By NHI Mgmt Group Editorial TeamDomain: Breaches & IncidentsSource: SentinelOnePublished July 19, 2025

TL;DR: Identity-based attacks remain effective because intruders can steal administrative credentials, use pass-the-hash over NTLM, and move laterally with minimal engagement, according to SentinelOne’s analysis of Sandman APT. Early detection and identity-focused deception change the defender’s odds, but only if credential discovery and lateral movement are treated as identity problems, not endpoint anomalies.


At a glance

What this is: This is SentinelOne’s analysis of how Sandman APT used identity-based tactics, including credential theft and pass-the-hash, to reach targeted workstations while staying stealthy.

Why it matters: It matters because identity compromise can turn a single foothold into lateral movement and espionage, so IAM, PAM, and detection teams need controls that surface credential abuse before attackers blend in.

By the numbers:

👉 Read SentinelOne’s analysis of Sandman APT and identity-based intrusion tactics


Context

Identity-based intrusion works because attackers do not need to break every control at once. If they can steal valid credentials, abuse an authentication path such as NTLM, and stay quiet long enough to move laterally, the environment can treat them like a legitimate user or workstation.

Sandman APT is a strong example of that pattern. SentinelOne describes a campaign that used administrative credential theft, internal reconnaissance, and minimal engagement to reach targeted systems, which is a familiar failure mode in identity security even when the malware or exploit set changes.


Key questions

Q: What breaks when attackers can reuse stolen identity material on a network?

A: When stolen identity material can be replayed, the attacker no longer needs a fresh exploit for every step. A single captured credential or hash can become repeated authentication, reconnaissance, and lateral movement. That is why reusable identity artefacts are such a severe control failure: they turn one breach point into multiple opportunities for persistence and access expansion.

Q: Why do identity-based attacks create more risk than simple endpoint compromise?

A: Identity-based attacks matter because they convert a technical foothold into trusted access. Once the attacker uses valid credentials, normal security controls often interpret activity as legitimate. That increases the chance of silent lateral movement, especially in environments where privileged accounts, NTLM, and directory visibility are not tightly constrained.

Q: How do security teams know if lateral movement defences are actually working?

A: Teams should test whether one compromised identity can reach adjacent systems, SaaS apps, or production zones that it should not access. If the answer is yes, segmentation or identity policy is too permissive. Effective controls show up as blocked traversal attempts, rapid isolation, and limited blast radius during simulations.

Q: Who is accountable when stolen credentials are used for stealthy internal movement?

A: Accountability should sit with the owners of identity, endpoint, and directory controls because the failure crosses all three domains. If stolen credentials can be replayed and lateral movement is not detected, that is a governance gap, not just a security event. Frameworks such as NIST CSF and PAM governance should define clear ownership for containment and review.


Technical breakdown

Credential theft and initial foothold

Identity-based intrusion often begins after an attacker obtains administrative credentials or other valid secrets from an endpoint or directory environment. Once those credentials are available, the attacker no longer needs to exploit the perimeter in a noisy way. They can authenticate as a legitimate principal, blend into normal traffic, and begin collecting additional identity material such as passwords, group membership, or service names. In campaigns like Sandman, the first objective is not necessarily destruction. It is reliable access that looks routine enough to avoid immediate detection.

Practical implication: treat credential exposure as an entry event, not a post-compromise cleanup task.

Pass-the-hash and NTLM abuse

Pass-the-hash is an authentication abuse technique in which an attacker uses captured password hashes instead of the plaintext password. NTLM remains attractive because it can accept that hash-based authentication path in some environments, allowing the attacker to authenticate without ever knowing the original secret. This is why identity compromise can persist even when password storage looks safe on paper. If hashes or reusable identity artefacts are reachable on endpoints, the attacker can replay them across local or remote systems and keep moving with legitimate-looking authentication events.

Practical implication: remove hash-replay opportunities by reducing where reusable identity artefacts can be captured or reused.

Stealthy lateral movement and decoy engagement

Advanced intrusions often rely on minimal engagement, which means the attacker moves only when the target value justifies the risk. In practice, that makes lateral movement and workstation targeting more important than the initial access method. Cyber deception can help because decoys create believable identity and host signals that attract attacker interaction while generating telemetry. For defenders, the value is not just alerting. It is forcing the intruder to reveal behaviour during the move from one system to another, where identity abuse is often easiest to miss.

Practical implication: place deception and monitoring where lateral movement would occur, not only at the perimeter.


Threat narrative

Attacker objective: The objective was information theft and espionage through stealthy identity abuse rather than immediate ransomware or overt disruption.

  1. Entry occurred after the threat actor stole administrative credentials and used internal reconnaissance to identify usable identity data and high-value targets.
  2. Escalation followed when the actor used pass-the-hash over NTLM to authenticate as a legitimate user and move to specifically targeted workstations.
  3. Impact would have been sustained espionage and information theft through prolonged, low-noise lateral movement if the intrusion had not been interrupted.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity-based intrusion is now a detection problem before it is a malware problem. Sandman shows that attackers can achieve meaningful access using legitimate credentials, then move with minimal engagement to stay below alert thresholds. That means the security gap is not just endpoint visibility, but the organisation’s ability to recognise when authentication itself has become the attack path. Practitioners should treat identity telemetry as primary evidence, not supporting context.

Pass-the-hash remains a governance failure, not just an old technique. NTLM replay works because organisations still allow identity artefacts to exist in places where they can be captured and reused. The control gap is not theoretical: if a hash can stand in for the original credential, the environment is accepting a portable trust token that outlives user intent. Practitioners should map where reusable identity material still exists and where it can move laterally without friction.

Minimal-engagement attackers expose the identity blast radius concept. Sandman’s behaviour suggests a narrow, deliberate path from one compromised identity to a selected workstation set. That creates an identity blast radius, where the true risk is not how many systems were touched immediately, but how far one valid credential can propagate before defenders notice. Practitioners need to measure that propagation path as part of identity risk, not as a separate threat hunt exercise.

Cyber deception works because it changes the economics of identity reconnaissance. When attackers depend on quiet discovery of users, groups, hosts, and privileged relationships, decoys force them to spend attention on false assets and reveal their methods. The analytical point is broader than the product category: the best identity defences make reconnaissance expensive and movement noisy. Practitioners should view deception as a way to shrink attacker confidence in the trust fabric.

Early detection is the only realistic response window once valid credentials are stolen. After authentication succeeds, the attacker is operating inside normal trust boundaries and may look like a real user or service account. That leaves a narrow operational window for containment, especially in environments where identity and endpoint teams are still siloed. Practitioners should align detection, access, and response around credential abuse, not just signature-based intrusion events.

From our research:

What this signals

Identity telemetry needs to become a first-class detection layer. The Sandman pattern reinforces that once credentials are stolen, the attacker’s next move is often authenticated and quiet. Teams that still separate identity governance from detection and response will miss the stage where compromise becomes operational movement, especially in environments with legacy authentication paths.

Identity blast radius should become a measurable programme metric. If one administrative credential can reach multiple workstations before a control stops it, the programme has a propagation problem, not just a credential problem. That is where PAM, directory hardening, and response engineering have to converge, because the real question is how far a trusted identity can travel after compromise.

The governance implication is straightforward: controls that were designed to prevent login failures are not enough when attackers already have valid access. The next maturity step is to combine identity visibility, deception, and incident response around authenticated misuse, using resources like the Ultimate Guide to NHIs for lifecycle and trust boundary thinking.


For practitioners

  • Hunt for credential theft on endpoints and directory assets Prioritise telemetry that shows local credential discovery, AD enumeration, and suspicious access to privileged group metadata, because those are the behaviours that precede hash replay and lateral movement.
  • Reduce NTLM replay opportunity wherever possible Review where NTLM is still accepted, where password hashes can be harvested, and where legacy authentication paths create reusable identity artefacts that attackers can abuse after a foothold.
  • Place deceptive identity assets near crown-jewel systems Deploy believable decoys and lure credentials adjacent to production segments so attacker reconnaissance and lateral movement generate alerts before the intruder reaches sensitive systems.
  • Correlate endpoint, identity, and directory signals Build response logic that links administrative credential use, internal reconnaissance, and unusual workstation targeting into one investigation path instead of three separate queues.
  • Measure identity blast radius for privileged accounts Map how far a stolen admin credential can move before a control interrupts it, then use that reach as a concrete risk metric for PAM and detection investment.

Key takeaways

  • Sandman APT shows how stolen credentials and pass-the-hash can turn identity itself into the intrusion path.
  • The scale problem is not just initial access, but the ability to move laterally while looking legitimate and avoiding detection.
  • Teams need controls that surface credential abuse early, constrain replay, and make reconnaissance and movement visible.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Identity theft and reusable credential exposure sit at the core of NHI governance failures.
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe article centres on credential theft followed by lateral movement.
NIST CSF 2.0DE.CM-1Continuous monitoring is central to detecting identity abuse after foothold.
NIST SP 800-53 Rev 5IA-5Authenticator management applies to hashes, passwords, and reusable credential material.
NIST Zero Trust (SP 800-207)Zero Trust assumptions are strained when valid credentials can move laterally.

Treat successful authentication as one signal, not proof of trust, and verify downstream access.


Key terms

  • Pass-the-Hash: An authentication abuse technique where an attacker uses a stolen password hash instead of the cleartext password. It matters in Windows environments because cached credentials can sometimes be enough to gain access, turning one compromised host into a broader lateral movement opportunity.
  • Identity-based threat: An identity-based threat is an attack that abuses legitimate credentials, sessions, or account permissions rather than breaking into the network first. It succeeds by looking like normal access while the attacker steals data, moves laterally, or escalates privilege.
  • Identity blast radius: Identity blast radius is the amount of access, movement, and system reach that a compromised identity can create before controls interrupt it. It is a practical risk measure for PAM and detection teams because it shows how far trust can travel after credential theft.

What's in the full article

SentinelOne's full analysis covers the operational detail this post intentionally leaves for the source:

  • How Singularity Identity conceals endpoint and AD credential data to disrupt local reconnaissance.
  • How Singularity Hologram deploys decoys that absorb pass-the-hash activity and record attacker behaviour.
  • How the deception stack maps to targeted workstation movement and alternate authentication abuse.
  • How the solution differentiates alerting on credential discovery from alerting on lateral movement attempts.

👉 The full SentinelOne post covers the credential theft sequence, pass-the-hash defence, and deception workflow in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org