Credential Abuse, Privilege Escalation & Trust Exploitation
Identity is the primary attack surface for modern enterprise intrusions. Our Identity Threat Research team studies how adversaries compromise, abuse, and persist through identity systems — from credential theft and OAuth exploitation to Entra ID attack paths and machine identity abuse. Every finding becomes a detection in Nexus.
Identity Research Focus Areas
Every major enterprise breach in the last five years has involved identity. Not because perimeter defenses failed — but because attackers have completely shifted to targeting credentials, tokens, and trust relationships as their primary intrusion vector.
Modern credential theft has moved far beyond phishing. Our researchers study Adversary-in-the-Middle (AiTM) phishing frameworks, MFA bypass techniques, browser credential store exploitation, memory-resident credential theft, and pass-the-token attack chains that bypass traditional MFA entirely. Every technique we document gets a corresponding detection in Atlas and Overwatch AI.
Enterprise OAuth ecosystems are a rich target. We research token theft via malicious OAuth applications, consent phishing campaigns, token persistence through refresh token abuse, cross-tenant token replay, and the use of legitimate OAuth grants to maintain long-term, credential-free persistence. TrustAnchor’s session trust monitoring is directly informed by this research.
We maintain deep, current research into attack techniques targeting Microsoft’s identity infrastructure — including Kerberoasting, AS-REP roasting, DCSync, Golden/Silver ticket attacks, Entra ID conditional access bypass, Primary Refresh Token (PRT) theft and abuse, and the novel cross-boundary techniques that move between on-premises AD and cloud Entra ID environments.
Machine identities — service accounts, managed identities, workload identities, API keys, and certificates — are the fastest-growing and least-governed attack surface in the enterprise. We research how attackers discover, abuse, and persist through machine identity systems, and how defenders can model and continuously monitor this attack surface using Atlas.
We build and continuously update a comprehensive library of privilege escalation chains across cloud, SaaS, and on-premises environments — documenting every combination of misconfiguration, over-permissioning, and trust relationship that allows an attacker to move from low-privilege initial access to domain or tenant administrator. Atlas’s attack path analysis is powered by this research.
A subset of the identity attack techniques our team actively tracks, researches, and maintains detections for. Full technique library available to Nexus platform customers.
Adversary-in-the-Middle frameworks that harvest session tokens in real time during authentication, bypassing MFA by replaying valid tokens to target services before they expire.
Malicious OAuth application registration techniques that trick users into granting persistent, credential-free access to enterprise data — surviving password resets and MFA changes.
Primary Refresh Token extraction from browser processes using code injection techniques, enabling attackers to obtain long-lived authentication artifacts without triggering standard MFA.
Exploitation of B2B federation trust relationships between Entra ID tenants to move laterally from a compromised partner organization into a target enterprise without valid target credentials.
Techniques for escalating privileges using Azure managed identities — including IMDS token theft, role assignment abuse, and chaining managed identity access to sensitive resource operations.
Targeted password spraying against service accounts using legacy authentication protocols that bypass conditional access policies and generate minimal authentication logs.
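The spraying pattern described above leaves little per-account evidence (a handful of failures per account stays under lockout thresholds), but it is still visible when sign-ins are aggregated by source address. The following is an added illustration, not code from the page or from the Nexus platform: a small detector that runs over constructed Entra ID sign-in records, keeps only legacy-protocol sign-ins (the clientAppUsed values listed in the block are an assumption to verify against your own tenant's logs), and alerts when one source IP fails credentials for many distinct accounts inside a short window. A success from the same source inside that window is reported as the account the spray guessed right.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that Entra ID reports for legacy (basic-auth) protocols.
# These protocols cannot answer an MFA prompt, which is why conditional access
# policies scoped to modern clients leave them uncovered. This set is an
# assumption for the example; check it against your tenant's sign-in logs.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "IMAP4", "POP3",
    "Other clients", "Exchange Web Services", "MAPI Over HTTP",
}
INVALID_CREDENTIAL_ERROR = 50126  # Entra ID sign-in error: invalid username or password
SUCCESS = 0


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 createdDateTime value (a trailing 'Z' means UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_legacy_auth_spray(signins, window=timedelta(minutes=30), min_accounts=5):
    """Return one alert per source IP that failed legacy-auth sign-ins for at
    least `min_accounts` distinct accounts within any `window`-long period.

    A spray tries one password against many accounts, so the tell is the number
    of distinct accounts per source, not the failure count per account."""
    by_ip = defaultdict(list)
    for rec in signins:
        if rec["clientAppUsed"] in LEGACY_CLIENT_APPS:
            by_ip[rec["ipAddress"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: parse_time(r["createdDateTime"]))
        best = None  # (distinct failed accounts, records) for the densest window
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits inside `window`
            while parse_time(recs[end]["createdDateTime"]) - parse_time(recs[start]["createdDateTime"]) > window:
                start += 1
            span = recs[start:end + 1]
            failed = {r["userPrincipalName"] for r in span
                      if r["status"]["errorCode"] == INVALID_CREDENTIAL_ERROR}
            if best is None or len(failed) >= best[0]:
                best = (len(failed), span)
        if best and best[0] >= min_accounts:
            count, span = best
            alerts.append({
                "ipAddress": ip,
                "distinctFailedAccounts": count,
                "firstSeen": span[0]["createdDateTime"],
                "lastSeen": span[-1]["createdDateTime"],
                # a success inside the spray window is the account the spray hit
                "sprayHits": sorted({r["userPrincipalName"] for r in span
                                     if r["status"]["errorCode"] == SUCCESS}),
            })
    return alerts


def rec(ts, upn, ip, app, code):
    """Build a minimal sign-in record using Microsoft Graph signIn field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}}


# Constructed sample data (documentation address ranges, fictional accounts):
# one source sprays six service accounts over SMTP and lands on svc-backup;
# a user fat-fingers a password once from another address; a browser sign-in
# is unrelated and never enters the legacy-auth pipeline.
SPRAY_SOURCE = "203.0.113.10"
SAMPLE_SIGNINS = [
    rec(f"2024-05-01T02:{i:02d}:00Z", f"svc-{name}@example.com", SPRAY_SOURCE,
        "Authenticated SMTP", INVALID_CREDENTIAL_ERROR)
    for i, name in enumerate(["backup", "monitor", "scanner", "sql", "print", "ftp"])
] + [
    rec("2024-05-01T02:07:00Z", "svc-backup@example.com", SPRAY_SOURCE, "Authenticated SMTP", SUCCESS),
    rec("2024-05-01T02:03:00Z", "alice@example.com", "198.51.100.7", "Exchange ActiveSync", INVALID_CREDENTIAL_ERROR),
    rec("2024-05-01T02:04:00Z", "alice@example.com", "198.51.100.7", "Exchange ActiveSync", SUCCESS),
    rec("2024-05-01T02:05:00Z", "bob@example.com", "192.0.2.5", "Browser", SUCCESS),
]

if __name__ == "__main__":
    for alert in detect_legacy_auth_spray(SAMPLE_SIGNINS):
        print(alert)
```

The threshold and window are deliberately conservative starting points; in a real tenant the same aggregation is usually run per source ASN or per autonomous block as well as per IP, since sprays are commonly rotated across many addresses, and any `sprayHits` account should be treated as compromised and have its credential rotated before the legacy protocol is disabled.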
A practical guide for building detections against Adversary-in-the-Middle phishing campaigns using Entra ID sign-in logs, conditional access data, and behavioral anomaly analysis.
Analysis of 180 incident response cases where attackers maintained access after password resets through OAuth application grants — with detection and remediation guidance.
Research into machine identity accumulation patterns across 50 enterprise environments — documenting how service account sprawl creates the attack surface that modern attackers prefer.
Technical documentation of 15 underdetected Entra ID attack paths — from conditional access bypass to cross-tenant privilege escalation — with Atlas detection mapping for each.
Technical advisory covering PRT theft techniques, behavioral indicators, Nexus detection coverage, Vanguard response playbooks, and TrustAnchor recovery procedures.
Comprehensive analysis of identity-based attack patterns, adversary tooling evolution, and defensive capability gaps across 250+ enterprise environments.
Identity research feeds directly into Atlas’s attack path engine, TrustAnchor’s identity security capabilities, and Overwatch AI’s identity threat detection logic.
Our Identity Threat Research team can brief your security team on current techniques targeting your specific identity infrastructure — and how Nexus detects and responds to each one.