TL;DR: Identity-based attacks remain effective because intruders can steal administrative credentials, use pass-the-hash over NTLM, and move laterally with minimal engagement, according to SentinelOne’s analysis of Sandman APT. Early detection and identity-focused deception change the defender’s odds, but only if credential discovery and lateral movement are treated as identity problems, not endpoint anomalies.
NHIMG editorial — based on content published by SentinelOne: identity-based TTPs used by Sandman APT
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed, 26% suspected.
- 17 minutes, redentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when attackers can reuse stolen identity material on a network?
A: When stolen identity material can be replayed, the attacker no longer needs a fresh exploit for every step.
Q: Why do identity-based attacks create more risk than simple endpoint compromise?
A: Identity-based attacks matter because they convert a technical foothold into trusted access.
Q: How do security teams know if lateral movement defences are actually working?
A: Teams should test whether one compromised identity can reach adjacent systems, SaaS apps, or production zones that it should not access.
Practitioner guidance
- Hunt for credential theft on endpoints and directory assets Prioritise telemetry that shows local credential discovery, AD enumeration, and suspicious access to privileged group metadata, because those are the behaviours that precede hash replay and lateral movement.
- Reduce NTLM replay opportunity wherever possible Review where NTLM is still accepted, where password hashes can be harvested, and where legacy authentication paths create reusable identity artefacts that attackers can abuse after a foothold.
- Place deceptive identity assets near crown-jewel systems Deploy believable decoys and lure credentials adjacent to production segments so attacker reconnaissance and lateral movement generate alerts before the intruder reaches sensitive systems.
What's in the full article
SentinelOne's full analysis covers the operational detail this post intentionally leaves for the source:
- How Singularity Identity conceals endpoint and AD credential data to disrupt local reconnaissance.
- How Singularity Hologram deploys decoys that absorb pass-the-hash activity and record attacker behaviour.
- How the deception stack maps to targeted workstation movement and alternate authentication abuse.
- How the solution differentiates alerting on credential discovery from alerting on lateral movement attempts.
👉 Read SentinelOne’s analysis of Sandman APT and identity-based intrusion tactics →
Identity-based intrusion chains: are your controls catching stealthy access?
Explore further
Identity-based intrusion is now a detection problem before it is a malware problem. Sandman shows that attackers can achieve meaningful access using legitimate credentials, then move with minimal engagement to stay below alert thresholds. That means the security gap is not just endpoint visibility, but the organisation’s ability to recognise when authentication itself has become the attack path. Practitioners should treat identity telemetry as primary evidence, not supporting context.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when stolen credentials are used for stealthy internal movement?
A: Accountability should sit with the owners of identity, endpoint, and directory controls because the failure crosses all three domains. If stolen credentials can be replayed and lateral movement is not detected, that is a governance gap, not just a security event. Frameworks such as NIST CSF and PAM governance should define clear ownership for containment and review.
👉 Read our full editorial: Identity-based intrusion chains expose gaps in early detection