What Are Identity-Based Attacks? Types and Defenses

An identity-based attack is a cyberattack that targets credentials and authentication (passwords, hashes, Kerberos tickets, and session tokens) to gain access to systems and data as a legitimate user.

In its 2026 Global Threat Report, CrowdStrike found that 82% of detections were malware-free. The attacker did not drop a payload your EDR could flag. They logged in. They used a valid username and a valid password, or a valid token, and to every control that watches for malicious files, the session looked like an employee starting their day.

That is the shape of an identity-based attack. The adversary does not break the door; they carry a key. Once inside as a legitimate user, they inherit that user's access, blend into normal traffic, and move toward whatever the account can reach. The same report puts the average eCrime breakout time, the gap between initial access and the first lateral move, at 29 minutes, with the fastest observed run at 27 seconds. Stolen identity plus speed is the core of the modern intrusion.

This guide defines identity-based attacks, walks through the eight techniques defenders see most, explains why they slip past signature-based tooling, and covers the controls that actually hold. It is written for blue teams: SOC analysts, threat hunters, and identity practitioners who are now triaging "impossible travel" and anomalous logons far more often than malware alerts.

What is an identity-based attack?

An identity-based attack is a cyberattack that targets credentials and authentication, usernames, passwords, hashes, Kerberos tickets, session cookies, and tokens, to gain access to systems and data as a legitimate user. The goal is not to exploit a software flaw. It is to become a valid account.

That framing matters because it changes what you are defending. A vulnerability gets patched. An identity does not. Every employee, service account, and machine identity is a standing credential that an attacker can phish, guess, crack, or steal. The attack surface is your entire directory, and it does not shrink when you patch.

Identity is now the dominant intrusion path, not a niche one. CrowdStrike notes that five of the top ten MITRE ATT&CK tactics are identity-based, spanning initial access, credential access, lateral movement, and privilege escalation. When the majority of intrusions are malware-free, the question for a defender shifts from "what executed" to "who logged in, and is it really them."

The eight common types of identity-based attacks

Figure: the identity-based attack chain. No malware; every step is a valid login. One stolen credential walks from inbox to domain dominance, with no file to quarantine and no exploit to block.

1. Initial access: phishing. A fake login page harvests the password; the user opens the door.
2. Valid logon: authorized session. The attacker is now a real user, and antivirus sees nothing wrong.
3. Lateral movement: pass-the-hash. A stolen NTLM hash replays across machines; no cracking needed.
4. Privilege escalation: Kerberoasting. A service ticket is cracked offline for a privileged account.
5. Domain dominance: Golden Ticket (MITRE T1558). The KRBTGT hash forges tickets for any account, anytime.

Defender takeaway: there is no file to catch at any step. Detect on identity behavior (impossible travel, abnormal ticket requests, a service account logging on interactively) and contain with least privilege so one stolen credential is not the whole domain.

Identity attacks span the full lifecycle, from harvesting a first credential to forging the keys to the entire domain. The table maps the eight most common techniques to what the attacker targets and where in an intrusion they typically appear. The sections after it break down the ones worth understanding in depth.

Attack | What it targets | Where it appears
Phishing and social engineering | The user, to hand over credentials or MFA approval | Initial access
Credential stuffing | Reused passwords from prior breaches | Initial access
Password spraying | Weak, common passwords across many accounts | Initial access
Pass-the-hash | The NTLM password hash, no plaintext needed | Lateral movement
Kerberoasting | Service account credentials via Kerberos tickets | Credential access, privilege escalation
Golden Ticket | The KRBTGT account hash, to forge any ticket | Domain dominance
Silver Ticket | A single service's secret, to forge service tickets | Targeted access, persistence
Adversary-in-the-middle (MITM) | The live session, to steal tokens and bypass MFA | Initial access

Phishing and social engineering

This is the most common entry point, and it remains so because it targets the person, not the system. A phishing email or fake login page harvests the password directly from the user. Modern campaigns go further: a real-time proxy page relays the victim's credentials and one-time code to the attacker as they type, defeating basic MFA. Social engineering also shows up as vishing, the help-desk caller who talks an agent into resetting a password or registering a new MFA device. CrowdStrike's 2026 report recorded a 563% jump in fake CAPTCHA lures, a technique that walks the victim into running attacker commands. No exploit is needed when the user opens the door.

Credential stuffing and password spraying

Both are large-scale guessing attacks, and they differ in direction. Credential stuffing replays username and password pairs leaked in earlier breaches, betting that people reuse passwords across sites. Password spraying flips it: take one common password, such as a season-and-year combination, and try it against many accounts at once, staying under the lockout threshold each account enforces. Both are forms of brute-force attack tuned to avoid the alarms that classic brute forcing trips. The defense is the same in spirit: stop password reuse, enforce length and complexity, and rate-limit authentication.

Pass-the-hash

In a Windows network, the system often authenticates with a hash of the password rather than the password itself. Pass-the-hash steals that NTLM hash from a compromised host's memory and replays it to authenticate as the user, no cracking required. It is a workhorse of lateral movement: an attacker who lands on one machine and dumps a local admin hash can often reuse it across every other machine that shares that account. This is why local administrator password reuse across a fleet is so dangerous, and why tools that randomize local admin passwords exist.

Kerberoasting

Kerberoasting abuses a normal feature of Kerberos. Any authenticated domain user can request a service ticket for an account that runs a service, and part of that ticket is encrypted with the service account's password hash. The attacker requests the ticket, takes it offline, and cracks it at their own pace, with no failed-logon noise in the directory. Service accounts are the prize because they are often over-privileged and set with old, weak, never-expiring passwords. The fix is long, random, managed passwords for service accounts and alerting on abnormal ticket requests.
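The two "quiet" techniques above, password spraying and Kerberoasting, share a detection shape: one principal touching many distinct targets inside a short window. The following is an added example (not CrowdStrike's tooling or code) that runs that logic over a constructed sample of Windows Security events; the event IDs (4625 failed logon, 4769 service ticket requested) and the RC4 encryption type value 0x17 are real, while the hosts, users, SPNs and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(event_id, ts, **fields):
    """Build one minimal Windows Security event (constructed sample, not a real log)."""
    return {"id": event_id, "ts": ts, **fields}

# Constructed sample events. 10.0.0.9 fails once against six accounts in a minute
# (spray shape); 10.0.0.20 is a user mistyping their own password; "mallory"
# requests RC4 (0x17) service tickets for six SPNs in a minute (Kerberoast shape);
# "carol" requests two AES (0x12) tickets over twenty minutes (normal use).
EVENTS = [
    *[ev(4625, f"2026-03-02T08:00:{i:02d}", src="10.0.0.9", user=u)
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    ev(4625, "2026-03-02T08:05:00", src="10.0.0.20", user="alice"),
    ev(4625, "2026-03-02T08:05:09", src="10.0.0.20", user="alice"),
    *[ev(4769, f"2026-03-02T09:10:{i:02d}", user="mallory", enc="0x17",
         spn=f"MSSQLSvc/db{i}.corp.example:1433") for i in range(6)],
    ev(4769, "2026-03-02T09:12:00", user="carol", enc="0x12", spn="HTTP/intranet.corp.example"),
    ev(4769, "2026-03-02T09:30:00", user="carol", enc="0x12", spn="cifs/files.corp.example"),
]

def windowed_distinct(events, key, value, window, threshold):
    """Return {key: count} for keys that touch >= threshold distinct `value`s
    within any sliding `window` (a timedelta). Events are grouped by `key`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append((datetime.fromisoformat(e["ts"]), e[value]))
    hits = {}
    for k, items in by_key.items():
        items.sort(key=lambda x: x[0])
        for i, (t0, _) in enumerate(items):
            seen = {v for t, v in items[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                hits[k] = len(seen)
                break
    return hits

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One source IP failing against many distinct accounts, few tries each."""
    failed = [e for e in events if e["id"] == 4625]
    return windowed_distinct(failed, "src", "user", window, min_accounts)

def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=5):
    """One user requesting RC4-encrypted service tickets for many distinct SPNs.
    RC4 (0x17) is the type offline cracking favors; in AES-only domains the
    encryption-type filter should be dropped and the SPN burst alone used."""
    tickets = [e for e in events if e["id"] == 4769 and e.get("enc") == "0x17"]
    return windowed_distinct(tickets, "user", "spn", window, min_spns)

if __name__ == "__main__":
    print("spray sources:", detect_password_spray(EVENTS))
    print("kerberoast users:", detect_kerberoasting(EVENTS))
```

Thresholds are the tuning knobs: the spray threshold sits below the directory's lockout policy so the attacker's own evasion (few attempts per account) becomes the signal.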

Golden Ticket and Silver Ticket attacks

These are forgery attacks, and they represent the deep end of Active Directory compromise. A Golden Ticket attack uses the hash of the KRBTGT account, the account that signs every Kerberos ticket in the domain, to forge ticket-granting tickets for any user, including a fabricated domain administrator. With the KRBTGT hash, an attacker can mint valid-looking access to anything, anytime, which is full domain dominance. A Silver Ticket is narrower: it forges a service ticket using a single service's secret, granting access to that one service while making less noise. Reaching a Golden Ticket usually means the attacker already owns the domain, so the priority is detecting the earlier steps and rotating the KRBTGT password if compromise is suspected.

Adversary-in-the-middle and MFA bypass

When MFA blocks password theft, attackers move to stealing the session. An adversary-in-the-middle attack, the modern face of the man-in-the-middle technique, places a reverse proxy between the user and the real site. The victim authenticates for real, MFA and all, and the proxy captures the resulting session cookie. With that cookie, the attacker resumes the authenticated session without ever knowing the password or the second factor. This is why phishing-resistant MFA, which binds the credential to the legitimate domain, matters more than MFA alone.

Why identity attacks evade traditional defenses

The reason these attacks work is structural, not a gap in any one product. Three properties make them hard.

They use valid credentials, so they look legitimate. An antivirus engine and a signature-based IDS are built to spot malicious code and known-bad patterns. A correct password on a normal logon is neither. The session is authorized by definition. There is no file to quarantine and no exploit to block, which is exactly why malware-free intrusions now dominate the data.

They abuse features, not flaws. Kerberoasting, pass-the-hash, and ticket forgery are not exploits of broken software. They use authentication exactly as designed. You cannot patch your way out, because there is no bug to patch. Defense means hardening configuration and watching behavior, not waiting for a fix.

They move fast and blend in. Once an attacker holds valid access, lateral movement looks like ordinary administration. With an average breakout time under half an hour, the window to catch the intrusion before it spreads is short, and the activity you are hunting for is camouflaged as routine account use. The signal is not a bad file; it is a good account doing something it normally does not.

The consequence: detection has to shift from artifacts to behavior. You are no longer asking whether a file is malicious. You are asking whether this login, from this place, at this time, doing these things, fits the identity it claims to be.

How to defend against identity-based attacks

There is no single control that stops identity attacks, because identity is everywhere. The durable posture layers prevention, identity-aware detection, and least privilege so that one stolen credential does not become domain control. Four areas carry the weight.

Deploy phishing-resistant MFA, broadly. MFA remains the highest-leverage control, but not all MFA is equal. SMS and push codes can be phished or relayed by an adversary-in-the-middle proxy. Phishing-resistant factors, FIDO2 security keys and passkeys, bind the credential to the real domain, so a proxy site cannot reuse it. Apply MFA everywhere it fits, and prioritize the phishing-resistant kind for admins and high-value accounts.

Adopt least privilege and zero trust. Most identity attacks escalate because the first account they steal can reach too much. Enforce least privilege so a compromised user account is a small blast radius, not a launchpad. A zero trust model assumes no implicit trust and verifies every request continuously, which limits how far a valid-but-stolen credential travels. Tier your administrative accounts and keep domain admin off ordinary workstations.

Detect on identity behavior, not signatures. Because the credential is valid, the tell is the behavior around it: impossible travel, a logon from a new country, a user suddenly requesting many service tickets, a service account interactively logging on, access at an unusual hour. Behavioral analytics and identity threat detection watch for these deviations from each identity's baseline, which is the detection model that survives malware-free attacks. Feed authentication and directory logs into your SIEM and alert on the anomalies, not the absent malware.
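Two of the behavioral tells named above, impossible travel and a service account logging on interactively, can be expressed directly against sign-in records. This is an added example (not a vendor's analytics) over constructed sign-in data; the coordinates are approximate city centers, the 900 km/h plausibility ceiling and the "svc-" naming convention are assumptions, and the Windows logon type values (2 interactive, 3 network, 10 RemoteInteractive) are real.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0          # assumption: roughly airliner speed
INTERACTIVE_LOGON_TYPES = {2, 10}  # 2 = console logon, 10 = RDP; 3 = network is normal for services

def si(user, ts, city, lat, lon, logon_type):
    """One constructed sign-in record (not real data)."""
    return {"user": user, "ts": ts, "city": city, "lat": lat, "lon": lon, "logon_type": logon_type}

SIGNINS = [
    si("alice", "2026-03-02T08:00:00", "Chicago", 41.88, -87.63, 10),
    si("alice", "2026-03-02T08:45:00", "Kyiv", 50.45, 30.52, 10),       # 45 min later, ~8100 km away
    si("bob", "2026-03-02T09:00:00", "Chicago", 41.88, -87.63, 10),
    si("bob", "2026-03-02T17:30:00", "New York", 40.71, -74.01, 10),   # a plausible flight
    si("svc-backup", "2026-03-02T02:00:00", "Chicago", 41.88, -87.63, 3),   # network logon: expected
    si("svc-backup", "2026-03-02T11:15:00", "Chicago", 41.88, -87.63, 2),   # console logon: not expected
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append((datetime.fromisoformat(s["ts"]), s))
    alerts = []
    for user, items in by_user.items():
        items.sort(key=lambda x: x[0])
        for (t0, a), (t1, b) in zip(items, items[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (t1 - t0).total_seconds() / 3600
            # Two cities in the same instant is also impossible, so treat zero time as infinite speed.
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from": a["city"], "to": b["city"],
                               "km": round(km), "kmh": round(speed)})
    return alerts

def service_account_interactive(signins, prefix="svc-"):
    """Service accounts should authenticate as a service or over the network, never at a console or via RDP."""
    return [s for s in signins
            if s["user"].startswith(prefix) and s["logon_type"] in INTERACTIVE_LOGON_TYPES]

if __name__ == "__main__":
    print(impossible_travel(SIGNINS))
    print(service_account_interactive(SIGNINS))
```

Both checks are baseline-relative: the speed ceiling and the list of accounts that may never log on interactively are the per-environment knobs, and VPN egress or shared NAT can shift geolocation, so the source of the coordinates needs the same scrutiny as the rule.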

Harden the directory and kill password reuse. Many techniques depend on weak directory hygiene. Give service accounts long, random, managed passwords to blunt Kerberoasting. Randomize and rotate local administrator passwords to break pass-the-hash reuse. Monitor for and rotate the KRBTGT hash to limit Golden Ticket exposure. Eliminate password reuse and stale, over-privileged accounts. Strong Active Directory security removes the conditions these attacks rely on.

No layer is sufficient alone. MFA can be bypassed, so you also need behavioral detection. Detection can be evaded, so you also need least privilege to contain the damage. The defensible stance treats identity as the perimeter and builds depth around it.

The bottom line

Identity-based attacks target credentials and authentication to operate as a legitimate user, and they are now the main way intrusions happen. With most detections malware-free and breakout times measured in minutes, the adversary's advantage is that a stolen login looks exactly like a real one. The eight common techniques, from phishing and password spraying to pass-the-hash and ticket forgery, all share that trait: they abuse valid identity rather than break software.

The defense is not exotic, but it is a shift in mindset. Treat identity as the perimeter. Deploy phishing-resistant MFA, enforce least privilege and zero trust, detect on identity behavior rather than file signatures, and harden the directory so a single stolen credential cannot become domain dominance. For a blue team, the work moved from quarantining files to verifying who is logged in, and whether it is really them.

Frequently Asked Questions

What is an identity-based attack?

An identity-based attack is a cyberattack that targets credentials and authentication, such as usernames, passwords, password hashes, Kerberos tickets, and session tokens, to gain access to systems and data as a legitimate user. The attacker does not exploit a software vulnerability; they become a valid account, which lets the malicious session blend in with normal activity.

What are the most common types of identity-based attacks?

The most common are phishing and social engineering, credential stuffing, password spraying, pass-the-hash, Kerberoasting, Golden Ticket and Silver Ticket attacks, and adversary-in-the-middle attacks that steal session tokens. They span the intrusion lifecycle, from harvesting a first credential to forging the keys that grant control of an entire Active Directory domain.

Why are identity-based attacks so hard to detect?

They use valid credentials, so they look legitimate to antivirus and signature-based tools that hunt for malicious files. Many also abuse authentication features as designed, like Kerberos, so there is no bug to patch. With most intrusions now malware-free, the only reliable signal is behavioral: a logon or access pattern that does not fit the identity claiming it.

How is an identity-based attack different from malware?

Malware relies on running malicious code that a security tool can detect, quarantine, or block. An identity-based attack uses legitimate credentials and authentication, so there is often no file or exploit to catch. CrowdStrike's 2026 report found 82% of detections were malware-free, which reflects how far attackers have shifted toward logging in over breaking in.

How do you defend against identity-based attacks?

Layer the controls. Deploy phishing-resistant MFA such as FIDO2 keys and passkeys, enforce least privilege and a zero trust model so a stolen credential reaches little, detect on identity behavior rather than signatures, and harden the directory with managed service-account passwords, local admin password rotation, and KRBTGT monitoring. No single control is enough, because MFA can be bypassed and detection can be evaded.

What is breakout time and why does it matter?

Breakout time is the gap between an attacker's initial access and their first lateral move to another system. CrowdStrike's 2026 Global Threat Report put the average at 29 minutes, with the fastest observed run at 27 seconds. It matters because it defines how little time defenders have to detect and contain an identity-based intrusion before it spreads across the network.
