ITDR Professional Roadmap
Identity is the dominant attack surface in modern enterprise. Over 80% of breaches involve compromised credentials or identity misconfigurations. This roadmap covers everything needed to operate professionally as an Identity Threat Detection & Response engineer — from protocol fundamentals to adversary-grade attack knowledge to production detection engineering.
How to Use This Roadmap
The path is structured in 6 phases. Complete them in order — each phase builds on the previous. A professional ITDR engineer needs depth in all six, not just detection or just protocols.
| Phase | Domain | Estimated time |
|---|---|---|
| Phase 1 | Identity Foundations | 2–3 weeks |
| Phase 2 | Identity Systems & Protocols | 4–6 weeks |
| Phase 3 | Attack Techniques | 6–8 weeks |
| Phase 4 | Detection Engineering | 6–8 weeks |
| Phase 5 | Response & Forensics | 3–4 weeks |
| Phase 6 | Tools, Certs & Capstone | 4–6 weeks |
Total: ~6 months for a practitioner entering the field. ~3 months for someone with existing security engineering background.
Phase 1: Identity Foundations
Goal: Understand what identity security is, why it matters, and how modern enterprises think about it before learning any attack or detection technique.
Core Concepts
| Concept | What you must understand |
|---|---|
| AuthN vs AuthZ | Authentication proves identity. Authorization grants access. Most attacks target authentication to bypass authorization. |
| Identity as perimeter | The network perimeter is gone. Identity is the new control plane — every access decision flows through it. |
| Credential lifecycle | Provisioning → authentication → re-authentication → de-provisioning. Each stage is an attack surface. |
| Principal types | Human users, service accounts, machine identities, managed identities, workload identities — all have different risk profiles. |
| Privilege tiers | Tier 0 (domain/cloud admin), Tier 1 (server admin), Tier 2 (workstation user). Lateral movement = moving up tiers. |
| Zero Trust | "Never trust, always verify" is the design principle. Identity is the verification mechanism. |
| Federation | Trust relationships between identity providers (SAML, OAuth, OIDC). Federation misconfigs = cross-domain compromise paths. |
Key Questions You Must Be Able to Answer
- What is the difference between a service account and a managed identity?
- Why is Kerberos delegation dangerous?
- What is the difference between MFA bypass and MFA fatigue?
- Why does identity-based lateral movement leave fewer artifacts than malware?
- What is the kill chain from phishing → credential theft → domain compromise?
Reading
- What is ITDR?
- What is Identity?
- Identity as the Perimeter
- Identity Attack Surface
- Identity Frameworks
Phase 2: Identity Systems & Protocols
Goal: Understand every major identity system deeply enough to reason about its attack surface. You cannot detect or investigate attacks you don't understand technically.
2.1 Active Directory (Priority: Critical)
Active Directory is the most-attacked identity system on earth. Every enterprise security role requires AD expertise.
| Topic | Why it matters |
|---|---|
| AD architecture | Forests, domains, trusts, OUs, sites — trust relationships are lateral movement paths |
| Kerberos | TGT/TGS flow, PAC, SPN registration — foundation of 80% of AD attacks |
| NTLM | Legacy protocol, relay attack surface, why it persists |
| LDAP | Directory queries, attribute enumeration, BloodHound uses LDAP |
| Group Policy | GPO delivery, GPO abuse for persistence and lateral movement |
| AD trusts | External, forest, shortcut trusts — SID filtering and why it matters |
| ADCS | Certificate templates, enrollment endpoints, ESC misconfigurations |
| DSRM / NTDS.dit | Domain database — the ultimate target |
Reading: AD Overview · Kerberos · NTLM · LDAP · Group Policy · AD Trusts · ADCS
2.2 Microsoft Entra ID / Azure AD (Priority: Critical)
Most enterprises run hybrid. Cloud identity attacks are now the dominant intrusion vector.
| Topic | Why it matters |
|---|---|
| Entra ID architecture | Tenants, directories, objects, hybrid join models |
| OAuth 2.0 | Authorization framework — consent, scopes, token types, refresh token abuse |
| OIDC | Authentication layer on OAuth — ID token structure, claims |
| SAML 2.0 | Federation protocol — Golden SAML attack surface |
| Conditional Access | Policy enforcement — CA bypass techniques |
| PIM | Privileged Identity Management — JIT access, eligible vs active roles |
| Entra ID Protection | Risk-based policies — how they work and how attackers evade them |
| Entra Connect Sync | Hybrid sync — on-prem compromise → cloud escalation path |
| WS-Federation | Legacy federation — ADFS attack surface |
Reading: Entra Overview · OAuth 2.0 · OIDC · SAML · Conditional Access · PIM · Identity Protection
2.3 Okta (Priority: High)
Okta is the dominant cloud IdP for non-Microsoft environments. High-value target — 2022 Lapsus$ breach, 2023 support system breach.
Reading: Okta Overview · Okta MFA · Okta Policies · SCIM
2.4 AWS IAM (Priority: High for cloud-heavy environments)
Reading: AWS IAM Overview · AWS STS · IAM Identity Center · Cognito
2.5 PKI, Certificates & Passkeys (Priority: High — increasingly exploited)
Reading: PKI Overview · X.509 Certificates · FIDO2/WebAuthn · Passkeys · Smart Cards
2.6 Other Systems (Baseline Awareness)
| System | Minimum you must know |
|---|---|
| Linux PAM / SSSD | How Linux joins AD/LDAP, sudo configuration, Kerberos on Linux |
| Kubernetes RBAC | Service account token abuse, RBAC misconfigs, SPIFFE/SPIRE |
| Google Workspace | SAML federation, GCP IAM, Workload Identity Federation |
| RADIUS / TACACS+ | Network device authentication — often overlooked attack surface |
| Open source (FreeIPA, 389-DS, OpenLDAP) | Used in government and regulated industries |
Reading: Linux PAM · Linux Kerberos · K8s RBAC · Google Workspace · RADIUS
Phase 3: Attack Techniques
Goal: Understand every major identity attack technique at the technical level — not just names, but mechanics, tooling, detection gaps, and real-world usage by threat actors.
"You cannot detect what you do not understand. You cannot investigate what you have never seen."
3.1 Active Directory Attacks
Credential Theft & Lateral Movement
| Attack | MITRE | Core mechanism |
|---|---|---|
| Kerberoasting | T1558.003 | Request TGS for SPN-registered accounts → offline crack NTLM hash |
| AS-REP Roasting | T1558.004 | Request AS-REP for accounts with pre-auth disabled → offline crack |
| Pass-the-Hash | T1550.002 | Reuse NTLM hash without knowing plaintext password |
| Pass-the-Ticket | T1550.003 | Inject Kerberos TGT/TGS into session for impersonation |
| Overpass-the-Hash | T1550.002 | Convert NTLM hash to Kerberos TGT |
| NTLM Relay | T1557.001 | Intercept and relay NTLM authentication to other services |
Reading: Kerberoasting · AS-REP Roasting · Pass-the-Hash · Pass-the-Ticket
Persistence & Domain Escalation
| Attack | MITRE | Core mechanism |
|---|---|---|
| Golden Ticket | T1558.001 | Forge TGT using KRBTGT hash — unlimited domain access |
| Silver Ticket | T1558.002 | Forge TGS for specific service using service account hash |
| DCSync | T1003.006 | Simulate DC replication to pull NTLM hashes from NTDS.dit |
| DCShadow | T1207 | Register a rogue DC to inject malicious objects into AD |
| Skeleton Key | T1556.001 | Patch lsass.exe to accept a master password for all accounts |
| SID History Abuse | T1134.005 | Inject privileged SID into account's SID History |
| AdminSDHolder Abuse | T1003 | Modify AdminSDHolder ACL for persistent privileged access |
Reading: Golden Ticket · Silver Ticket · DCSync · DCShadow · Skeleton Key · SID History · AdminSDHolder
Delegation & ACL Abuse
| Attack | MITRE | Core mechanism |
|---|---|---|
| Unconstrained Delegation | T1550.003 | Any user authenticating to delegated machine → TGT captured |
| Constrained Delegation | T1550.003 | S4U2Self/S4U2Proxy abuse for targeted impersonation |
| RBCD (Resource-Based) | T1550.003 | Write msDS-AllowedToActOnBehalfOfOtherIdentity — powerful escalation |
| ACL Abuse | T1222 | GenericAll, WriteDACL, WriteOwner, GenericWrite on AD objects |
Reading: Unconstrained Delegation · Constrained Delegation · RBCD · ACL Abuse
3.2 ADCS / Certificate Attacks
| Attack | Mechanism |
|---|---|
| ESC1 | Misconfigured certificate template — enroll cert as any user |
| ESC4 | Write permissions on template → modify to be ESC1-vulnerable |
| ESC8 | NTLM relay to ADCS HTTP endpoint → domain escalation |
| Certificate theft | Extract certs from user/machine stores for persistent auth |
Reading: ESC1 · ESC4/ESC8 · Certificate Theft
3.3 Cloud Identity Attacks (Entra ID / M365)
| Attack | MITRE | Core mechanism |
|---|---|---|
| AiTM Phishing | T1557 | Reverse proxy captures session cookie post-MFA — bypasses MFA entirely |
| Device Code Phishing | T1528 | Trick user into authorizing attacker-controlled device |
| Pass-the-PRT | T1550.004 | Steal Primary Refresh Token for seamless SSO as victim |
| Illicit Consent Grant | T1528 | Malicious OAuth app gains persistent access to M365 data |
| MFA Fatigue | T1621 | Flood MFA push notifications until user approves |
| Golden SAML | T1606.002 | Forge SAML assertions using ADFS/AD service signing key |
| Service Principal Abuse | T1098.001 | Add credentials to SP for persistent backdoor application |
| Managed Identity Abuse | T1552.007 | Steal managed identity token from Azure compute metadata endpoint |
| OAuth Token Theft | T1528 | Steal access/refresh tokens from browser, cache, or network |
| Conditional Access Bypass | T1556 | Legacy auth, trusted IP abuse, CA policy gaps |
| SCIM Abuse | T1136.003 | Exploit SCIM provisioning to create unauthorized accounts |
Reading: AiTM Phishing · Device Code Phishing · Pass-the-PRT · Illicit Consent Grant · MFA Fatigue · Golden SAML · OAuth Token Theft · CA Bypass
3.4 SaaS & Cross-Platform Attacks
Reading: Session Hijacking · Shadow Admin · API Token Abuse · OAuth App Abuse · Hybrid Attack Chains · MFA Bypass Techniques
3.5 Offensive Tools You Must Know (to understand what you're detecting)
| Tool | Category | What it does |
|---|---|---|
| Mimikatz | Credential dumping | LSASS dump, pass-the-hash, Golden/Silver Ticket, DCSync |
| Impacket | Python AD toolkit | secretsdump, GetSPN, psexec, ntlmrelayx, wmiexec |
| BloodHound / SharpHound | AD enumeration | Graph attack paths, ACL analysis, delegation chains |
| Rubeus | Kerberos toolkit | Kerberoasting, AS-REP roast, ticket injection, S4U abuse |
| CrackMapExec / NetExec | Network enumeration | SMB/LDAP/WinRM enumeration, spray, exec |
| PowerView | AD recon | AD object enumeration via PowerShell |
| ROADtools | Entra ID recon | Enumerate Entra ID objects, permissions, roles |
| AADInternals | Entra ID attack toolkit | Token operations, ADFS Golden SAML, PRT theft |
| TokenTacticsV2 | OAuth token abuse | Refresh, forge, and abuse M365/Entra tokens |
| Evilginx2 | AiTM framework | Reverse proxy phishing capturing session cookies |
| Certify / Certipy | ADCS attack toolkit | Find and exploit ESC vulnerabilities |
Phase 4: Detection Engineering
Goal: Build detection rules and hunting queries for every attack in Phase 3. Know the exact log sources, event IDs, and behavioral signatures for each technique.
4.1 Log Sources & Telemetry Map
Understanding where evidence lives is the foundation of detection.
Windows Event Log (Critical Event IDs)
| Event ID | Event | Detection value |
|---|---|---|
| 4624 | Successful logon | Logon type, source IP, account — baseline and alert on anomalies |
| 4625 | Failed logon | Password spraying, brute force — volume and distributed patterns |
| 4648 | Explicit credential logon | RunAs, PtH indicators |
| 4672 | Special privileges assigned | Privileged logon — monitor for sensitive accounts |
| 4768 | Kerberos TGT requested | Kerberoasting: encryption type RC4 (0x17) from non-DC hosts |
| 4769 | Kerberos TGS requested | Kerberoasting: RC4 TGS for SPNs from unusual accounts |
| 4770 | Kerberos ticket renewed | Golden Ticket: ticket renewal with anomalous PAC |
| 4776 | NTLM authentication | NTLM relay detection, LM hash usage |
| 4662 | Object accessed | DCSync: replication permissions (1131f6aa/1131f6ad GUIDs) |
| 4728/4732/4756 | Group membership changes | Privilege escalation — monitor DA/EA/BA groups |
| 4720/4722/4726 | Account lifecycle | Account creation/enable/delete — detect unauthorized provisioning |
| 4698/4702 | Scheduled task created/modified | Persistence mechanism — detect encoded commands |
| 4103/4104 | PowerShell module/script block | Offensive PowerShell — BloodHound, PowerView, encoded commands |
| 4697/7045 | Service installation | Persistence — detect unusual service paths |
| 4742 | Computer account changed | RBCD setup — msDS-AllowedToActOnBehalfOfOtherIdentity modification |
Microsoft Defender for Identity (MDI) — Key Alerts
MDI provides behavioral detections that raw event logs miss:
- Suspected DCSync attack (replication from non-DC)
- Suspected Golden Ticket usage (non-existent account, expired PAC)
- Suspected Skeleton Key attack (lsass.exe modification)
- Suspected Kerberoasting activity (multiple RC4 TGS requests)
- Suspected AS-REP roasting
- Suspected identity theft using Pass-the-Hash
- Suspected Pass-the-Ticket attack
- Suspected overpass-the-hash attack
- Honeytoken activity (access to decoy accounts)
- Suspected NTLM relay attack
- Domain controller RPC call
- ADCS privilege escalation (ESC1–ESC8)
Entra ID / M365 Log Sources
| Source | What it provides |
|---|---|
| Entra Sign-in Logs | Interactive, non-interactive, SP sign-ins, MFA results, CA policy outcomes, risk level |
| Entra Audit Logs | Object changes — role assignments, app registrations, group membership, policy changes |
| Entra ID Protection Risk Events | Risk detections: leaked credentials, impossible travel, anonymous IP, malicious IP, unfamiliar sign-in properties |
| M365 Unified Audit Log | Exchange, SharePoint, Teams, OneDrive activity — data access after credential theft |
| Azure Activity Log | Resource-level operations in Azure — role assignments, managed identity usage |
| Microsoft Defender for Cloud Apps (MCAS) | SaaS activity, impossible travel, mass download, OAuth app activity |
4.2 KQL Hunting Queries (Must-Know)
You must be able to write KQL (Kusto Query Language) for Microsoft Sentinel. Key patterns:
Kerberoasting (Event 4769):
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17" // RC4 — weak encryption
| where TargetUserName !endswith "$" // not machine accounts
| where ServiceName !startswith "krbtgt"
| summarize Count=count(), Accounts=make_set(TargetUserName)
by bin(TimeGenerated, 5m), IpAddress
| where Count > 5
DCSync Detection (Event 4662):
SecurityEvent
| where EventID == 4662
| where ObjectType has "domainDNS"
| where Properties has "1131f6aa" or Properties has "1131f6ad" // Replication permissions
| where not(SubjectUserName endswith "$") // exclude machine accounts
| where not(SubjectUserName in ("MSOL_*", "AADConnect")) // exclude sync accounts
Golden Ticket (Event 4769 — expired/future ticket):
SecurityEvent
| where EventID == 4769
| extend TicketStart = extractjson("$.TicketStart", EventData)
| extend TicketEnd = extractjson("$.TicketEnd", EventData)
| where datetime_diff('hour', todatetime(TicketEnd), todatetime(TicketStart)) > 10
AiTM / Session Token Theft (Entra Sign-in Logs):
SigninLogs
| where ResultType == 0
| summarize Countries=make_set(Location), IPs=make_set(IPAddress),
Devices=make_set(DeviceDetail.deviceId)
by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(Countries) > 1 // multiple countries in 1 hour
Impossible Travel:
SigninLogs
| where ResultType == 0
| order by UserPrincipalName, TimeGenerated asc
| extend PrevTime = prev(TimeGenerated), PrevLocation = prev(Location),
PrevIP = prev(IPAddress)
| where UserPrincipalName == prev(UserPrincipalName)
| where Location != PrevLocation
| extend HoursBetween = datetime_diff('hour', TimeGenerated, PrevTime)
| where HoursBetween < 4
Illicit Consent Grant:
AuditLogs
| where OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].displayName)
| extend ConsentedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend Permissions = tostring(AdditionalDetails)
| where Permissions has_any ("Mail.Read", "Files.ReadWrite", "User.ReadWrite.All")
MFA Fatigue (repeated MFA push denials):
SigninLogs
| where AuthenticationDetails has "MFA"
| where ResultType == 50074 or ResultType == 500121 // MFA denied / requirements
| summarize DeniedCount = count() by UserPrincipalName, bin(TimeGenerated, 10m)
| where DeniedCount > 5
4.3 Sigma Rules
Sigma is the vendor-neutral detection rule format. Every ITDR engineer must be able to write and convert Sigma rules.
Core Sigma rules for identity (must know these exist and be able to write them):
win_security_susp_rc4_kerberos.yml— Kerberoastingwin_security_dcsync.yml— DCSync via 4662win_security_susp_ntlm_auth.yml— NTLM relay indicatorswin_security_admin_share_lateral_movement.yml— PtH lateral movementwin_security_susp_lsass_access.yml— LSASS credential dumping
4.4 Detection Framework & DRL Levels
Reading: Detection Framework
Detection Readiness Levels (DRL):
| Level | Description |
|---|---|
| DRL 1 | Technique documented, log source identified |
| DRL 2 | Detection query written |
| DRL 3 | Query tested against sample data |
| DRL 4 | Deployed in SIEM with tuning complete |
| DRL 5 | Validated in lab against real attack tool output |
4.5 Detection Engineering per Attack
Reading: Detect Kerberoasting · Detect DCSync · Detect Golden Ticket · Detect PtH · Detect PtT · Detect AS-REP Roasting · Detect ACL Abuse
Cloud: Detect Device Code Phishing · Detect Golden SAML · Detect MFA Fatigue · Detect OAuth Abuse · Detect Certificate Attacks
4.6 UEBA — User & Entity Behavior Analytics
UEBA detects attacks that signature rules miss by establishing behavioral baselines and alerting on deviations.
Behavioral signals to baseline:
- Logon hours (time of day, day of week)
- Source IP ranges and geolocations
- Device usage patterns (registered vs. new devices)
- Application access patterns
- Data volume (email sent, files accessed)
- Administrative action frequency
- Peer group comparison (does this user behave like others in the same role?)
Key UEBA detection patterns:
- New country logon for account (impossible travel)
- Admin tool execution by non-admin account
- Bulk object access after credential event
- Password reset followed by immediate sensitive data access
- Service account logging in interactively
- Dormant account suddenly active
- Unusual lateral movement pattern (new internal hosts)
Phase 5: Response & Forensics
Goal: Know how to respond to and investigate identity-based incidents — from first alert triage to full containment and root cause analysis.
5.1 Incident Triage Framework for Identity Alerts
Step 1 — Scope the credential event:
- Which account was affected?
- What is the account's privilege tier? (Tier 0/1/2)
- What systems/services did it authenticate to?
- What data was accessed?
Step 2 — Determine the attack type:
- Credential stuffing / spraying → investigate initial access vector
- Kerberoasting → assess which service accounts are crackable
- Golden Ticket → assume full domain compromise
- AiTM / session theft → identify session scope and data accessed
Step 3 — Contain:
- Tier 0 compromise → isolate DCs, reset KRBTGT twice (48hr interval), rotate all privileged credentials
- Cloud credential theft → revoke all sessions, rotate secrets, enable CA policy
- Single account compromise → disable, reset, revoke sessions, audit access
Step 4 — Investigate:
- Pull timeline of all authentication events
- Identify all systems the attacker accessed
- Trace lateral movement path
- Identify persistence mechanisms
Step 5 — Remediate:
- Remove persistence (scheduled tasks, service registrations, backdoor app registrations)
- Reset all affected credentials
- Patch the vulnerability that enabled initial access
- Update detections to catch the technique earlier next time
5.2 Golden Ticket Containment (Critical Procedure)
Golden Ticket response is the most complex identity incident you will face. The KRBTGT hash must be rotated twice with at least 10 hours between rotations (to exceed the default TGT maximum lifetime of 10 hours). All domain controllers must replicate the new hash before the second rotation.
Steps:
- Identify all DCs and verify replication health
- Reset KRBTGT password (rotation 1)
- Wait 10+ hours (all existing TGTs expire)
- Reset KRBTGT password again (rotation 2)
- Force re-authentication of all privileged accounts
- Monitor for use of old TGTs post-rotation
5.3 Digital Forensics for Identity Incidents
On-premises artifact collection:
NTDS.dit+SYSTEMregistry hive — extract all domain hashes (with legal authorization)- Windows Event Log (EVTX files) — 4624, 4625, 4768, 4769, 4662, 4104
- LSASS memory dump — identify what was extracted
- PowerShell transcription logs
- WMI activity logs
- Scheduled task XMLs
Forensic tools:
| Tool | Purpose |
|---|---|
| secretsdump (Impacket) | Parse NTDS.dit — understand what attacker could extract |
| Chainsaw | Fast EVTX log analysis with Sigma rule matching |
| Velociraptor | Live forensic collection at scale |
| Volatility | Memory forensics — analyze LSASS dump |
| Plaso / Log2timeline | Timeline construction from multiple log sources |
Cloud evidence collection (Entra ID):
- Entra Sign-in Logs (30 days default, up to 90 days with P2)
- Entra Audit Logs
- M365 Unified Audit Log (up to 180 days)
- Microsoft Defender for Identity timeline
- Microsoft Defender for Cloud Apps activity log
5.4 Key Indicators of Identity Compromise
Watch for these in any investigation:
| Indicator | Possible attack |
|---|---|
| NTLM Type 3 from unexpected host | Pass-the-Hash lateral movement |
| RC4 Kerberos TGS for service accounts | Kerberoasting |
| 4662 with replication permission GUIDs from non-DC | DCSync |
| Ticket lifetime > 600 minutes | Golden Ticket |
| KRBTGT TGT without corresponding AS-REQ | Golden Ticket |
| Sign-in from two countries within 1 hour | Session theft / AiTM |
| New MFA device registration after risky sign-in | Account takeover |
| OAuth app consent for Mail.Read by new app | Illicit consent grant |
| Entra role assignment outside normal business hours | Privilege escalation |
| New service principal credential added | Backdoor application |
Phase 6: Tools, Certifications & Capstone
6.1 Defensive Platform Expertise
| Platform | What to master |
|---|---|
| Microsoft Defender for Identity (MDI) | Alert types, sensor deployment, honeytoken configuration, lateral movement paths |
| Microsoft Sentinel | Identity analytics rules, UEBA configuration, watchlists, incident workflow |
| Entra ID Protection | Risk policies, risky users/sign-ins, remediation workflows |
| Microsoft Defender for Cloud Apps | Shadow IT, impossible travel, OAuth app governance |
| CyberArk / BeyondTrust / Delinea | PAM architecture, session recording, just-in-time access |
| SailPoint / Saviynt | IGA workflows, access certification, role mining, SoD enforcement |
6.2 PAM, IGA & MFA Depth
Reading: PAM Overview · IGA Overview · MFA Technologies
PAM (Privileged Access Management): CyberArk, BeyondTrust, Delinea. Vault privileged credentials, enforce session recording, JIT access, emergency break-glass procedures.
IGA (Identity Governance & Administration): SailPoint, Saviynt, Omada. Access request workflows, certification campaigns, role mining, Separation of Duties enforcement, RBAC governance.
MFA Technologies: TOTP, FIDO2/WebAuthn, push notifications, SMS (avoid), hardware tokens (YubiKey). Know the attack surface of each: SMS = SIM swap, push = fatigue, TOTP = AiTM capture. FIDO2 is phishing-resistant.
6.3 Certifications — Recommended Path
| Certification | Body | Focus | Priority |
|---|---|---|---|
| SC-300 | Microsoft | Identity and Access Administrator — Entra ID, Conditional Access, PIM, IGA | High |
| SC-200 | Microsoft | Security Operations — includes MDI, Sentinel, identity detection | High |
| AZ-500 | Microsoft | Azure Security Engineer — cloud identity and access controls | Medium |
| CyberArk Trustee | CyberArk | PAM fundamentals | Medium |
| CyberArk Defender | CyberArk | PAM detection and defense | Medium |
| GIAC GCIH | SANS/GIAC | Incident handler — identity IR scenarios | High |
| GIAC GCED | SANS/GIAC | Enterprise defender — detection engineering | Medium |
| CRTO | Zero-Point Security | Red team operations — deep AD attack chain knowledge | High (for detection context) |
| CRTE | Altered Security | AD attack chains, Kerberos, trust abuse | High (for detection context) |
| OffSec OSCP | OffSec | Penetration testing — foundational attack context | Medium |
6.4 Labs to Build
Reading: Lab Architecture · AD Lab Setup · Entra ID Lab · Linux Lab · Okta Lab
Minimum home lab:
- Windows Server 2022 DC (Active Directory)
- Windows 10/11 workstation (domain-joined)
- Kali Linux or Windows attack machine
- Microsoft 365 E5 Developer tenant (free 90-day trial)
- Microsoft Sentinel workspace connected to both
What to simulate in your lab (in order):
- Kerberoasting → detection via 4769 event
- AS-REP Roasting → detection via 4768
- DCSync with Mimikatz → detection via 4662
- Golden Ticket → detection via 4769 anomalies
- Pass-the-Hash → detection via 4624 Type 3 patterns
- BloodHound enumeration → detection via LDAP query volume
- AiTM phishing with Evilginx2 → detection via Entra risk events
- Device code phishing → detection via AADInternals or manual
- ESC1 certificate abuse → detection via Certipy + 4886/4887
6.5 Simulation Scenarios
Reading: Simulation Framework · Domain Compromise Chain · Cloud Identity Takeover · Hybrid Golden SAML · Certificate Escalation
6.6 Vendor Landscape Awareness
Reading: ITDR Vendor Landscape
Know the major ITDR vendors and what detection gaps they fill:
- Microsoft Defender for Identity — AD/hybrid, Kerberos attack detection
- CrowdStrike Falcon Identity Protection — AD + cloud, real-time blocking
- SentinelOne Identity (Attivo) — deception, honeytoken, lateral movement detection
- Illusive Networks — deception-based identity attack detection
- Semperis — AD resilience, forest recovery, threat detection
- Silverfort — agentless MFA enforcement across all systems
- Vectra AI — behavioral AI for identity attack patterns
Skills Assessment
Use this as a self-evaluation. A professional ITDR engineer can:
Foundations
- Explain Kerberos TGT/TGS flow from memory
- Describe the OAuth 2.0 authorization code flow and where tokens are stolen
- Explain why NTLM relay attacks work and how to prevent them
- Define the difference between Golden Ticket and Silver Ticket
- Explain how AiTM phishing bypasses MFA
Attack Knowledge
- Run Kerberoasting with Rubeus and crack a hash with hashcat
- Execute DCSync with Mimikatz and explain what was extracted
- Use BloodHound to find the shortest path to Domain Admin
- Set up a basic RBCD attack chain
- Demonstrate MFA fatigue against an M365 test account
- Simulate device code phishing and capture a token
Detection Engineering
- Write a KQL rule detecting Kerberoasting from Windows Security Events
- Write a Sigma rule for DCSync detection
- Build an Entra impossible travel hunting query
- Deploy a Sentinel analytic rule from a Sigma rule using sigmac/pySigma
- Configure MDI honeytokens and test detection
Response
- Contain a Golden Ticket compromise (KRBTGT double-rotation)
- Revoke all active sessions for a compromised M365 account
- Parse an NTDS.dit file and identify crackable hashes
- Reconstruct an attack timeline from EVTX logs using Chainsaw
Reading List
Essential Books
- The Hacker Playbook 3 — Red team tactics including AD attacks
- Active Directory Security — Sean Metcalf (adsecurity.org)
- Certified Pre-Owned — Will Schroeder & Lee Christensen (ADCS research)
Essential Blogs / Resources
- adsecurity.org — Sean Metcalf's AD security deep dives (canonical reference)
- dirkjanm.io — Dirk-jan Mollema's research (ADCS, Azure AD, NTLM relay)
- blog.harmj0y.net — Will Schroeder's offensive AD research
- posts.specterops.io — SpecterOps team research (BloodHound team)
- o365blog.com — Dr. Nestori Syynimaa's Entra ID / ADFS research (AADInternals author)
- cloud.hacktricks.xyz — Practical cloud attack techniques
- attack.mitre.org — ATT&CK technique catalog (TA0006 Credential Access)
Microsoft Documentation (Required Reading)
- Microsoft Defender for Identity alerts reference
- Entra ID Protection risk detections
- Azure AD security operations guide
- Protecting Microsoft 365 from on-premises attacks
Roadmap Summary
Phase 1 → Concepts & threat model
Phase 2 → AD + Entra ID + 9 other identity systems (protocol depth)
Phase 3 → All attack techniques + offensive tooling (attacker mindset)
Phase 4 → Event IDs + KQL + Sigma + UEBA + MDI (detection craft)
Phase 5 → IR playbooks + forensics + containment procedures (response)
Phase 6 → Defensive platforms + certifications + lab validation (professionalization)
An engineer who completes all six phases can:
- Architect detection coverage for a hybrid enterprise identity environment
- Investigate any identity-based incident from first alert to root cause
- Build, deploy, and validate KQL/Sigma detection rules for the full identity attack chain
- Operate as a standalone ITDR specialist or lead an identity security program
Part of the ITDR — Identity Threat Detection & Response handbook by Andrey Pautov.