Defend against identity-based threats

Identity Threat Catalog

Learn about common identity threats, how to detect them, and how to defend your AD environment against attack.

What are the most common types of identity-based attacks?

Cybersecurity agencies from the Five Eyes alliance, including CISA and the NSA, have urged organizations to strengthen security around Microsoft Active Directory (AD), a prime target for cyber attackers. Because of its widespread use and complexity, AD is particularly exposed to cyber threats, above all the identity-based attacks and tactics discussed here.

AdminSDHolder Modification

AdminSDHolder modification is a technique attackers use to maintain control over high-privileged accounts in Active Directory. By changing the permissions template that AD periodically reapplies to these protected accounts, attackers can prevent admins from removing their access.

AS-REP Roasting

AS-REP Roasting is a method attackers use to obtain password material by requesting Kerberos authentication responses (AS-REPs) that are encrypted with the user's password hash and can be cracked offline. This tactic targets accounts that do not require Kerberos pre-authentication when logging in.

DCShadow

DCShadow is an attack technique that enables attackers to register a rogue domain controller in Active Directory. The attackers can then make unauthorized changes directly to the AD database while avoiding detection.

DCSync

In a DCSync attack, attackers use directory replication permissions to pose as a domain controller and trick a legitimate domain controller into sharing password hashes and other sensitive data from Active Directory.

Golden SAML/Silver SAML

A Golden SAML attack is a technique in which an attacker forges SAML authentication responses to gain unauthorized access to applications—often with high privileges—without needing legitimate credentials or direct interaction with the identity provider. In a Silver SAML attack, threat actors forge SAML authentication responses from a cloud identity provider like Microsoft Entra ID, allowing unauthorized access to applications that trust that provider, even without user credentials or multi-factor authentication.

Golden Ticket

In a Golden Ticket attack, an attacker gains control of a key encryption component (the KRBTGT account) in a Windows domain, enabling the attacker to create valid Kerberos tickets. With these forged tickets, the attacker can impersonate any user, including Domain Admins, and gain unlimited access to the entire domain for an extended period.

Golden gMSA

In a Golden gMSA attack, threat actors dump KDS root key attributes to generate and exploit the passwords of Group Managed Service Accounts (gMSAs), which are used to run services with managed credentials.

Kerberoasting

Kerberoasting is an attack in which attackers request service tickets for accounts that run services in a Windows domain. These tickets are encrypted with the service account’s password hash, and attackers can then attempt to crack the hash offline to retrieve the service account’s password.
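As an added detection example (not part of the original catalog), the following Python flags a hallmark of Kerberoasting: a single account requesting RC4-encrypted service tickets (Security event 4769, Ticket Encryption Type 0x17) for many distinct SPNs within a short window. The event records are constructed sample data in a simplified key=value form, and the field names, window and threshold are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (time, requesting account, SPN, ticket
# encryption type). Real events carry these as Account Name, Service Name
# and Ticket Encryption Type; the key=value form here is for the example.
SAMPLE_4769 = [
    "2024-05-01T09:00:01 account=alice service=krbtgt etype=0x12",
    "2024-05-01T09:00:05 account=alice service=CIFS/fs01 etype=0x12",
    "2024-05-01T09:10:00 account=bob service=MSSQLSvc/db01:1433 etype=0x17",
    "2024-05-01T09:10:01 account=bob service=HTTP/web01 etype=0x17",
    "2024-05-01T09:10:02 account=bob service=HTTP/web02 etype=0x17",
    "2024-05-01T09:10:03 account=bob service=MSSQLSvc/db02:1433 etype=0x17",
    "2024-05-01T09:10:04 account=bob service=ldap/dc01 etype=0x17",
    "2024-05-01T09:10:05 account=bob service=HOST/app01 etype=0x17",
    "2024-05-01T11:00:00 account=svc-backup service=CIFS/fs02 etype=0x17",
]

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18): the types an attacker asks for
# because the resulting ticket is the fastest to crack offline.
RC4_ETYPES = {"0x17", "0x18"}


def parse_4769(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def kerberoast_candidates(lines, window=timedelta(minutes=5), min_services=5):
    """Return {account: [SPNs]} for accounts that requested RC4 service tickets
    for at least `min_services` distinct SPNs inside `window`. TGS requests
    for krbtgt are skipped: they are TGT renewals, not roastable tickets."""
    by_account = defaultdict(list)
    for rec in map(parse_4769, lines):
        if rec["etype"] in RC4_ETYPES and not rec["service"].lower().startswith("krbtgt"):
            by_account[rec["account"]].append((rec["time"], rec["service"]))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            spns = {svc for t, svc in events[i:] if t - start <= window}
            if len(spns) >= min_services:
                flagged[account] = sorted(spns)
                break
    return flagged


if __name__ == "__main__":
    for account, spns in kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} RC4 service tickets")
```

In domains where RC4 is still enabled for legitimate use, the encryption type alone produces noise, so the distinct-SPN threshold carries most of the signal; lowering `min_services` to 1 also flags the lone `svc-backup` request in the sample.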

LDAP Reconnaissance

LDAP reconnaissance is a technique in which attackers issue LDAP queries to gather information about users, groups, computers, and permissions within an Active Directory environment.

NTDS.dit Extraction

When attackers copy the NTDS.dit file, they are stealing the Active Directory database, which contains all the user account information, including password hashes. With this file, attackers can extract sensitive data—such as passwords for all accounts in the domain.

Pass the Hash

In a Pass the Hash attack, threat actors use a stolen password hash to authenticate and access systems as the compromised user.

Pass the Ticket

In a Pass the Ticket attack, threat actors use a stolen Kerberos ticket to authenticate as a user without needing their password.

Password Spraying

In a Password Spraying attack, attackers try common passwords across many accounts rather than focusing on one account. This tactic reduces the likelihood of account lockouts as threat actors attempt to gain access and escalate their privileges.

Plaintext Password Extraction/GPP Abuse

Group Policy Preferences (GPP) abuse is a prime example of plaintext password extraction. In older versions of GPP, administrators could configure local accounts or services with passwords, which were stored in XML files in a form that could be decoded fairly easily. Additionally, passwords set in GPP could apply across multiple member servers and workstations, so one decoded password could grant access to many machines.

Silver Ticket

A Silver Ticket attack occurs when attackers forge Kerberos service tickets for specific services, like file shares or web applications, after compromising the service account’s credentials.

Zerologon Exploit

Zerologon is a critical vulnerability (CVE-2020-1472) in the Netlogon authentication protocol that enables attackers to impersonate any computer, including a domain controller.