Threat Defense | 8 min read

Detecting Lateral Movement: Pass-the-Hash, Kerberoasting, and Golden Tickets

Attackers who gain initial access need to move laterally to reach high-value targets. Here's how open source network monitoring detects Pass-the-Hash, Kerberoasting, DCSync, and other lateral movement techniques.


Threat Intelligence Team

Tags: lateral movement, Pass-the-Hash, Kerberoasting, Golden Ticket, Active Directory security, network security, open source detection

Why Lateral Movement Matters

The initial compromise is rarely the target. An attacker lands on a developer laptop via a phishing email. The real target is the domain controller, the database server, or the cloud admin console. Getting there requires lateral movement — hopping from system to system, escalating privileges at each step.

Lateral movement is the phase where detection matters most. Before it, you have a compromised endpoint. After it, you have a compromised network. The difference between a minor incident and a catastrophic breach happens in the minutes and hours of lateral movement.

Techniques and Detection

Each lateral movement technique has observable network and host-level indicators.

Pass-the-Hash

Instead of cracking a password, the attacker uses the NTLM hash directly to authenticate. This produces network authentication events where the same hash is used from different workstations — a pattern that never occurs in normal operations. 1-SEC's Network Guardian monitors for hash reuse across multiple hosts and flags it immediately.

Kerberoasting

The attacker requests Kerberos service tickets for service accounts, then cracks them offline to extract plaintext passwords. The detection signal is a single user requesting an unusual number of service tickets in a short period — normal users rarely request more than a handful per session.

Golden Ticket Attacks

With access to the KRBTGT account hash, an attacker can forge Kerberos tickets with arbitrary privileges. Golden tickets have anomalous characteristics — unusually long lifetimes, privileges that don't match the user's actual role, and ticket-granting tickets issued outside normal domain controller processes.

DCSync

By impersonating a domain controller, an attacker can request password data for any account in Active Directory. DCSync generates replication traffic from a machine that isn't a domain controller — a clear indicator that's trivially detectable if you're watching for it.

The Correlation Advantage

Individual lateral movement indicators can be noisy. But when you correlate across modules, the picture becomes clear. A Kerberoasting attempt followed by authentication from an unusual workstation followed by access to a file share that user never touches — that's a lateral movement chain, and 1-SEC's event bus connects these signals across the Network Guardian, Auth Fortress, and Runtime Watcher in real time.
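As an added example (not 1-SEC's code), the following Python sketches the two detections described in the Kerberoasting section and in this one: a per-account sliding window over Kerberos service-ticket requests, and a correlation of that burst with a later logon from a workstation outside the account's baseline and an access to a share the account never uses. The events, baseline and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def T(hhmm):  # constructed timestamps, all on one day, to keep the sample data readable
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample telemetry, not real logs: (time, account, kind, detail).
#   kind "tgs"   = Kerberos service ticket requested, detail = SPN
#   kind "logon" = network logon, detail = source workstation
#   kind "share" = file share access, detail = UNC path
EVENTS = [(T("09:00"), "jdoe", "tgs", "MSSQLSvc/db01"), (T("09:05"), "jdoe", "logon", "WS-JDOE"),
          (T("10:00"), "jdoe", "share", r"\\fs01\team")]
# "eve" requests 12 distinct SPNs in under two minutes, then logs on from a new host and opens a new share.
EVENTS += [(T("11:00") + timedelta(seconds=10 * i), "eve", "tgs", f"HTTP/app{i:02d}") for i in range(12)]
EVENTS += [(T("11:08"), "eve", "logon", "WS-ADMIN07"), (T("11:15"), "eve", "share", r"\\fs01\finance")]

# Constructed per-account baseline of workstations and shares seen in normal use.
BASELINE = {"jdoe": {"hosts": {"WS-JDOE"}, "shares": {r"\\fs01\team"}},
            "eve": {"hosts": {"WS-EVE"}, "shares": {r"\\fs01\team"}}}

def kerberoast_bursts(events, window=timedelta(minutes=5), min_spns=10):
    """Return {account: end_of_burst} for accounts that request at least `min_spns`
    distinct SPNs inside one sliding `window` (the 'unusual number in a short period')."""
    per_acct = defaultdict(list)
    for t, acct, kind, spn in sorted(events):
        if kind == "tgs":
            per_acct[acct].append((t, spn))
    hits = {}
    for acct, reqs in per_acct.items():
        for i, (t0, _) in enumerate(reqs):
            in_win = [spn for t, spn in reqs[i:] if t - t0 <= window]  # contiguous, reqs is sorted
            if len(set(in_win)) >= min_spns:
                hits[acct] = reqs[i + len(in_win) - 1][0]
                break
    return hits

def lateral_chains(events, baseline, max_gap=timedelta(hours=1)):
    """Correlate a Kerberoasting burst with a later logon from a workstation outside the
    account's baseline, followed by access to a share the account never touches."""
    chains = []
    for acct, t_burst in kerberoast_bursts(events).items():
        known = baseline.get(acct, {"hosts": set(), "shares": set()})
        later = [(t, kind, d) for t, a, kind, d in sorted(events)
                 if a == acct and t_burst < t <= t_burst + max_gap]
        new_host = next((t for t, k, d in later if k == "logon" and d not in known["hosts"]), None)
        new_share = next((t for t, k, d in later if k == "share" and d not in known["shares"]
                          and new_host is not None and t > new_host), None)
        if new_host is not None and new_share is not None:
            chains.append(acct)
    return chains
```

In production the same logic would run over Security event 4769 (service ticket request), 4624 (logon) and 5140 (share access) records keyed by account; the thresholds and the one-hour gap are tuning knobs, not fixed truths.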

Try 1-SEC Today

Open source, single binary, 16 security modules. Download and run in under 60 seconds.