objects, giving attackers a way to silently bring back access without triggering alerts.

If you think old accounts are gone for good, think again. This session will show you why it's important to monitor and secure every part of AD, even the trash bin.