[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk6Em7AupbsiX2adwoqQrGm2SEa5TrV4ym88SaQW9syw":3},{"article":4,"iocs":56},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"cb52ce27-82c1-49cd-ad0a-b6ebf0ec3892","How Qualys ETM Identity Detects Identity-Based Attacks Faster","how-qualys-etm-identity-detects-identity-based-attacks-faster-ea4400","Key Takeaways Identity-based attacks are among the fastest and most effective intrusion methods because valid credentials let attackers operate as trusted users. Techniques like Pass-the-Hash, Kerberoasting, Domain Controller Synchronization (DCSync), and Authentication Server Response Roasting (AS-REP Roasting) are common Active Directory (AD) attacks that exploit AD trust relationships. Qualys ETM Identity helps organizations discover risky […]","Identity-based attacks are a growing threat, leveraging stolen credentials and excessive privileges to bypass security. Techniques like Pass-the-Hash and Kerberoasting exploit Active Directory trust relationships. Qualys ETM Identity aims to improve detection and response by unifying identity posture, exploitability, and asset context into a single risk model, helping organizations discover risky identities and prioritize attack paths.","Qualys ETM Identity detects identity-based attacks faster by correlating identity and asset risk.","Table of ContentsWhy Identity-Based Attacks Are GrowingWhat Are Identity-Based Attacks?Common Types of Identity-Based AttacksWhat Is Identity Security Posture Management (ISPM)?How an ISPM Differs from Traditional Identity and Access Management (IAM) PlatformsWhy ISPM Matters for Identity Threat Detection and Response (ITDR)How Qualys ETM Identity Detects Identity RiskHow Qualys ETM Identity Helps Respond to Identity-Based AttacksFrom Identity Alerts to Measurable Risk ReductionHow ETM Identity Fits into the Qualys EnterpriseTruRiskPlatform (ETM)Frequently Asked Questions (FAQs) Key Takeaways Identity-based attacks are among the fastest and most effective intrusion methods because valid credentials let attackers operate as trusted users. Techniques like Pass-the-Hash, Kerberoasting, Domain Controller Synchronization (DCSync), and Authentication Server Response Roasting (AS-REP Roasting) are common Active Directory (AD) attacks that exploit AD trust relationships. Qualys ETM Identity helps organizations discover risky identities, correlate identity and asset risk, and prioritize attack paths based on real business impact. Detection and response improve dramatically when identity posture, exploitability, and asset context are unified into a single risk model. Qualys ETM Identity operationalizes identity risk reduction through attack path analysis, domain trust mapping, Identity TruRisk™ scoring, and automated remediation workflows. Why Identity-Based Attacks Are Growing Identity is a primary entry point because valid credentials are easier to exploit than hardened infrastructure. According to Flashpoint’s 2026 Global Threat Intelligence Report, more than 11.1 million machines were infected with infostealers in the last 12 months, resulting in 3.3 billion stolen credentials and cloud tokens. Cybercrime has shifted from “breaking in” to “logging in.” This shift is being driven by: Credential exposure: Phishing and infostealers have made stolen credentials widely available. Privilege sprawl: Access accumulates as employees change roles, projects end, and admin rights are rarely revoked. Inconsistent multi-factor authentication (MFA) coverage: MFA is rarely enforced consistently across applications, directories, and legacy systems. Directory misconfigurations: AD and Microsoft Entra ID environments accumulate stale accounts, weak group policies, and overly permissive trust relationships over time. Shadow admins: Nested group memberships and indirect entitlements grant effective admin rights that traditional access reviews fail to identify. Unmanaged service accounts and machine identities. According to the Cloud Security Alliance’s 2026 whitepaper, The Non-Human Identity Governance Vacuum, machine identities outnumber human ones by an average of 45:1 across enterprises and 144:1 in cloud-native environments, yet operate with elevated privileges and less oversight. What Are Identity-Based Attacks? Identity-based attacks abuse legitimate human or machine identities instead of exploiting software vulnerabilities. This includes: Compromising user accounts via phishing, password reuse, or session hijacking Abusing admin accounts with excessive or poorly governed privileges Exploiting service accounts and Application Programming Interface (API) credentials that are rarely rotated or reviewed Stealing authentication tokens to bypass login controls Common Types of Identity-Based Attacks Security teams don’t need to understand every identity attack technique. They need visibility into the attack patterns and techniques most commonly used in breaches, such as: Credential Theft and Account Takeover Credential theft is the most common entry point, via phishing, password reuse, infostealer malware, token theft, or session hijacking. Pass-the-Hash (PtH) allows attackers to reuse stolen NT LAN Manager (NTLM) hashes to authenticate without cracking passwords. Qualys ETM Identity helps identify the conditions that increase PtH risk, such as legacy NTLM authentication, weak or misconfigured authentication settings, cached credentials, excessive administrative privileges, and exposed lateral movement paths, by correlating identity and access data to reveal how a compromised hash can be used to move across systems. Privilege Escalation Privilege escalation turns a low-value account into a high-value one by exploiting excessive permissions, nested group memberships, or forgotten admin roles. Misconfigured group relationships can unintentionally grant Domain Admin–level access. Attackers use DCSync after obtaining elevated privileges, replicating password hashes and Kerberos secrets directly from a domain controller. DCSync exploits AD replication permissions to extract credential data, bypassing traditional detection. Qualys ETM Identity maps DCSync exposure in its identity graphs, surfacing identities with replication rights so risky relationships can be remediated before they are exploited. Lateral Movement Through Identity Paths Once an identity is compromised, attackers use trust relationships to pivot across resources and privileged accounts. Pass-the-Ticket (PtT) is a common technique used for lateral movement. By stealing valid Kerberos tickets (Ticket Granting Tickets (TGTs) or Ticket Granting Service tickets (TGSs) from memory, attackers can impersonate users across trusted systems without reauthenticating. Qualys ETM Identity visualizes trust relationships and uses Identity TruRisk™ scoring to quantify risk based on an identity’s criticality and the severity of its associated misconfigurations. Misconfigured AD and Entra ID AD and Microsoft Entra ID underpin enterprise identity and access management. Stale accounts, weak group policies, excessive standing permissions, and insecure identity configurations create access paths that go unnoticed until they are exploited. AS-REP Roasting demonstrates how a minor AD misconfiguration can enable AD attacks and become a serious exposure. When Kerberos pre-authentication is disabled for an AD account, attackers can request encrypted authentication data and attempt offline credential cracking without needing valid authentication. Qualys ETM Identity identifies accounts with disabled Kerberos pre-authentication and other risky identity configurations, helping teams remediate exposures before attackers can exploit them. Qualys WebinarLearn how AD, Entra ID, and Okta environments expose hidden privilege relationships and how to prioritize identity risk using attack path analysis and TruRisk™-based scoring.Watch Now What Is Identity Security Posture Management (ISPM)? ISPM continuously discovers identities, evaluates risk exposure, map attack paths, supports AD posture management, and prioritizes remediation based on business impact. How an ISPM Differs from Traditional Identity and Access Management (IAM) Platforms IAM determines who gets access and under what conditions. ISPM evaluates risk from access, including excessive privileges, misconfigurations, posture drift, and exploitable attack paths. Traditional IAM ISPM Primary Question Who can log in, and to what? How exposed are we because of who can log in? Focus Authentication, provisioning, access policies Continuous risk, posture, and exploitability Assessment Style Point-in-time provisioning and periodic reviews Continuous discovery and real-time risk scoring Business Context Limited to access policy Correlates identity risk with asset criticality and exploitability Outcome Access is granted correctly Risk from that access is measured and reduced Why ISPM Matters for Identity Threat Detection and Response (ITDR) ISPM provides the context needed for effective identity threat detection and response. An alert has limited value without understanding the user’s privileges, attack paths, and potential blast radius. Existing tools (IAM, Identity Governance and Administration (IGA), Privileged Access Management (PAM), ITDR) manage access or detect anomalies, but lack risk correlat","https:\u002F\u002Fblog.qualys.com\u002Fproduct-tech\u002F2026\u002F07\u002F14\u002Fhow-qualys-etm-identity-detects-responds-to-identity-based-attacks","https:\u002F\u002Fik.imagekit.io\u002Fqualys\u002Fwp-content\u002Fuploads\u002F2026\u002F07\u002FBlog-Images-1080x1080.Cloud_.Agent_.2025.Updates-5-3-1.png","2026-07-14T18:00:00+00:00","2026-07-14T18:00:23.675096+00:00",7,[18,21,24,27,29,31],{"name":19,"type":20},"ETM Identity","product",{"name":22,"type":23},"Qualys","vendor",{"name":25,"type":26},"Active Directory","technology",{"name":28,"type":26},"Microsoft Entra ID",{"name":30,"type":26},"Identity and Access Management",{"name":32,"type":26},"Identity Security Posture Management","2c8f44d4-b56e-47cf-9677-04f22c9ee78d",{"id":33,"icon":35,"name":36,"slug":37},null,"Identity & Access","identity-access",[39,44,46,51],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"02371804-cf6d-4449-98de-f1a2d4d9b266","Tools","tools",{"category":45},{"id":33,"icon":35,"name":36,"slug":37},{"category":47},{"id":48,"icon":35,"name":49,"slug":50},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":52},{"id":53,"icon":35,"name":54,"slug":55},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[57,60,64,67],{"type":50,"value":58,"context":59},"infostealers","Used to steal credentials and cloud tokens.",{"type":61,"value":62,"context":63},"mitre_attack","T1078","Valid Accounts: Default Accounts (used in identity-based attacks)",{"type":61,"value":65,"context":66},"T1558","Steal or Forge Credentials (includes Pass-the-Hash, Kerberoasting)",{"type":61,"value":68,"context":69},"T1003","OS Credential Dumping (includes DCSync)"]