
Deep Dive: How 1-SEC's Network Guardian Detects Lateral Movement (PtH/DCSync)

Once an attacker is inside, they move laterally to find the crown jewels. Learn the exact mechanisms 1-SEC uses to detect Pass-the-Hash, DCSync, and Kerberoasting in real-time.

Network Security Lead

Tags: Lateral movement, Pass-the-Hash, DCSync, Kerberoasting, Network Guardian, Internal security, Active Directory defense

The Invisible Phase of the Breach

Most security tools focus on the door (the firewall). But the most dangerous part of an attack is the "East-West" movement inside your network. After gaining a toehold, an attacker spends days mapping your Active Directory, stealing hashes, and jumping from server to server until they find the admin credentials.

How Network Guardian Sees the Invisible

We don't look for "bad files"—we look for "bad behavior" on the wire.

Pass-the-Hash (PtH) Detection

The Network Guardian monitors SMB traffic for NTLM authentication signatures. When NTLM authentication for a domain account arrives from a machine that does not own that account (a classic sign of a stolen hash), we flag it immediately as an "Impossible Hash Interaction".

DCSync Alerting

DCSync is the "Nuke" of Active Directory attacks: the attacker's tool impersonates a Domain Controller and asks a real DC to replicate password hashes to it. 1-SEC keeps an exact list of which IPs are authorized DCs. If any other machine initiates a directory replication request, we escalate it to CRITICAL at the network layer.
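The two checks described above (the "Impossible Hash Interaction" and the non-DC replication request), as an added Python sketch that is not 1-SEC's code: a sensor holding an allowlist of DC IPs and a learned account-to-host baseline flags NTLM logons for an account from a host outside its baseline, and directory replication (DRSUAPI) requests from any non-DC source. The allowlist, the baseline and the sample events are constructed for the example.

```python
from dataclasses import dataclass

# Constructed allowlist (assumed, not 1-SEC's data): IPs of the only hosts
# permitted to act as Domain Controllers.
AUTHORIZED_DCS = {"10.0.0.5", "10.0.0.6"}
# Constructed baseline: hosts each domain account is normally seen
# authenticating from. A real sensor would learn this over time.
ACCOUNT_BASELINE = {"CORP\\alice": {"10.0.1.21"}, "CORP\\svc_backup": {"10.0.2.8"}}

@dataclass(frozen=True)
class Event:
    kind: str          # "ntlm_auth" (NTLM over SMB) or "drs_replication"
    src: str           # source IP observed on the wire
    dst: str           # destination IP
    account: str = ""  # domain account, ntlm_auth only

def check_pth(ev):
    """NTLM logon for an account from a host that does not own it."""
    known = ACCOUNT_BASELINE.get(ev.account)
    if known is None or ev.src in known:
        return None  # unknown account or expected host: no finding
    return ("HIGH", "Impossible Hash Interaction",
            f"{ev.account} via NTLM from {ev.src}, expected {sorted(known)}")

def check_dcsync(ev):
    """Directory replication request from anything that is not a DC."""
    if ev.src in AUTHORIZED_DCS:
        return None
    return ("CRITICAL", "Unauthorized replication request (DCSync)",
            f"{ev.src} asked {ev.dst} for directory replication")

CHECKS = {"ntlm_auth": check_pth, "drs_replication": check_dcsync}

def detect(events):
    """Run the matching check on each event; return (severity, name, detail) tuples."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev.kind)
        finding = check(ev) if check else None
        if finding:
            alerts.append(finding)
    return alerts

# Constructed sample: NTLM logons from expected/unexpected hosts, replication from a DC/workstation.
SAMPLE_EVENTS = [
    Event("ntlm_auth", "10.0.1.21", "10.0.0.5", "CORP\\alice"),
    Event("ntlm_auth", "10.0.1.77", "10.0.0.5", "CORP\\alice"),
    Event("drs_replication", "10.0.0.6", "10.0.0.5"),
    Event("drs_replication", "10.0.1.77", "10.0.0.5"),
]
```

The baseline check is only as good as its learning period: roaming users and jump hosts must be present in the baseline, or every legitimate logon from a new host raises the same alert.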

Try 1-SEC Today

Open source, single binary, 16 security modules. Download and run in under 60 seconds.