Identity Threat Detection and Response (ITDR): Detecting and Defending Against Identity Attacks

Ninety percent of all advanced persistent threats exploit compromised identities. Not malware, not exploits—identities. Attackers steal credentials, escalate privileges, move laterally through Active Directory, and persist in the environment—for months, undetected. Identity Threat Detection and Response (ITDR) is the answer to this reality.

Why Identity Attacks Are So Hard to Detect

The Fundamental Problem

Legitimate activity and attacker activity look identical to SIEM systems:

Legitimate Activity:

• IT admin logs in → reads AD objects → changes group policies
• Security scanner performs LDAP query → checks user attributes
• Service account accesses database → sends Kerberos ticket

Attacker activity (looks identical):

• Compromised admin account logs in → reads AD (recon!)
• Pass-the-hash: Kerberos ticket with stolen NTLM hashes
• DCSync: DRSUAPI call to read all password hashes (looks like replication!)
• Golden Ticket: Valid Kerberos ticket with forged PAC

SIEM Gaps in Identity Attacks

• Too many legitimate Kerberos requests → threshold too high
• LDAP queries from admins are normal → Reconnaissance not detected
• DCSync originates from DC accounts → classified as replication by SIEM
• Pass-the-Hash: valid ticket, no malware IOC

> Identity attacks often produce no classic malware indicators!

The most important identity attack techniques

Golden Ticket (T1558.001)

• Prerequisite: KRBTGT hash (from DCSync or ntds.dit)
• Attack: Self-signed Kerberos TGT with arbitrary PAC values
• Effect: Access as any user, including Domain Admin, valid for 10+ years!
• Identifying characteristics:
  • TGT lifetime > 10 hours (default value!)
  • TGT attribute values do not match the user object in AD
  • KDC event 4769 without preceding 4768

Silver Ticket (T1558.002)

• Prerequisite: Service account NTLM hash (e.g., MSSQL service)
• Attack: Forged Kerberos service ticket for this service
• Effect: Direct access to the service without KDC involvement!
• Identifying characteristics:
  • Service events without a preceding KDC-4769
  • Ticket encryption type: RC4 (instead of AES256)

DCSync (T1003.006)

• Prerequisite: Replication rights (DA/DC or stolen)
• Attack: DS-Replication-Get-Changes-All DRSUAPI calls
• Effect: All password hashes from AD, including KRBTGT!
• Detection criteria:
  • Event 4662 with DRSUAPI property GUIDs
  • From a non-DC source (DCs only replicate among themselves!)
  • Mimikatz signature on the network (DRSUAPI calls from the workstation)

Pass-the-Hash / Pass-the-Ticket (T1550)

• Pass-the-Hash: NTLM hash instead of password for authentication
• Pass-the-Ticket: Stolen Kerberos ticket for lateral movement
• Detection criteria:
  • Authentication from host without prior credential entry
  • NTLM authentication despite Kerberos policy
  • Event 4624 Logon Type 9 (NewCredentials) + 4648 (Explicit Credentials)

Kerberoasting (T1558.003)

• Attack: SPN accounts (Service Principal Names) → Request TGS → Crack TGS offline (no password errors in the log!)
• Detection criteria:
  • Many TGS requests (4769) with RC4 encryption
  • Requests for SPNs at unusual times
  • Account that has never interacted before → requests many SPNs

MFA bypass - Adversary-in-the-Middle (AiTM)

• Attack: Evilginx, Modlishka, Muraena as proxy → Phishing site proxied legitimate login (including MFA!) → Session cookie stolen (POST-MFA!)
• Detection criteria:
  • Impossible Travel: Login from Germany + immediately to the USA
  • Unknown device/browser fingerprint after login
  • Token replay from a different IP than the original login

ITDR Solution Approaches

Category 1 - Active Directory-focused

Microsoft Defender for Identity (MDI)

• Formerly: Azure ATP (Advanced Threat Protection)
• Deployment: Sensor on DCs (Domain Controllers)
• Analyzes AD DS traffic + event logs in real time
• Detects: DCSync, Kerberoasting, Golden Ticket, Password Spraying
• ATT&CK Coverage: ~40+ identity-specific techniques
• Integration: Microsoft Sentinel, Defender for Endpoint
• Cost: Included in Microsoft 365 E5 / Defender for Endpoint Plan 2

CrowdStrike Falcon Identity

• Agent-based on DCs + workstations
• Real-time prevention (not just detection!)
• Prevents pass-the-hash BEFORE authentication occurs
• Identity Behavior Graph: Baseline of normal user activity

Vectra AI (Detect for Active Directory)

• ML-based anomaly detection in AD traffic
• No signatures, only behavioral baselines
• Suitable for hybrid AD + Azure AD environments

Category 2 - Identity Infrastructure Protection

Silverfort

• Agentless MFA for every resource (including legacy systems!)
• Protects service accounts (that lack standard MFA)
• Risk-based authentication rules
• Identity Firewall: blocks lateral movement based on identity risk

Illusive Networks

• Identity Risk Assessment: which service accounts have too many privileges?
• Deception component: fake credentials on endpoints
• If a fake admin account is used → immediate alert!

Category 3 - Integrated Platforms

Microsoft Entra ID Protection

• Risk-based conditional access
• User risk + sign-in risk based on ML scoring
• Enforces MFA/password reset for risky logins

SailPoint IdentityIQ + ITDR

• IGA (Identity Governance) + ITDR combined
• Access certification + anomaly detection
• Continuous least privilege enforcement

Prioritize Detection Use Cases

CRITICAL (immediate alert → manual investigation)

1. DCSync detection (KQL - Microsoft Sentinel / Defender):

SecurityEvent
| where EventID == 4662
| where Properties contains "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  // DS-Replication-Get-Changes-All
| where SubjectUserName !endswith "$"  // Not from DC computer account
| project TimeGenerated, SubjectUserName, IpAddress, Computer

2. Kerberoasting Detection:

SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"  // RC4 instead of AES!
| where TargetUserName !endswith "$"
| where ServiceName !startswith "krbtgt"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), IpAddress
| where RequestCount > 10  // >10 TGS in 1h → Kerberoasting!

3. Golden Ticket (Long Lifetime):

SecurityEvent
| where EventID == 4769
| extend TicketOptions = extract(@"Ticket Options:\s+0x(\w+)", 1, EventData)
| where TicketOptions == "40810010"  // Forwarded + Renewable
| where TicketEndTime - TicketStartTime > 10h  // >10h Lifetime

4. Impossible Travel:

AADSignInEventsBeta  // Microsoft 365 Defender
| summarize Locations = make_set(Location),
            IPs = make_set(IPAddress) by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(Locations) > 1
// Manual review: Germany + USA in 1 hour?

HIGH (Alert with automated response)

5. Pass-the-Hash Indicators:

SecurityEvent
| where EventID == 4624
| where LogonType == 9  // NewCredentials (PtH indicator!)
| where AuthenticationPackageName == "NTLM"

6. New Admin Group Membership:

SecurityEvent
| where EventID == 4728  // User added to security group
| where TargetUserName in ("Domain Admins", "Enterprise Admins", "Schema Admins")
// Immediate alert for every change to these groups!

Countermeasures and Hardening

IMMEDIATELY

1. Tiered Administration Model

• Tier 0: DCs, PKI, Federation (Tier-0 admins ONLY!)
• Tier 1: Server administration
• Tier 2: Workstation administration
• No Tier 0 admin logs in to Tier 1/2 systems!
• Authentication Policy Silos + Kerberos Armoring

2. Rotate KRBTGT password

• Every 6–12 months (or after compromise)
• Rotate twice! (Kerberos interoperability: old password cached)
• Invalidates all Golden Tickets!

3. Enforce Kerberos AES-only > Group Policy: Network Security → Kerberos Encryption Types → Disable RC4 → Makes Kerberos cracking more difficult (AES hashes are slower to crack!)

4. Protected Users Security Group

• Add DAs and EAs to the Protected Users group!
• Prevents: NTLM authentication, RC4 Kerberos, credential caching
• Kerberos tickets valid for max. 4 hours

5. Service Account Hardening

• Managed Service Accounts (MSA/gMSA) instead of regular accounts
• MSA: automatic password rotation, no interactive login
• LAPS for local admin passwords (each workstation individually!)
• Kerberoasting: Move SPNs to gMSAs (very long passwords = uncrackable)

MEDIUM TERM

6. Privileged Identity Management (PIM)

• Just-in-time admin access: Rights only when necessary, time-limited
• Azure AD PIM / CyberArk / BeyondTrust
• Every DA activation → Approval + ticket number required

7. Conditional Access with Identity Risk

• User Risk Policy: High → Force password reset
• Sign-In Risk: Medium → Force MFA
• Compliant Device: Only managed devices with Entra-Join

8. Credential Hygiene

• Have I Been Pwned integration: Block compromised passwords
• LAPS v2: Windows LAPS (integrated into Windows Server 2022/Windows 11)
• Prevent pass-the-hash attacks: Credential Guard (Hyper-V-based)
• Enable Windows Defender Credential Guard GPO!

---

Identity attacks are the most common and dangerous attack vector in modern enterprise networks. ITDR bridges the gap between traditional SIEM tools and the realities of modern identity attacks. AWARE7 supports the implementation and evaluation of ITDR solutions as part of red team engagements and security architecture reviews.

Request an ITDR Assessment | Active Directory Penetration Test