Clankerusecase
Identity detection coverage

👤 Identity detections

Clankerusecase tracks 8 detection use cases covering the Identity attack surface across 16 MITRE ATT&CK techniques.

Identity-platform-agnostic detections — sign-in anomalies, MFA, impossible travel.

8 Use cases
16 Techniques
1 Articles
2 Kill-chain phases

Top techniques on Identity (16)

Delivery (1)

Okta MFA bypass attempt Internal delivery · alerting DD

Actions on Objectives (7)

[WEEKLY] Vendor / Third-Party OAuth App or SP Sign-in From Unbaselined Egress Followed by Bulk SaaS Object Read Internal actions · alerting DSPDD
Okta Multiple Failed Requests to Access Applications ESCU actions · hunting P
Okta Multiple Users Failing To Authenticate From Ip ESCU actions · hunting P
Okta Suspicious Use of a Session Cookie ESCU actions · hunting P
Okta User Logins from Multiple Cities ESCU actions · hunting P
Multiple Okta Users With Invalid Credentials From The Same IP ESCU actions · alerting P
[LLM] PKINIT Kerberos TGT request via certificate authentication anomaly Bespoke actions · hunting DSPDDCS

Recent articles citing Identity-targeted detections