Technical Deep Dive

Detecting Lateral Movement Through Identity: A Practical Guide to Spotting Kerberoasting, Pass-the-Ticket, and OAuth Token Abuse

Posted
August 16, 2025
Danny Perry
Co-Founder, Content Director

Identity Threat Detection and Response (ITDR) is reshaping how defenders think about lateral movement. Instead of exploiting endpoints or networks, attackers now move through identities, stealing service tickets, replaying tokens, or hijacking OAuth credentials to pivot silently.

This technical deep dive outlines exactly how engineers and architects can detect three critical identity-based lateral movement techniques across Active Directory, Azure AD, and cloud identity providers:

  • Kerberoasting
  • Pass-the-Ticket
  • OAuth Token Abuse

1. Detecting Kerberoasting in Active Directory

What happens during Kerberoasting?

Attackers enumerate service principal names (SPNs) in Active Directory, request Kerberos TGS tickets for services, and attempt offline password cracking against the ticket’s encrypted part.

If successful, they recover service account credentials and escalate privileges.

Kerberoasting most commonly targets RC4-HMAC encrypted tickets, but cracking attacks against AES-encrypted tickets are also possible, though slower and less reliable.

Key indicators to monitor

Logs to collect:

  • Windows Event ID 4769 (A Kerberos service ticket was requested)
  • Event ID 4771 (Kerberos pre-authentication failed)
  • LDAP queries against SPN attributes (optional deeper hunting)

Critical fields in Event ID 4769:

  • Service Name
  • Ticket Encryption Type
  • Client Address
  • Account Name (requestor)

Detection patterns:

  • High volume of TGS-REQs targeting multiple SPNs from a single host
  • TGS-REQs from unusual sources (e.g., an end-user device, not a service server)
  • Weak encryption types requested (RC4-HMAC), although AES monitoring is also recommended

Example SIEM Query (KQL for Sentinel):

    // Accounts that request many RC4-encrypted service tickets in a short window.
    // The SecurityEvent table exposes the 4769 client address as IpAddress.
    SecurityEvent
    | where EventID == 4769
    | where TicketEncryptionType == "0x17" // RC4-HMAC (AES tickets are 0x11 / 0x12)
    | where ServiceName !endswith "$" and ServiceName != "krbtgt" // skip machine accounts and the TGT service
    | summarize RequestCount = count(), DistinctSPNs = dcount(ServiceName) by Account, IpAddress, bin(TimeGenerated, 5m)
    | where RequestCount > 10
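As an added worked example (not part of the original post), the same detection logic as a stand-alone Python script that runs over constructed Event ID 4769 records: RC4 service-ticket requests are grouped by requesting account, client address and 5-minute bucket, and a key that touches more distinct SPNs than the threshold is alerted on. The field names are modelled on the Sentinel SecurityEvent columns for 4769, the encryption type codes are the standard Kerberos etype values, and every event in the sample is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption type codes as written in the 4769 TicketEncryptionType field.
ETYPE_NAMES = {
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
}
RC4_ETYPES = {"0x17", "0x18"}


def time_bucket(ts, minutes=5):
    """Floor a timestamp to the start of its n-minute bucket (KQL bin(TimeGenerated, 5m))."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def is_user_spn(service_name):
    """Machine accounts end in '$' and krbtgt is the TGT service; their tickets are not
    what a Kerberoaster is after, so they are excluded to cut noise."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, max_distinct_spns=3, rc4_only=True):
    """Group 4769 events by (requesting account, client address, 5-minute bucket) and
    alert when one key requested tickets for more than max_distinct_spns distinct SPNs.
    rc4_only=False applies the same logic to AES tickets as well."""
    spns_by_key = defaultdict(set)
    etypes_by_key = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 4769 or not is_user_spn(ev["ServiceName"]):
            continue
        if rc4_only and ev["TicketEncryptionType"] not in RC4_ETYPES:
            continue
        key = (ev["Account"], ev["IpAddress"], time_bucket(ev["TimeGenerated"]))
        spns_by_key[key].add(ev["ServiceName"])
        etypes_by_key[key].add(ev["TicketEncryptionType"])

    alerts = []
    for key in sorted(spns_by_key):
        spns = spns_by_key[key]
        if len(spns) > max_distinct_spns:
            account, ip, bucket = key
            alerts.append({
                "account": account,
                "ip": ip,
                "bucket": bucket.isoformat(),
                "distinct_spns": len(spns),
                "spns": sorted(spns),
                "etypes": sorted(ETYPE_NAMES.get(e, e) for e in etypes_by_key[key]),
            })
    return alerts


def _tgs_request(ts, account, ip, spn, etype="0x17"):
    """Build a minimal 4769-like record (field names modelled on the SecurityEvent table)."""
    return {"EventID": 4769, "TimeGenerated": ts, "Account": account,
            "IpAddress": ip, "ServiceName": spn, "TicketEncryptionType": etype}


# Constructed sample: one workstation bulk-requesting RC4 tickets for five service
# accounts inside 40 seconds, next to ordinary traffic that should not alert.
T0 = datetime(2025, 8, 16, 9, 0, 0)
SAMPLE_EVENTS = [
    _tgs_request(T0 + timedelta(seconds=10 * i), "CORP\\jdoe", "10.0.5.23", spn)
    for i, spn in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sharepoint", "svc_ftp"])
] + [
    _tgs_request(T0 + timedelta(minutes=1), "CORP\\svc_app", "10.0.1.10", "svc_sql"),  # same SPN twice: normal
    _tgs_request(T0 + timedelta(minutes=2), "CORP\\svc_app", "10.0.1.10", "svc_sql"),
    _tgs_request(T0 + timedelta(minutes=3), "WS01$", "10.0.5.40", "DC01$"),            # machine-to-machine
    _tgs_request(T0 + timedelta(minutes=4), "CORP\\alice", "10.0.5.41", "svc_web", etype="0x12"),  # AES
]

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct SPNs rather than raw requests is what separates a Kerberoasting sweep from a busy but legitimate client that hits the same service repeatedly; the machine-account and krbtgt filter removes the bulk of benign 4769 volume on a domain controller before any threshold is applied.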

2. Detecting Pass-the-Ticket Attacks

What happens during Pass-the-Ticket?

An attacker steals a valid Kerberos ticket (TGT or TGS) from a compromised machine and reuses it elsewhere to access resources.

Since no password is entered, traditional login event monitoring often misses it.

Key indicators to monitor

Logs to collect:

  • Windows Event ID 4769 (TGS requested)
  • Windows Event ID 4624 (Successful logon)

Critical fields:

  • Client Address
  • Logon Process
  • Authentication Package
  • Target Server Name

Detection patterns:

  • Kerberos tickets presented from an IP address different from the one the ticket was issued to
  • New Kerberos sessions without corresponding interactive logon (e.g., no Event ID 4624 Type 2/10)
  • Logon Process field showing “Kerberos” but from unexpected systems

Example SIEM Query (KQL for Sentinel):

    // Accounts whose Kerberos logons arrive from an unusual number of source addresses per hour.
    // The SecurityEvent table exposes the 4624 source address as IpAddress.
    SecurityEvent
    | where EventID == 4624
    | where AuthenticationPackageName == "Kerberos"
    | where IpAddress !in ("-", "127.0.0.1", "::1") // local logons carry no usable source address
    | project TimeGenerated, TargetUserName, IpAddress, LogonType
    | summarize distinct_hosts = dcount(IpAddress) by TargetUserName, bin(TimeGenerated, 1h)
    | where distinct_hosts > 3
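As an added worked example (not part of the original post), here is the first detection pattern above as a correlation rather than a count: 4769 records which client address each account's service ticket was issued to, and a later 4624 Kerberos network logon for that account from an address that received no ticket within the ticket lifetime is flagged. Field names follow the SecurityEvent columns for 4769 and 4624; the account-name normalisation, the 10-hour default lifetime, and all sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)        # default AD service-ticket lifetime (assumption)
LOCAL_ADDRESSES = {"-", "127.0.0.1", "::1"}  # logons that carry no usable source address


def normalize_ip(ip):
    """SecurityEvent often writes IPv4 addresses as IPv4-mapped IPv6 ('::ffff:10.0.0.5')."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def account_key(name):
    """Reduce 'CORP\\bob', 'bob@CORP.LOCAL' and 'bob' to one comparison key (assumption:
    4769 Account and 4624 TargetUserName differ only in domain decoration)."""
    return name.split("\\")[-1].split("@")[0].lower()


def detect_pass_the_ticket(events, lifetime=TICKET_LIFETIME):
    """Walk events in time order. Each 4769 records which client address an account's
    service ticket was issued to. A later 4624 Kerberos network logon for that account
    from an address that received no ticket inside `lifetime` is flagged: the ticket
    was minted for one host and presented from another."""
    issued_to = defaultdict(list)  # account key -> [(issue_time, client_ip)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        ts = ev["TimeGenerated"]
        if ev["EventID"] == 4769:
            issued_to[account_key(ev["Account"])].append((ts, normalize_ip(ev["IpAddress"])))
            continue
        if ev["EventID"] != 4624 or ev["AuthenticationPackageName"] != "Kerberos":
            continue
        if ev["LogonType"] != 3:  # only network logons present a service ticket to a remote host
            continue
        user, src = account_key(ev["TargetUserName"]), normalize_ip(ev["IpAddress"])
        if src in LOCAL_ADDRESSES:
            continue
        window_ips = {ip for t, ip in issued_to[user] if ts - lifetime <= t <= ts}
        # No issuance in the window at all is not flagged: the log window may simply
        # start after the ticket was issued. Keep 4769 retention at least one lifetime.
        if window_ips and src not in window_ips:
            alerts.append({
                "user": user,
                "target": ev["Computer"],
                "presented_from": src,
                "issued_to": sorted(window_ips),
                "time": ts.isoformat(),
            })
    return alerts


def _tgs(ts, account, ip, spn):
    return {"EventID": 4769, "TimeGenerated": ts, "Account": account,
            "IpAddress": ip, "ServiceName": spn}


def _logon(ts, user, ip, computer, package="Kerberos", logon_type=3):
    return {"EventID": 4624, "TimeGenerated": ts, "TargetUserName": user, "IpAddress": ip,
            "Computer": computer, "AuthenticationPackageName": package, "LogonType": logon_type}


# Constructed sample: bob's ticket for FS01 is issued to 10.0.5.23 and then shows up
# from 10.0.9.77 half an hour later. Everything else is benign or out of scope.
T0 = datetime(2025, 8, 16, 10, 0, 0)
SAMPLE_EVENTS = [
    _tgs(T0, "CORP\\bob", "10.0.5.23", "FS01$"),
    _logon(T0 + timedelta(minutes=1), "bob", "::ffff:10.0.5.23", "FS01"),          # matches issuance
    _logon(T0 + timedelta(minutes=30), "bob", "10.0.9.77", "FS01"),                # presented elsewhere
    _tgs(T0 + timedelta(minutes=40), "carol@CORP.LOCAL", "::ffff:10.0.5.50", "FS01$"),
    _logon(T0 + timedelta(minutes=41), "carol", "10.0.5.50", "FS01"),              # matches issuance
    _logon(T0 + timedelta(minutes=50), "dave", "10.0.5.60", "FS01"),               # no 4769 seen: not judged
    _logon(T0 + timedelta(minutes=55), "bob", "10.0.9.77", "FS01", package="NTLM"),  # not Kerberos
    _logon(T0 + timedelta(minutes=56), "bob", "-", "WS01", logon_type=2),          # console logon
    _logon(T0 + timedelta(hours=11), "bob", "10.0.9.78", "FS01"),                  # ticket already expired
]

if __name__ == "__main__":
    for alert in detect_pass_the_ticket(SAMPLE_EVENTS):
        print(alert)
```

The lifetime window matters in both directions: too short and a legitimately cached ticket looks orphaned, too long and a stale issuance from the same workstation masks a later replay. Tie it to the service-ticket lifetime your domain actually enforces, which the hardening section below recommends shortening.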

3. Detecting OAuth Token Abuse in Cloud Environments

What happens during OAuth Token Abuse?

Attackers phish, steal, or compromise access tokens and refresh tokens used by cloud apps or users. These tokens often have broad scopes, allowing attackers to access APIs or services undetected.

OAuth token abuse is a growing blind spot because many detection setups focus only on initial sign-in, not ongoing token use.

Critically, refresh tokens allow attackers to generate new access tokens without user interaction, often slipping past traditional sign-in monitoring.

Key indicators to monitor

Logs to collect:

  • Azure AD SignInLogs
  • Azure AD AuditLogs
  • Google Workspace OAuth logs
  • AWS CloudTrail logs (for STS tokens and assumed roles)

Critical fields (Azure AD example):

  • ClientAppUsed
  • ResourceDisplayName
  • AuthenticationRequirement
  • ConditionalAccessStatus
  • RiskLevelDuringSignIn
  • TokenIssuerType (to spot unusual refresh token use)

Detection patterns:

  • Sign-ins using access tokens from new geographies or devices
  • Refresh tokens reused from unfamiliar IP addresses or geolocations
  • New OAuth applications consented by users or admins unexpectedly

Example SIEM Query (KQL for Azure AD OAuth abuse):

    // Users with repeated sign-ins from rich clients that did not satisfy Conditional Access,
    // grouped by source IP and hour.
    SigninLogs
    | where ClientAppUsed == "Mobile Apps and Desktop Clients"
    | where ConditionalAccessStatus != "success"
    | summarize CountByIP = count() by IPAddress, UserPrincipalName, bin(TimeGenerated, 1h)
    | where CountByIP > 5
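As an added worked example (not part of the original post), the first two detection patterns above as a first-seen baseline in Python: successful interactive sign-ins before a cut-off define the countries and IPs each user normally authenticates from, and later non-interactive (token or refresh-token) sign-ins from a country outside that baseline, or from a user with no interactive history, are flagged. A second function covers the third pattern by checking AuditLogs consent operations against a reviewed-apps list. Field names are modelled on the Azure AD SigninLogs and AuditLogs columns; the simplified Location value (a bare country code rather than the JSON object the real column holds), the flattened TargetApp field, the allowlist and every record are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime


def build_location_baseline(signins, cutoff):
    """Per user: the countries and IPs seen in successful interactive sign-ins before
    `cutoff`. Interactive sign-ins are where Conditional Access and MFA were actually
    enforced, which makes them a safer baseline than token redemptions."""
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    for s in signins:
        if s["TimeGenerated"] >= cutoff or not s["IsInteractive"] or s["ResultType"] != "0":
            continue
        entry = baseline[s["UserPrincipalName"]]
        entry["countries"].add(s["Location"])
        entry["ips"].add(s["IPAddress"])
    return dict(baseline)


def detect_token_anomalies(signins, baseline, since):
    """Flag successful non-interactive (token / refresh-token) sign-ins at or after
    `since` that come from a country the user never signed in from interactively, or
    from a user with no interactive history at all. A new IP inside a known country is
    deliberately not an alert on its own: mobile users change addresses constantly."""
    alerts = []
    for s in sorted(signins, key=lambda e: e["TimeGenerated"]):
        if s["TimeGenerated"] < since or s["IsInteractive"] or s["ResultType"] != "0":
            continue
        user, known, reasons = s["UserPrincipalName"], baseline.get(s["UserPrincipalName"]), []
        if known is None:
            reasons.append("no interactive sign-in history for user")
        elif s["Location"] not in known["countries"]:
            reasons.append(f"token used from new country {s['Location']}")
        if reasons and s.get("AuthenticationRequirement") == "singleFactorAuthentication":
            reasons.append("single-factor token redemption")
        if reasons:
            alerts.append({"user": user, "ip": s["IPAddress"], "country": s["Location"],
                           "app": s["AppDisplayName"], "resource": s["ResourceDisplayName"],
                           "time": s["TimeGenerated"].isoformat(), "reasons": reasons})
    return alerts


REVIEWED_APPS = {"Contoso Expense Portal"}  # constructed allowlist of consents already reviewed


def detect_unexpected_consents(audit_events, reviewed=REVIEWED_APPS):
    """'Consent to application' audit operations for apps not on the reviewed list.
    TargetApp is a flattened stand-in for the displayName found in TargetResources."""
    return [{"user": e["InitiatedBy"], "app": e["TargetApp"], "time": e["TimeGenerated"].isoformat()}
            for e in audit_events
            if e["OperationName"] == "Consent to application" and e["TargetApp"] not in reviewed]


def _signin(ts, upn, ip, country, interactive, result="0", auth_req="multiFactorAuthentication"):
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "IPAddress": ip, "Location": country,
            "IsInteractive": interactive, "ResultType": result, "AuthenticationRequirement": auth_req,
            "AppDisplayName": "Office 365 Exchange Online", "ResourceDisplayName": "Microsoft Graph"}


# Constructed sample: sign-ins before CUTOFF train the baseline, later ones are scanned.
CUTOFF = datetime(2025, 8, 15)
ALICE, BOB, DAVE = "alice@contoso.example", "bob@contoso.example", "dave@contoso.example"
SAMPLE_SIGNINS = [
    _signin(datetime(2025, 8, 10, 9), ALICE, "203.0.113.10", "AU", interactive=True),
    _signin(datetime(2025, 8, 12, 9), ALICE, "203.0.113.11", "AU", interactive=True),
    _signin(datetime(2025, 8, 11, 8), BOB, "198.51.100.7", "AU", interactive=True),
    _signin(datetime(2025, 8, 15, 10), ALICE, "203.0.113.10", "AU", interactive=False),  # known location
    _signin(datetime(2025, 8, 15, 11), ALICE, "192.0.2.44", "NL", interactive=False,
            auth_req="singleFactorAuthentication"),                                        # new country, no MFA
    _signin(datetime(2025, 8, 15, 12), BOB, "198.51.100.9", "AU", interactive=False),      # new IP only
    _signin(datetime(2025, 8, 15, 13), BOB, "192.0.2.99", "US", interactive=False, result="50126"),  # failed
    _signin(datetime(2025, 8, 16, 9), DAVE, "203.0.113.50", "AU", interactive=False),      # no history
]
SAMPLE_AUDIT = [
    {"TimeGenerated": datetime(2025, 8, 15, 14), "OperationName": "Consent to application",
     "InitiatedBy": BOB, "TargetApp": "Contoso Expense Portal"},
    {"TimeGenerated": datetime(2025, 8, 15, 15), "OperationName": "Consent to application",
     "InitiatedBy": ALICE, "TargetApp": "Mail Sync Helper"},
    {"TimeGenerated": datetime(2025, 8, 15, 16), "OperationName": "Update user",
     "InitiatedBy": "admin@contoso.example", "TargetApp": ""},
]

if __name__ == "__main__":
    baseline = build_location_baseline(SAMPLE_SIGNINS, CUTOFF)
    for alert in detect_token_anomalies(SAMPLE_SIGNINS, baseline, CUTOFF):
        print(alert)
    for consent in detect_unexpected_consents(SAMPLE_AUDIT):
        print(consent)
```

Building the baseline only from interactive sign-ins is the design choice worth copying: it is the one place the user was actually challenged, so a token redemption that falls outside it cannot be explained away as a policy-approved session. In a live tenant the non-interactive records come from the separate non-interactive sign-in log rather than SigninLogs, so the two sources need to be unioned before the same logic applies.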

Hardening Best Practices to Reduce Risk

Detection is critical, but proactive hardening dramatically reduces the likelihood of successful identity-based lateral movement.

For Active Directory:

  • Disable RC4 encryption where possible. Force AES encryption for Kerberos tickets.
  • Reduce Kerberos ticket lifetime (TGT) and service ticket lifetime (TGS).
  • Limit SPN assignments to only necessary service accounts.
  • Regularly rotate service account passwords, especially for high-privilege accounts.

For Azure AD and Cloud Environments:

  • Enforce Conditional Access requiring device compliance and user risk assessments.
  • Review and revoke unused OAuth consents regularly.
  • Limit OAuth app permissions to least privilege.
  • Enable token protection policies to bind tokens to device identities where supported.
  • Monitor refresh token usage anomalies alongside access token use.

Across environments:

  • Centralise identity telemetry into your SIEM or XDR for full visibility.
  • Regularly hunt for abnormal authentication flows, not just malware indicators.
  • Incorporate ITDR-specific detections into your SOC playbooks.

The goal is not just to detect lateral movement, but to make it far more difficult for attackers to achieve in the first place.

Conclusion

Identity-based lateral movement techniques such as Kerberoasting, Pass-the-Ticket, and OAuth token abuse are no longer rare; they have become common tactics for attackers seeking to move quietly and escalate privileges.

Traditional endpoint or network-based detections are no longer enough. Engineers and architects must actively build identity-specific detections, telemetry integrations, and correlation logic into their detection pipelines.

By doing so, organisations can reduce attacker dwell time, protect critical resources, and regain visibility in an identity-first threat landscape.
