The Hidden Battlefield: Why Traditional EDR Leaves Your Identity Layer Exposed

Modern cybersecurity has a blind spot problem. Organisations invest heavily in Endpoint Detection and Response (EDR) solutions, believing they've fortified their defences. Yet attackers continue to move laterally through networks, escalating privileges and exfiltrating data often without triggering a single alert. The reason? EDR tools excel at monitoring endpoints, but they fundamentally cannot see what happens at the authentication layer.

The Anatomy of Modern Attack Paths

Lateral Movement: The Silent Killer

Once an attacker gains initial access to your network, their primary objective shifts to lateral movement, traversing from one system to another to find high-value targets. This movement doesn't rely on malware or exploits that EDR can detect. Instead, attackers weaponise legitimate authentication mechanisms that your systems trust implicitly.

Pass-the-Hash: Exploiting NTLM's Fatal Flaw

Pass-the-Hash (PtH) attacks exploit a fundamental weakness in NTLM authentication. Rather than cracking a password, attackers extract the password hash from memory and replay it directly to authenticate. Since NTLM accepts the hash itself as proof of identity, no password cracking is necessary.

The insidious nature of PtH is that it uses legitimate authentication protocols. From the perspective of your domain controller and endpoints, these are valid authentication requests. Your EDR sees nothing suspicious because no malicious code is executing, just standard Windows authentication traffic.

Silver Tickets and Golden Tickets: Forging Trust

Kerberos tickets represent an even more sophisticated attack vector. When attackers compromise service account credentials or extract the KRBTGT account hash, they can forge authentication tickets that grant them god-like access to your environment.

Silver Tickets are forged Ticket Granting Service (TGS) tickets that grant access to specific services. An attacker who compromises a service account's NTLM hash can create silver tickets without ever contacting the domain controller. These tickets are entirely offline forgeries that appear completely legitimate to the target service.

Golden Tickets take this further. By compromising the KRBTGT account hash, attackers can forge Ticket Granting Tickets (TGT) that grant access to any resource in the domain. These tickets can be created with arbitrary privileges, extended lifespans, and even for non-existent accounts. Golden tickets represent complete domain compromise, yet they generate minimal authentication traffic and no endpoint-based indicators.

Service Account Exploitation: The Keys to the Kingdom

Service accounts are particularly attractive targets. They often have elevated privileges, rarely have their passwords changed, and typically aren't protected by MFA. When an attacker compromises a service account, they gain persistent access with broad permissions across the environment.

These accounts frequently use weak authentication protocols like RC4 encryption for Kerberos (more on this later) or simple NTLM. Their credentials are often cached on multiple systems for automated tasks, multiplying the opportunities for extraction.

The Authentication Protocols Attackers Love

User Principal Names (UPNs) and Identity Confusion

UPNs serve as the primary user identity format in Active Directory, typically following the email address format ([email protected]). Attackers exploit UPN flexibility to create confusion and bypass security controls. Alternate UPNs can be configured that don't match the domain structure, and attackers can manipulate UPN suffixes during account compromise to impersonate users across federated environments.

Legacy Authentication: The Gift That Keeps Giving

Legacy authentication protocols remain ubiquitous despite their known vulnerabilities. Organisations maintain them for compatibility with older applications, but attackers exploit them ruthlessly.

NTLM, despite being decades old, still handles authentication for countless services. It's vulnerable to relay attacks, doesn't support MFA, and as mentioned, is susceptible to pass-the-hash attacks. Yet it persists because disabling it breaks legacy applications.

RC4 encryption for Kerberos is another legacy protocol that should have been retired years ago. It uses weaker encryption than modern alternatives like AES, making tickets easier to crack offline. More critically, RC4 is often preferred by attackers creating silver and golden tickets because it's faster to compute and widely accepted.

Living Off the Land: LOLBins and the Art of Blending In

PowerShell: The Swiss Army Knife of Lateral Movement

PowerShell isn't just a legitimate administrative tool—it's the attacker's preferred environment for post-exploitation activities. With PowerShell, attackers can:

• Extract credentials from memory using tools like Mimikatz wrapped in PowerShell scripts
• Execute remote commands across multiple systems simultaneously
• Download and execute additional payloads entirely in memory
• Enumerate domain trusts, users, and permissions
• Create and manipulate Kerberos tickets

The problem for EDR? PowerShell is supposed to be there. It's a signed Microsoft binary that administrators use constantly. While some EDR solutions monitor PowerShell activity, determined attackers can obfuscate commands, use constrained language modes, or simply blend their malicious actions among legitimate administrative tasks.

WMI: Remote Execution Without Files

Windows Management Instrumentation (WMI) provides another native mechanism for remote code execution. Attackers leverage WMI to:

• Execute commands on remote systems without creating files
• Persist through WMI event subscriptions
• Query system information and installed security products
• Move laterally without touching disk

WMI operates at a system level and generates authentication traffic that appears entirely legitimate. EDR tools struggle to differentiate between administrative WMI usage and malicious exploitation.

Remote Monitoring and Management Tools

RMM tools like TeamViewer, AnyDesk, and ConnectWise are intended for legitimate IT support but become powerful lateral movement vectors when abused. Attackers who gain initial access can:

• Install RMM tools that bypass network segmentation
• Use existing RMM infrastructure that's already trusted
• Maintain persistent remote access even after credential resets

Since these tools are often whitelisted by security products, they represent a significant blind spot.

RDP: The Highway for Lateral Movement

Remote Desktop Protocol (RDP) is perhaps the most common lateral movement technique. Once attackers have credentials, RDP allows them to interactively access remote systems with a full desktop experience. This appears as legitimate remote administration, generating network traffic that security tools expect to see.

The EDR Blind Spot: Why Endpoint Tools Miss Authentication Attacks

Here's the fundamental problem: EDR operates at the endpoint, but authentication happens between endpoints.

When an attacker uses pass-the-hash to authenticate from a compromised workstation to a file server, the authentication request flows through network protocols that EDR cannot inspect. The domain controller validates the hash, grants access, and the attacker proceeds—all while EDR monitors process execution, file access, and network connections that appear entirely normal.

Consider this attack chain:

1. Attacker compromises a user workstation through phishing
2. Extracts password hashes from LSASS memory
3. Uses PowerShell with pass-the-hash to authenticate to a domain controller
4. Dumps domain credentials and the KRBTGT hash
5. Creates a golden ticket for a domain admin account
6. Uses WMI with the golden ticket to execute commands on critical servers
7. Deploys ransomware across the environment

At each step, the attacker uses legitimate Windows functionality and valid (though stolen or forged) credentials. EDR sees PowerShell execution, WMI activity, and network connections—but these are all expected behaviours in an enterprise environment. The authentication layer, where the actual compromise occurs, remains invisible.

Why Legacy Protocols Amplify the Blind Spot

Legacy authentication protocols make this worse. RC4 Kerberos tickets are easier to crack and create offline. NTLM provides no mutual authentication, enabling relay attacks. Neither protocol supports MFA natively. Yet organisations cannot simply disable these protocols without breaking critical business applications.

This creates a persistent vulnerability that EDR cannot address. The authentication layer continues to accept weak protocols, and attackers exploit them knowing that endpoint tools won't see the attack surface.

Filling the Gap: Identity Protection Beyond the Endpoint

The solution requires visibility and control at the authentication layer itself. This is where solutions like Silverfort fundamentally change the security paradigm.

Authentication Layer Visibility

Rather than trying to infer authentication attacks from endpoint behaviours, Silverfort monitors authentication traffic directly.

This means:

• Complete visibility into every authentication attempt across Active Directory, RADIUS, ADFS, and cloud services
• Detection of authentication anomalies like pass-the-hash, silver tickets, and golden tickets at the moment they're used
• Monitoring of legacy protocols including NTLM and RC4 Kerberos that EDR cannot inspect

This authentication-layer approach catches attacks that bypass endpoint detection entirely. When an attacker uses a golden ticket, Silverfort sees the anomalous authentication pattern—perhaps a service account authenticating from an unusual location, or a user account accessing resources it has never touched before.

Risk-Based MFA Enforcement

One of the most powerful capabilities is enforcing MFA on authentication protocols that don't natively support it. This includes:

• Legacy NTLM authentication
• Kerberos (including RC4)
• RDP connections
• SMB file shares
• Service account access

By wrapping these legacy protocols with modern authentication requirements, organisations can finally protect authentication paths that have been vulnerable for decades. An attacker with a stolen hash suddenly faces an MFA challenge they cannot bypass.

Ring-Fencing and Lateral Movement Prevention

Silverfort enables granular access policies based on authentication context. You can create "ring-fences" around critical assets that require additional verification:

• Administrative accounts must authenticate from specific jump servers
• Service accounts cannot authenticate outside their designated scope
• High-value resources require step-up authentication regardless of the protocol used

This directly addresses lateral movement. Even if an attacker compromises credentials, their ability to move freely through the network is constrained by authentication-layer controls that EDR cannot enforce.

Bridging the EDR Gap

The ideal security posture combines endpoint protection with authentication protection. EDR remains critical for detecting malware, monitoring process behaviour, and responding to endpoint-based threats. But it must be complemented with authentication-layer security to address:

• Credential-based attacks that use legitimate tools
• Lateral movement through authentication abuse
• Legacy protocol exploitation
• Service account compromise
• Ticket forgery and replay attacks

The Path Forward

Modern attackers have adapted to EDR. They know endpoints are monitored, so they weaponise authentication instead. They live off the land with LOLBins, exploit legacy protocols, and forge tickets that endpoint tools never see.

The authentication layer has become the new battlefield, and organisations need visibility and control where attacks actually happen. Solutions like Silverfort represent a necessary evolution in security architecture—not replacing EDR, but filling the critical gap that endpoint-only approaches leave exposed.

Your EDR is watching the endpoints. But who's watching authentication? Until you have an answer to that question, attackers will continue to move laterally, escalate privileges, and compromise your environment using techniques that your current security stack simply cannot see.

The blind spot is real. The question is whether you'll address it before attackers exploit it.