TL;DR
Identity is now the primary attack surface in enterprise environments. In 2026, 97% of identity attacks remain password-based (Microsoft MDDR), stolen credentials are the initial access vector in 22% of confirmed breaches (Verizon DBIR 2025), and 6 billion passwords were exfiltrated by malware in 2025 alone. Yet most organizations still run endpoint-centric security programs that are structurally blind to identity-layer compromise. This playbook maps the full identity attack kill chain — from Kerberoasting to DCSync to Golden Ticket — against concrete detection rules, logging requirements, and an actionable hardening checklist built around the ITDR (Identity Threat Detection and Response) discipline. If you implement one security category in 2026, make it identity.
Background: Why Identity Has Overtaken the Endpoint
For years, the security market centered on the endpoint. EDR platforms gave defenders unparalleled visibility into process trees, memory anomalies, and file system activity. The implicit assumption was that the endpoint was the primary battlefield.
That assumption is now structurally wrong.
Modern attack campaigns — Scattered Spider, ALPHV/BlackCat affiliates, Lazarus Group, the Midnight Blizzard (APT29) intrusion into Microsoft's own corporate email — share a common tactical thread: they win in the identity layer, not the endpoint layer. Once a threat actor holds valid credentials or a forged Kerberos ticket, the endpoint doesn't matter. The domain controller hands them the keys.
The 2026 data reinforces this:
- 88% of basic web-application attacks involve stolen credentials (Verizon DBIR).
- 94% of 19 billion leaked passwords are reused or duplicated — credential stuffing is not slowing down.
- Session cookie theft via AiTM (Adversary-in-the-Middle) proxies now bypasses legacy MFA at scale. Tools like Evilginx3 and Tycoon 2FA commoditize this into phishing-kit subscriptions.
- Phishing-resistant MFA (FIDO2/passkeys) stops >99% of identity attacks — yet enterprise adoption hovers near 12%.
The defensive gap between where attacks happen and where most defenses are deployed is a chasm. ITDR is how organizations begin closing it.
The Identity Attack Kill Chain: Six Stages, Six Defensive Windows
Understanding the adversary model is the prerequisite for building detection logic. Identity-based campaigns consistently follow a six-stage progression:
Stage 1: Initial Credential Acquisition
The attacker obtains a valid credential set. Entry vectors include:
- Phishing / AiTM proxy phishing — OTP and session-cookie harvesting via reverse-proxy toolkits (Evilginx3, Modlishka, Tycoon 2FA). The user authenticates to a legitimate-looking page; the proxy relays the session cookie in real time.
- Infostealers — Redline, Lumma, Vidar harvest LSASS memory dumps, browser credential vaults, and Windows Credential Manager. Specops 2026 data shows 6 billion passwords stolen this way last year.
- Credential stuffing — Automated rotation of leaked credentials against M365, Okta, GitHub, and SaaS login pages.
- Password spraying — Low-volume, high-breadth attempts (2-3 guesses per account) against Azure AD / Entra ID to avoid lockout policies. MITRE T1110.003.
Detection window: anomalous authentication geography, impossible travel, single-factor logins from new ASNs, sign-in velocity anomalies in Entra ID Identity Protection.
Stage 2: Reconnaissance Inside the Directory
With a low-privileged account, the attacker maps the domain — user objects, group memberships, SPN-registered service accounts, trust relationships. Tools: BloodHound, SharpHound, ADExplorer, built-in net commands.
MITRE: T1087 (Account Discovery), T1069 (Permission Groups Discovery), T1482 (Domain Trust Discovery).
Detection window: Event 4661 (Object Handle Requests on DS objects), LDAP query volume spikes per user, SharpHound's signature samAccountName enumeration cadence detectable via network protocol inspection.
Stage 3: Credential Material Harvesting
This is where most EDR-only programs break down. The attacker extracts credential material from the domain without touching the endpoint in the traditional sense.
Kerberoasting (T1558.003): Request TGS service tickets for accounts with registered SPNs. Since tickets are encrypted with the service account's NTLM hash, they're crackable offline. The attack generates Windows Event 4769 (Kerberos Service Ticket Operation) with encryption type 0x17 (RC4-HMAC). Detection: alert on 4769 events where TicketEncryptionType = 0x17, especially from non-service account requestors at anomalous volume.
AS-REP Roasting (T1558.004): Accounts with Do not require Kerberos preauthentication send an AS-REP encrypted with the account password. No valid credentials required for the initial request. Detection: Event 4768 with PreAuthType = 0, requested by unusual principals.
Pass-the-Hash (T1550.002): Authenticate to Windows services using the raw NTLM hash without knowing the plaintext. Signature: lateral authentication events originating from hosts that have no business accessing the destination, especially using the NTLM authentication protocol (4624 with LogonType 3 and AuthPackage NTLM).
Pass-the-Ticket (T1550.003): Inject a harvested or forged Kerberos TGT/TGS into the current session. Event 4768/4769 anomalies; watch for tickets with unusual lifetimes or non-standard service names.
DCSync (T1003.006): Simulate domain controller replication to pull NTLM hashes for any account, including krbtgt. Requires DS-Replication-Get-Changes privileges. Detection: Event 4662 with DS-Replication-Get-Changes access mask from a non-DC host. High-fidelity alert — virtually no legitimate reason for a workstation to request DC replication.
Stage 4: Privilege Escalation
From a compromised service account or standard user, the attacker escalates to Domain Admin. Common paths:
- Golden Ticket: Forge a TGT using the
krbtgthash (obtained via DCSync). Valid for ten years by default. Detection: Kerberos tickets with anomalous PAC (Privilege Attribute Certificate) flags, ticket lifetime > 10 hours, or Event 4768 requests where the ticket is from an account that doesn't match the domain's issued-ticket records. - Silver Ticket: Forge a TGS for a specific service using the service account hash. Less powerful than Golden Ticket but harder to detect because it never touches the DC.
- AdminSDHolder abuse: Modify AdminSDHolder container permissions to persist elevated access through the SDProp process cycle (runs every 60 minutes).
- Group Policy Object (GPO) modification: Abuse write permissions on GPOs applied to OUs containing domain controllers.
Stage 5: Lateral Movement and Persistence
With Domain Admin equivalent access, the attacker moves freely. WMI exec (T1047), PsExec (T1569.002), RDP (T1021.001), and WinRM (T1021.006) are the primary mechanisms. Persistence is often established via scheduled tasks, new service creation, or modifications to DSRM account credentials.
Stage 6: Impact
Data exfiltration (often staged to SharePoint or OneDrive before leaving the network), ransomware deployment, or persistent access for intelligence collection.
Technical Analysis: The ITDR Detection Architecture
Addressing identity attacks requires instrumentation that EDR alone doesn't provide. A mature ITDR architecture has four layers:
1. Directory Telemetry (Active Directory / Entra ID)
On-premises AD (Windows Server): Enable verbose Kerberos and authentication auditing. Critical Event IDs:
| Event ID | Description | Relevance |
|----------|-------------|-----------|
| 4624 | Successful logon | LogonType 3 (Network) + NTLM AuthPackage = PtH signal |
| 4625 | Failed logon | Password spray baseline |
| 4662 | Object access | DCSync if DsReplication access mask |
| 4768 | Kerberos TGT request | AS-REP Roasting, Golden Ticket anomalies |
| 4769 | Kerberos TGS request | Kerberoasting (enc type 0x17) |
| 4771 | Kerberos pre-auth failure | Password spraying |
| 4776 | NTLM authentication attempt | PtH baseline |
| 5136 | Directory object modification | AdminSDHolder, GPO changes |
Entra ID (Azure AD): Microsoft's Identity Protection produces risk signals (leaked credentials, impossible travel, atypical travel, anonymous IP, malware-linked IP). Export these via Diagnostic Settings to Sentinel or your SIEM. Critical signals: riskyUsers, riskDetections, signInLogs with riskEventType populated.
2. Network / Protocol Analysis
DNS and SMB traffic reveal lateral movement before endpoint telemetry does. SMB IPC$ connections from workstations to workstations (not servers) indicate PsExec-style lateral movement. LDAP query volume per source IP is the fastest indicator of BloodHound-style recon — a single workstation generating thousands of LDAP binds in minutes has a near-zero legitimate explanation.
3. Behavioral Baselining (UEBA)
Effective ITDR platforms (Vectra AI, Silverfort, CrowdStrike Falcon Identity, Microsoft Defender for Identity) continuously model per-user and per-service-account baselines:
- Typical working hours and geography
- Normal authentication targets (which servers/services a user typically accesses)
- Access pattern stability (does the user access 3 servers per day or 300?)
Deviations from baseline generate risk scores, not flat alerts. This is the critical architectural difference between ITDR and simple SIEM rules: context replaces noise.
4. EDR + ITDR Correlation
The most powerful detection occurs when endpoint and identity telemetry are joined. Example: a LSASS memory read (EDR alert) on Host A, followed by a lateral authentication event (ITDR) from Host A to a domain controller five minutes later. Neither alert alone is necessarily high confidence. The correlated sequence is a confirmed incident.
This is what platforms like Huntress's unified EDR+ITDR are operationalizing in 2026: the full attack path visible in a single pane, not scattered across two disconnected dashboards.
IOCs and Indicators of Compromise (Identity-Specific)
These are not file hashes. Identity IOCs are behavioral:
TicketEncryptionType = 0x17in Event 4769 — Kerberoasting in progress- Event 4662 with access mask
0x100(DS-Replication-Get-Changes) from non-DC source — DCSync - Kerberos ticket
Lifetime > 600 minutesorRenewTill > 7 days— Golden Ticket forgery - Event 4624
LogonType 9(NewCredentials) from unusual source — Over-Pass-The-Hash - LDAP binds >500 in <60s from workstation object — BloodHound recon
AdminCountattribute set on accounts not in protected groups — AdminSDHolder persistence- Service accounts authenticating interactively (LogonType 2) — credential compromise of service account
krbtgtpassword unchanged for >180 days — Golden Ticket persistence risk- Entra ID
signInRiskLevel = highwith MFA bypass via legacy auth protocol — AiTM session hijack
The Lyrie Take
The security industry's framing of ITDR as a "new category" to buy understates its urgency. Identity compromise isn't an advanced persistent threat tactic anymore — it is the standard initial playbook for ransomware affiliates, nation-state operators, and commodity cybercriminals alike. The reason: it's the most effective path to domain-wide access with the least chance of triggering a traditional AV or EDR alert.
What we observe at Lyrie is that most organizations sit in one of two failure modes:
Failure mode A — The Logging Gap. Domain controllers have audit policies configured for the bare minimum. Events 4769 and 4662 aren't even reaching the SIEM. The organization has no structural ability to detect Kerberoasting or DCSync. They're not blind; they have no eyes.
Failure mode B — The Alert Tsunami. Organizations that do enable verbose DC logging without UEBA-backed baselining receive thousands of noisy authentication events per hour, analyst fatigue sets in, and the meaningful signal (a single DCSync event) is buried under compliance-driven noise. The attacker has 48+ hours of free lateral movement before a human investigates.
The solution is not simply "buy an ITDR tool." It is architectural: instrument first, baseline before alerting, correlate across domains, and build runbooks that match the identity kill chain stages above. ITDR tooling accelerates this, but the underlying telemetry hygiene and detection logic must be owned by the security team — not outsourced to vendor defaults.
The organizations hardest hit by identity-layer attacks in 2025-2026 were not the ones with no defenses. They were the ones with legacy defenses — SIEM rules written in 2018 against a threat model that assumed attackers needed to touch the filesystem.
They don't. They need your krbtgt hash. Everything else is optional.
Defender Playbook: 14 Prioritized Controls
Implement in order of effort-to-impact ratio:
Immediate (0-7 days)
1. Rotate krbtgt twice. A single rotation leaves old tickets valid; double rotation invalidates all outstanding TGTs. Schedule quarterly rotations. This eliminates any existing Golden Ticket. MITRE mitigation M1026.
2. Disable RC4 Kerberos encryption (force AES256). Set msDS-SupportedEncryptionTypes to 24 (AES128 + AES256) domain-wide. Kerberoasting against AES256 service tickets is computationally infeasible with current hardware. This single control reduces Kerberoasting risk by ~95%.
3. Enable audit policies for Events 4662, 4768, 4769 on all DCs. Verify with auditpol /get /category:* on every domain controller. If 4662 isn't generating events, DCSync is invisible to you.
4. Block legacy authentication protocols in Entra ID. Conditional Access policy: block any sign-in using Exchange ActiveSync or Other Clients authentication (ADAL-legacy, SMTP AUTH, IMAP). Legacy auth bypasses MFA entirely.
5. Enable Entra ID Identity Protection and connect to SIEM. Set risk policy: require MFA for medium risk, block access for high risk. Route riskDetections logs to your detection platform.
Short-term (7-30 days)
6. Audit accounts with Do not require Kerberos preauthentication (AS-REP Roasting exposure). PowerShell: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}. Remove the flag unless operationally required.
7. Identify all SPN-registered service accounts. PowerShell: Get-ADUser -Filter {ServicePrincipalNames -like "*"} -Properties ServicePrincipalName. For each: is the account using AES? Is the password strong (>30 chars machine-generated)? Is Managed Service Account (gMSA) possible? Migrate to gMSA where feasible — gMSA passwords rotate automatically every 30 days.
8. Enumerate DS-Replication-Get-Changes permissions. Only domain controllers and approved SIEM/ITDR service accounts should hold this. PowerShell via dsacls "DC=domain,DC=com" or BloodHound's Replication Rights edge detection.
9. Implement privileged access workstations (PAWs) for DA-level accounts. Domain Admins should only authenticate from hardened, network-isolated workstations. LSASS credential exposure on standard workstations is the most common path to PtH/PtT.
10. Deploy Microsoft Defender for Identity (MDI) or equivalent. MDI installs a sensor on every DC that reads real-time Kerberos traffic and generates alerts for Kerberoasting, DCSync, Golden Ticket usage, and recon patterns. If on-premises SIEM integration is the bottleneck, MDI to Sentinel is a fully managed pipeline.
Medium-term (30-90 days)
11. Implement tiered Active Directory model. Tier 0 = Domain Controllers and AD admin accounts. Tier 1 = server admins. Tier 2 = workstation admins. No downward credential flow: Tier 0 admins never authenticate to Tier 1 or Tier 2 assets.
12. Deploy FIDO2 / phishing-resistant MFA for all privileged accounts. Passkeys eliminate the AiTM cookie-theft attack surface entirely. Rollout priority: Global Admins → Security Admins → Exchange Admins → service desk with break-glass capabilities.
13. Build SIEM correlation rules for the identity kill chain. Minimum rule set:
- Kerberoasting: Event 4769, enc_type=0x17, count > 20 in 10 min from same source
- DCSync: Event 4662, access_mask includes 0x100, source not in DC OU
- Lateral movement: Event 4624 LogonType 3 NTLM, from workstation to workstation
- Golden Ticket anomaly: TGT lifetime > 10h or PAC anomaly flag
- AS-REP Roast: Event 4768 PreAuthType=0
14. Run quarterly purple-team exercises against identity kill chain. Use BloodHound to identify shortest paths to Domain Admin, attempt Kerberoasting against your own environment, verify your detection rules fire, measure mean-time-to-detect (MTTD). Iterate.
Sources
1. Verizon 2025 Data Breach Investigations Report — credential involvement statistics
2. Microsoft Digital Defense Report 2025 — identity attack composition, MFA efficacy
3. Specops 2026 Breached Password Report — 6 billion infostealer-harvested credentials
4. Huntress: "Unified EDR + ITDR: Closing the Identity Gap Before Attacks Spread" (May 2026)
5. Splunk Security Research: Kerberoasting Detection Rule (Event 4769, RC4) — updated April 2026
6. MITRE ATT&CK v16: T1558 (Steal or Forge Kerberos Tickets), T1550 (Use Alternate Authentication Material), T1003 (OS Credential Dumping)
7. CrowdStrike Adversary Intelligence: Scattered Spider identity attack TTPs
8. Microsoft Defender for Identity documentation: DCSync alert logic and PAC validation
9. Axis Intelligence: Data Breach Statistics 2026 — credential compromise as initial access vector
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.