Pass-the-Hash detection with Sysmon — comprehensive monitoring and response guide

Pass-the-Hash Detection with Sysmon: Event Guide (2026)

Pass-the-Hash attacks represent the most critical lateral movement vector in Windows environments, turning a single compromised endpoint into domain-wide catastrophe within hours. An attacker dumps NTLM hashes from memory using tools like Mimikatz, then authenticates to remote systems without cracking passwords — bypassing detection mechanisms focused on failed login attempts. Sysmon Event ID 10 provides the definitive detection capability for credential dumping by monitoring process memory access against the Local Security Authority Subsystem Service (LSASS). This guide delivers comprehensive Pass-the-Hash detection with Sysmon: configuration for memory access monitoring, analysis patterns for LSASS interactions, SIEM integration strategies, and incident response workflows that stop lateral movement before attackers achieve domain persistence. ...

June 8, 2026 · 14 min · 2833 words · CyberSecurity Elite Team
ADFS security hardening guide — token signing, claim rules, Golden SAML defence

ADFS Security Hardening: Token Signing, Claim Rules, Golden SAML Defence (2026)

If your environment still runs Active Directory Federation Services (ADFS) — and most large enterprises that adopted federation between 2015 and 2020 still do — you are sitting on the single highest-value target in your identity stack. An attacker who extracts the ADFS token-signing certificate can mint SAML tokens for any user, including domain admins, with no further AD interaction and no Kerberos or NTLM tickets to detect. That class of attack is Golden SAML, and it’s exactly what hit SolarWinds-era victims in 2020. This is the practical ADFS security hardening guide for 2026: rotating signing certificates, auditing claim rules, enforcing Extranet Lockout, blocking the mimikatz / ADFSDump extraction path, and the migration path to Microsoft Entra ID for the eventual decommission. ...

May 24, 2026 · 20 min · 4216 words · CyberSecurity Elite Team
Kerberoasting deep dive

Active Directory Attacks: Kerberoasting Deep Dive

Kerberoasting remains the highest-ROI Active Directory attack: any authenticated domain user can request a service ticket for any account with a Service Principal Name (SPN), and crack that ticket offline. No special privileges. No exploits. Just Kerberos working as designed. ...

April 20, 2026 · 2 min · 410 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap