Identity Attack Surface
Status: Final
The identity attack surface spans every system that authenticates principals, stores credentials, issues tokens, enforces authorization, or federates trust. Unlike the network perimeter — which has a clear edge — the identity surface is distributed, protocol-specific, and deeply environment-dependent. A misconfigured ADCS template, a forgotten service account, an OAuth app with excessive delegated permissions, and an NTLM relay opportunity are all on the same surface.
This page is a reference taxonomy. Use it to scope what you are protecting, what an attacker is targeting, and where detection coverage needs to exist.
1. Credential Stores
Credentials at rest. These are the primary targets of any credential access campaign.
| Store | Location | Attack | Detection Signal |
|---|---|---|---|
| NT hashes | NTDS.dit (DC), SAM (local) | DCSync, volume shadow copy, SAM dump | Event 4662 (DCSync), VSS creation |
| NTLM hashes in memory | LSASS process | Mimikatz sekurlsa::logonpasswords, pypykatz | Sysmon Event 10 (LSASS access), Event 4611 |
| Kerberos TGT cache | LSASS memory | Pass-the-Ticket, Rubeus dump | Event 4648, abnormal klist usage |
| Kerberos ccache (Linux) | /tmp/krb5cc_*, SSSD KCM | ccache theft, keytab abuse | auditd file access, PAM logs |
| Keytab files | /etc/krb5.keytab, service dirs | kinit -k with stolen keytab | auditd file read on keytab |
| DPAPI master key / blob | %APPDATA%\Microsoft\Protect | DPAPI offline decrypt (Mimikatz dpapi::) | Unusual DPAPI API calls (Sysmon) |
| LSA secrets | Registry (HKLM\SECURITY) | Secretsdump LSA, reg save | Event 4656 on SAM/SECURITY hive |
| Browser credentials | Chrome/Firefox profile dir | Infostealers (RedLine, Vidar, Raccoon) | Unusual process accessing profile dir |
| Cloud secrets / API keys | AWS Secrets Manager, Azure Key Vault, GCP Secret Manager | SSRF → IMDS token → secrets API | CloudTrail GetSecretValue, vault audit log |
| .env / config files | Application filesystem | Credential harvesting in compromised env | File access anomaly |
| CI/CD secrets | GitHub Actions secrets, GitLab CI variables, Jenkins credentials | Runner compromise, secret exfil | SCM audit logs, unusual clone/export |
Priority for Defense
The highest-value credential stores in most enterprises, in order of attacker impact:
- NTDS.dit — full domain compromise in one extraction
- LSASS memory — live credential cache, all logged-in users
- ADCS CA private key — forge certificates for any principal
- ADFS / Entra ID signing key — forge SAML/OIDC tokens for any user
- Cloud IAM long-term keys — persistent, often unmonitored access
2. Authentication Protocol Attack Surface
Weaknesses inherent in or introduced by misconfiguration of the protocols themselves.
Kerberos
| Weakness | Exploit | Requirement |
|---|---|---|
| SPN on user account | Kerberoasting — request service ticket, crack hash offline | Any domain user |
| DONT_REQ_PREAUTH flag | AS-REP Roasting — get TGT blob without knowing password | Know the username |
| krbtgt hash compromise | Golden Ticket — forge any TGT, arbitrary PAC | DA or DCSync access |
| Service account hash | Silver Ticket — forge service ticket for specific SPN | Service account's NTLM hash |
| Unconstrained delegation | TGT theft from incoming authentications | Compromise server with TrustedForDelegation=True |
| Constrained delegation (KCD) | Impersonate users to target services | Compromise service with delegation configured |
| Resource-based constrained delegation (RBCD) | Abuse msDS-AllowedToActOnBehalfOfOtherIdentity | Write access to target computer object |
| PKINIT (certificate auth) | ESC1-ESC8 certificate abuse, certificate theft | See PKI section |
NTLM
| Weakness | Exploit | Requirement |
|---|---|---|
| Challenge-response over network | NTLM relay (ntlmrelayx) → code execution / cert request | No SMB signing, or SMB signing not enforced |
| NTLMv1 enabled | Downgrade + crack or pass NTLMv1 hash | LAN Manager compat level ≤ 2 |
| Hash equivalence | Pass-the-Hash — use NT hash directly for auth | NTLM hash of target account |
| LLMNR/NBT-NS poisoning | Responder — capture Net-NTLMv2 challenge | Same network segment, poisoning not blocked |
| NTLM coercion | PetitPotam, PrinterBug, DFSCoerce — force machine to authenticate to attacker | Write access or unauthenticated depending on variant |
OAuth 2.0
| Weakness | Exploit | Flow |
|---|---|---|
| Device Authorization Grant (RFC 8628) | Device code phishing — attacker initiates flow, victim authenticates | No credentials captured; MFA satisfied by victim |
| Refresh token longevity | Token theft → 90-day+ persistence after password reset | Steal refresh token from browser, memory, or endpoint |
| Implicit grant (deprecated) | Token in URL fragment — leaked to referrer, logs | Legacy apps |
| Overly broad delegated permissions | Illicit consent grant — malicious app with wide scopes | Victim approves OAuth consent |
| Client secret / certificate leakage | App-level credential theft → client credentials flow | Access to client secret or cert |
SAML 2.0
| Weakness | Exploit |
|---|---|
| IdP signing key theft | Golden SAML — forge assertions for any user in any SP |
| IdP-initiated flow (no request binding) | Inject forged assertion without valid SP-initiated request |
| SP does not validate Recipient / InResponseTo | Assertion replay across SPs |
| XML signature wrapping | Modify assertion content while keeping valid signature over different element |
OIDC / JWT
| Weakness | Exploit |
|---|---|
| Weak aud validation | Token accepted by wrong service |
| Weak iss validation | Token from untrusted issuer accepted |
| alg:none accepted | Remove signature entirely |
| OIDC federation misconfiguration | Workload identity token used to impersonate unexpected subject |
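The three JWT weaknesses in the table above (weak aud, weak iss, alg:none) side by side with their fix, as an added example that is not part of the original page: a minimal HS256 verifier written twice, once the way a vulnerable service does it and once hardened. The secret, issuer and audience values are constructed for the example, and the token minting helper exists only to build test inputs.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret and expected claim values for this example only.
SECRET = b"example-shared-secret-not-a-real-key"
EXPECTED_ISS = "https://idp.example.test"
EXPECTED_AUD = "api://orders-service"

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(header_b64, body_b64):
    return hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()

def mint_token(claims, alg="HS256"):
    """Test helper: builds an HS256 token, or an unsigned token when alg is 'none'."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = "" if alg == "none" else _b64url_encode(_sign(header, body))
    return f"{header}.{body}.{sig}"

def validate_lax(token):
    """Weak verifier: honours alg from the header and never checks iss or aud."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))  # signature skipped entirely
    if not hmac.compare_digest(_sign(header_b64, body_b64), _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))

def validate_strict(token):
    """Hardened verifier: pins the algorithm, verifies the signature, then checks iss and aud."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # the token never gets to choose its own algorithm
        if not hmac.compare_digest(_sign(header_b64, body_b64), _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != EXPECTED_ISS:  # an untrusted issuer would be accepted otherwise
        return None
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):  # token meant for another service
        return None
    return claims
```

In production, replace the hand-rolled HMAC with a maintained JWT library, but keep the same three rules: pin the algorithm, require the expected issuer, and require your own audience.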
3. Identity Provider (IDP) Attack Surface
The IDP is the highest-value target because compromising it compromises everything that trusts it.
Active Directory
| Attack Path | Primitive | Impact |
|---|---|---|
| DCSync | Abuse DS-Replication-Get-Changes rights | Dump all hashes |
| ACL abuse | WriteDACL, GenericWrite, ForceChangePassword on any object | Privilege escalation, account takeover |
| AdminSDHolder | Writable DACL on AdminSDHolder object → propagates to all protected accounts | Backdoor on all DA equivalents |
| GPO abuse | Write access to GPO or OU → deploy malicious policy | Code execution across all linked machines |
| ADCS template abuse | ESC1–ESC8 | See PKI section |
| Replication coercion | PetitPotam / PrinterBug → NTLM relay to ADCS → DC machine account cert | Full domain compromise from network position |
| Schema/forest modification | Enterprise Admin access | Persistent backdoors at forest level |
Entra ID (Azure AD)
| Attack Path | Primitive | Impact |
|---|---|---|
| Global Administrator compromise | Highest cloud role | Full tenant control |
| Privileged Role Administrator | Can assign any role (including Global Admin) | Escalate to Global Admin |
| Application Administrator | Register apps, add credentials to existing apps | Abuse app permissions |
| PIM activation without approval | Eligible GA → active GA | If activation requires no approval + no MFA |
| Service principal credential addition | Application.ReadWrite.All → add secret to existing high-priv app | Persistent high-privilege access |
| Conditional Access policy modification | CA Administrator role | Disable MFA/device compliance requirements |
| Entra Connect / Sync account | Has DCSync rights in on-prem AD + can sync passwords | Hybrid pivot: cloud → on-prem |
| Pass-the-PRT | Steal Primary Refresh Token from Windows device | Bypass Conditional Access device compliance checks |
Okta
| Attack Path | Primitive |
|---|---|
| Org-level Super Admin compromise | Full Okta tenant control |
| MFA policy gap | Policy requires MFA for app but not for Okta admin console |
| Push bombing | Flood Okta Verify push requests until user accepts |
| Okta API token theft | Long-lived token with admin scope |
| SCIM provisioning abuse | Modify user attributes via SCIM → privilege escalation in downstream apps |
AWS IAM
| Attack Path | Primitive |
|---|---|
| iam:PassRole | Escalate by passing high-priv role to Lambda, EC2, etc. |
| iam:AttachUserPolicy | Attach AdministratorAccess policy to self |
| iam:CreateLoginProfile | Create console credentials for user without them |
| iam:CreateAccessKey | Create new access key for another user |
| STS AssumeRole role chaining | Hop through roles to reach higher privileges |
| SSRF → IMDSv1 → STS token | No IMDSv2 enforcement → SSRF leaks instance role credentials |
| Cross-account role trust misconfiguration | sts:AssumeRole with * principal → anyone can assume role |
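A policy audit for two rows of the AWS IAM table, the wildcard-principal trust policy and the self-service escalation actions granted on Resource "*", written as an added example that is not from the original page. The policy documents are constructed, with a placeholder account id and role names, and each weak policy is paired with a corrected one.

```python
import fnmatch

# Constructed policy documents for this example; the account id and role names are placeholders.
TRUST_POLICY_WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
TRUST_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/deploy-role"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
PERMISSION_POLICY_WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:CreateFunction"], "Resource": "*"}]}
PERMISSION_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::111111111111:role/lambda-exec"}]}
# Self-service escalation primitives from the AWS IAM table; dangerous when granted on Resource "*".
ESCALATION_ACTIONS = ("iam:PassRole", "iam:AttachUserPolicy", "iam:CreateLoginProfile", "iam:CreateAccessKey")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive and policies may use wildcards ("iam:*", "*").
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def audit_trust_policy(doc):
    """Flag Allow statements that let any principal assume the role without a Condition."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        grants_assume = any(_matches(p, "sts:AssumeRole") for p in _as_list(stmt.get("Action", [])))
        if grants_assume and _principal_is_wildcard(stmt.get("Principal")):
            findings.append("sts:AssumeRole allowed for Principal * with no Condition")
    return findings

def audit_permission_policy(doc):
    """Flag escalation-capable IAM actions granted on Resource *."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in ESCALATION_ACTIONS:
                if _matches(pattern, action):
                    findings.append(f"{action} on Resource *")
    return findings
```

A statement with a Condition is only treated as safe here for brevity; a real audit would still inspect which condition keys are used.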
4. Session & Token Layer
Tokens are the runtime identity. Stealing a valid token is often easier than cracking credentials.
| Token Type | Lifetime | Theft Method | Attack |
|---|---|---|---|
| Kerberos TGT | 10 hours | LSASS dump, Rubeus dump | Pass-the-Ticket |
| Kerberos service ticket | 10 hours | LSASS dump | Pass-the-Ticket to specific service |
| OAuth access token | 60–90 min | Browser memory, token log leakage | API access as victim |
| OAuth refresh token | 90 days (default Entra) | Malware, phishing, endpoint compromise | Long-term persistence past password reset |
| SAML assertion | Short (minutes) | MitM, log interception, response injection | SP authentication as any user |
| Primary Refresh Token (PRT) | 14 days | Mimikatz lsadump::cloudap, AzureADJoinedMachinePTT | Bypass Conditional Access device checks |
| AWS STS session token | 1–36 hours | IMDS response, credential file, env vars | Temporary AWS API access |
| GCP access token | 1 hour | IMDS response, ADC file | GCP API access |
| Cookie / session token | Varies | XSS, network interception, endpoint theft | Web application session hijacking |
Key insight for detection: token-based attacks authenticate through normal channels — they appear identical to legitimate access. Detection must focus on the context of authentication (device, location, time, behavioral baseline) not just the credential check result.
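The context-based detection the paragraph above calls for, as an added example that is not from the original page: a small baseline detector run over constructed sign-in records. Every record is a successful authentication, so the logic never looks at the credential result; it compares device, country and hour against what the user has done before, and it treats a refresh token that still works from an unseen device after a password reset as the persistence pattern from the token table. Field names and the business-hours window are assumptions, not a vendor schema.

```python
from datetime import datetime

# Constructed sign-in records (ts, user, auth_method, device_id, country).
# Field names are assumptions for this example, not a vendor's log schema.
SIGNINS = [
    ("2024-03-01T09:02:00", "alice", "password+mfa", "LAPTOP-A1", "DE"),
    ("2024-03-01T13:10:00", "alice", "refresh_token", "LAPTOP-A1", "DE"),
    ("2024-03-02T08:55:00", "alice", "refresh_token", "LAPTOP-A1", "DE"),
    ("2024-03-03T03:40:00", "alice", "refresh_token", "UNKNOWN-9F", "RU"),
    ("2024-03-01T10:00:00", "bob", "password+mfa", "LAPTOP-B2", "US"),
    ("2024-03-04T11:00:00", "bob", "refresh_token", "LAPTOP-B2", "US"),
    ("2024-03-05T15:00:00", "bob", "password+mfa", "LAPTOP-B3", "US"),
]
# Constructed: when each user last reset their password (ISO timestamps).
PASSWORD_RESETS = {"alice": "2024-03-02T12:00:00"}
BUSINESS_HOURS = range(6, 22)  # assumption: 06:00 to 21:59 counts as normal working time

def detect_context_anomalies(signins, password_resets):
    """Flag successful sign-ins whose context departs from the user's own history.

    The baseline is built from earlier events for the same user, not from the
    credential check result. Returns a list of (user, ts, reasons).
    """
    baseline = {}  # user -> {"devices": set, "countries": set}
    findings = []
    for ts, user, method, device, country in sorted(signins):  # ISO strings sort chronologically
        when = datetime.fromisoformat(ts)
        seen = baseline.setdefault(user, {"devices": set(), "countries": set()})
        reasons = []
        if seen["devices"]:  # skip the bootstrap event: nothing to compare against yet
            if device not in seen["devices"]:
                reasons.append("new_device")
            if country not in seen["countries"]:
                reasons.append("new_country")
            if when.hour not in BUSINESS_HOURS:
                reasons.append("off_hours")
            reset = password_resets.get(user)
            # A refresh token still working from an unseen device after a reset is the
            # long-term persistence pattern from the token table, not a user re-authenticating.
            if method == "refresh_token" and reset and ts > reset and "new_device" in reasons:
                reasons.append("token_survived_password_reset")
        if reasons:
            findings.append((user, ts, reasons))
        seen["devices"].add(device)
        seen["countries"].add(country)
    return findings

def high_severity(findings, threshold=3):
    """Keep only events with several independent context deviations."""
    return [f for f in findings if len(f[2]) >= threshold]
```

A single new device is normal (bob gets a laptop), which is why the severity filter counts independent deviations rather than alerting on any one of them.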
5. Federation & Trust Attack Surface
Federation extends trust across boundaries. Each trust boundary is a potential pivot.
| Trust Mechanism | Attack | Condition |
|---|---|---|
| SAML federation (AD → Entra ID via ADFS) | Golden SAML | Compromise ADFS server signing cert |
| Kerberos cross-domain trust | SID history injection | DA in child domain + SID filtering disabled |
| Kerberos cross-forest trust | Limited — SID filtering applies by default | Forest trust with EnableSIDHistory |
| OAuth consent delegation | Illicit consent grant | User approves malicious app |
| OIDC workload identity federation | Token subject/audience bypass | Misconfigured OIDC trust policy |
| AD → Entra ID Connect sync | Sync service account compromise | Sync account has DCSync + password write-back |
| AWS cross-account AssumeRole | Lateral movement to other AWS accounts | Trust policy allows unexpected principals |
Hybrid environments are the highest-risk federation scenario. The Entra ID Connect sync account has Replicate Directory Changes rights in on-prem AD (DCSync-equivalent) AND write-back to Entra ID. Compromising it collapses the on-prem/cloud isolation entirely.
6. Certificate Infrastructure (PKI)
ADCS is a force multiplier for AD attackers. A single misconfigured template can yield Domain Admin in seconds.
| Component | Weakness | Attack |
|---|---|---|
| Certificate template with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT | Low-priv user specifies SAN = any UPN | ESC1 — request cert as Domain Admin |
| Template ACL (WriteDACL/GenericWrite) | Modify template to introduce ESC1 | ESC4 |
| CA with EDITF_ATTRIBUTESUBJECTALTNAME2 flag | All templates allow SAN override | ESC6 |
| CA with ManageCA / ManageCertificates ACL | Approve requests, change CA flags | ESC7 |
| ADCS HTTP enrollment endpoint (certsrv) | NTLM relay to /certsrv/certfnsh.asp | ESC8 — relay DC machine auth → get DC cert → DCSync |
| CA private key compromise | Forge certificates for any principal | CA key theft |
| Certificate theft | Export cert + private key from Windows store | Persistent auth past password reset |
The ESC8 + coercion combination deserves special attention: coerce the DC to authenticate (PetitPotam), relay to certsrv, get a certificate for the DC machine account, then use PKINIT to get the DC's TGT + NTLM hash, then DCSync. This chain goes from network position + unauthenticated → full domain compromise.
7. Non-Human Identities (NHI)
Non-human identities are the fastest-growing and least-monitored attack surface. They outnumber human accounts in most enterprises by 10–100:1.
| NHI Type | Common Weakness | Attack |
|---|---|---|
| Service accounts (AD) | Over-privileged, infrequently rotated, SPN set | Kerberoasting, PtH after endpoint compromise |
| Managed service accounts | Better — key managed by AD | Machine account compromise |
| Application service principals (Entra ID) | Over-broad permissions, multiple credentials, no MFA | Client secret theft → API access as app |
| API keys (AWS access keys) | Committed to repos, in env vars, not rotated | Key exfil → IAM access |
| GitHub Actions tokens / OIDC | Repository compromise, misconfigured OIDC | Supply chain access |
| CI/CD credentials | Jenkins, GitLab runner secrets | Runner compromise → secret dump |
| GCP service account keys | Downloadable JSON key files | Key exfil → GCP API as SA |
| Kubernetes service accounts | Token auto-mounted into every pod | Container breakout → cloud metadata |
NHIs are attractive because:
- Passwords/secrets rarely rotate
- No MFA
- High privilege (applications need broad access)
- Activity is harder to baseline (automated behavior looks strange to behavioral analytics)
8. Privileged Access Layer
Privilege amplifies every other attack. These are structural weaknesses, not protocol-specific.
| Weakness | Impact | Mitigation Direction |
|---|---|---|
| Tier 0 assets not isolated | DC, CA, ADFS compromise from Tier 1/2 pivot | Tiered administration model |
| Permanent privileged roles | Always-on Global Admin, DA | PIM / JIT privilege |
| Admin accounts used for email / web browsing | Phishing lands a privileged session | Separate admin accounts |
| Local admin password reuse (no LAPS) | Single hash compromise → lateral movement across all machines | LAPS deployment |
| Shadow admin accounts | Accounts with effective DA rights via ACL chains but not in Domain Admins group | BloodHound-class path analysis |
| adminCount=1 objects | Excluded from inheritance — need explicit ACL review | Regular ACL audits |
| Protected Users group not used | Disables NTLM, Kerberos delegation, credential caching | Add sensitive users to Protected Users |
Attack Surface by Environment
| Environment | Highest-Risk Components | Primary Attack Chains |
|---|---|---|
| On-premises AD | NTDS.dit, LSASS, ADCS, unconstrained delegation | Kerberoasting → PtH → DCSync → Golden Ticket |
| Entra ID (cloud-only) | Global Admin, app registrations, PIM, refresh tokens | Device code phishing → token theft → GA escalation |
| Hybrid (AD + Entra ID) | Entra Connect sync account, ADFS signing cert, PRT | On-prem pivot → Entra Connect → cloud escalation; or Golden SAML |
| AWS | IAM roles with PassRole, STS, IMDS | SSRF → IMDS → STS → role chain → admin |
| Multi-cloud | OIDC federation, cross-provider trust | Token forgery, audience confusion, cross-cloud lateral movement |
Attacker Decision Tree
When an attacker lands on a domain-joined Windows host, the typical identity surface evaluation order:
1. What credentials are in LSASS? → dump → PtH or PtT
2. What accounts have SPNs? → Kerberoasting → crack → elevate
3. What ACL paths exist to DA? → BloodHound → ACL abuse chain
4. Is ADCS deployed? → certipy find → ESC1/ESC8 → cert → DA
5. Is there an ADFS server? → compromise → Golden SAML → cloud access
6. What service accounts exist? → enumerate SPN + weak password → crack
7. Are there any cross-trust paths? → SID history, trust transitivity
For cloud-native initial access:
1. Stolen credentials + no MFA → direct IDP auth
2. Stolen credentials + MFA → device code phishing OR MFA fatigue
3. App registration secret in code repo → client credentials flow
4. SSRF in app → IMDS → cloud IAM token → privilege escalation
5. OAuth consent phishing → delegated access to victim's data
Threat Actor Targeting Patterns
Different threat actor categories prioritize different identity surface components:
| Actor Category | Preferred Identity Surface | Evidence Label |
|---|---|---|
| Ransomware operators | AD credential access (DCSync, PtH) for mass encryption; DA for GPO-based deployment | Observed — multiple IR reports across groups |
| Nation-state (espionage) | SAML/token-based cloud access (low noise, persistent); ADFS Golden SAML for long-term M365 access | Reported — SolarWinds/SUNBURST, Midnight Blizzard reporting |
| BEC / financial fraud | OAuth consent abuse, token theft for M365 mailbox access | Reported — multiple vendor reports on BEC technique evolution |
| Cloud-native attackers | SSRF → IMDS, role chaining in AWS/GCP, Entra ID app registration abuse | Observed — cloud IR reports |
| Insider threat | Legitimate credential use for unauthorized access — hardest to detect | Assessed — behavioral analytics is primary detection layer |
Evidence label definitions: Observed = confirmed in IR/forensic evidence; Reported = documented by vendors/researchers, not independently confirmed; Assessed = analytic judgment from patterns, not direct evidence.
Cross-Links
| Topic | Link |
|---|---|
| Kerberos Protocol | Kerberos |
| NTLM Protocol | NTLM |
| ADCS | ADCS |
| Entra ID / OAuth2 | OAuth2 |
| SAML | SAML |
| AD Attacks | AD Attack Index |
| Cloud Attacks | Cloud Attack Index |
| ADCS Attacks | ESC1 |
| Detection Framework | Detection Framework |