Security Operations for Identity Archives

Attack Techniques & Threat Modeling Security Operations for Identity

Tracking privilege escalation in Azure AD

December 19, 2025

Tracking Privilege Escalation in Azure AD (Microsoft Entra ID) Privilege escalation in Microsoft Entra ID (formerly Azure AD) rarely looks like a single “hacker flips a switch” moment. In real environments, it’s usually a chain of small, legitimate-looking changes—role assignments, consent grants, group membership edits, Conditional Access exceptions, or…

Using BloodHound to map privilege escalation

November 14, 2025

Using BloodHound to Map Privilege Escalation in Active Directory Privilege escalation in Active Directory (AD) rarely happens as a single “big misconfiguration.” It’s usually a chain: a little too much delegated access here, a leftover admin right there, an ACL that nobody remembers, and suddenly an attacker (or a red team) has a clean path to Domain Admin. …

Detecting Pass-the-Hash attacks

October 31, 2025

Pass-the-Hash (PtH) is a credential abuse technique where an attacker uses a captured NTLM password hash to authenticate to other systems—without ever knowing the user’s plaintext password. In an Active Directory environment, PtH is primarily a lateral movement and privilege expansion tactic: once a usable hash is obtained (often from a workstation), the attacker pivots to servers, file…

Use Protected Groups for critical OU containment

October 24, 2025

Using Protected Groups for critical OU containment “OU containment” is supposed to be your safety boundary: admins can manage what’s inside an OU, but they can’t casually reach outside it. In real Active Directory environments, that boundary often fails in subtle ways—mostly because of privileged group membership, inherited rights, and…

Detecting unmanaged accounts via group audit

September 17, 2025

Detecting unmanaged accounts via group audit: advanced comparison guide for AD, Entra, SIEM, and PAM Detecting unmanaged accounts via group audit means using group membership changes and “who got added where” telemetry to surface identities that operate outside expected governance: accounts not onboarded to PAM, not tied to HR/ITSM ownership, not covered by standard…

Top 10 audit logs for threat detection in AD

August 29, 2025

Top 10 Audit Logs for Threat Detection in Active Directory Active Directory (AD) doesn’t get “hacked” in a single step—attackers authenticate, escalate, move laterally, and persist. Your best early-warning system is a carefully chosen set of audit logs, collected consistently from the right hosts (especially domain controllers). On this page …

Analyzing DCSync attack patterns

August 29, 2025

Analyzing DCSync Attack Patterns: Detection Signals, Baselines, and Response (Active Directory) Threat Detection AD Security Incident Response Replication Abuse DCSync is one of those attacks that feels “too quiet for how catastrophic it is.” It doesn’t need malware on a domain controller, and it can look like normal…

How to build a response playbook for AD compromise

August 22, 2025

Building a Response Playbook for Active Directory Compromise (Step-by-Step) Incident Response Active Directory Security Containment & Recovery When Active Directory (AD) is compromised, the attacker isn’t just “in one server” — they often have the keys to your identity kingdom. …

How to use audit policies to detect threats early

August 22, 2025

Using Audit Policies to Detect Threats Early (Active Directory) Active Directory Security • Detection Engineering • Windows Auditing Audit policies are your “early warning radar” for identity attacks—if you enable the right subcategories, collect the logs centrally, and convert high-signal events into actionable detections. …

Tackling AI's impact on security with Zero Trust: A guide for CISOs

May 14, 2024

In this webinar, we’ll break down: The evolution of Zero Trust in the era of AI Unpacking how the AI wave has influenced the evolution of Zero Trust principles. Strategies empowering CISOs Equipping CISOs with effective strategies to bolster their defense mechanisms for 2024 and beyond. Real-time insights from Zero Trust implementations Extracting valuable takeaways from real-life Zero…

Security Operations for Identity

Tracking privilege escalation in Azure AD

Using BloodHound to map privilege escalation

Detecting Pass-the-Hash attacks

Use Protected Groups for critical OU containment

Detecting unmanaged accounts via group audit

Top 10 audit logs for threat detection in AD

Analyzing DCSync attack patterns

How to build a response playbook for AD compromise

How to use audit policies to detect threats early

Tackling AI's impact on security with Zero Trust: A guide for CISOs

Featured Posts

What is Azure Data Factory (ADF)?

How to demote a Domain Controller: A step-by-step guide

Healthcare data Breaches down almost 50 percent in the first month of 2021

Popular with Readers

Active Directory Users and Computers (ADUC) - An introduction and installation guide

Active Directory Sites

Active Directory Password Policy

Recently Added

How to fix slow DNS lookup

Legacy D-Link DSL Routers Exploited via Unauthenticated DNS Hijacking (CVE-2026-0625)

Migrating from AD FS to Azure AD SSO