Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Identity Threat Detection Logic Library (ITDLL)
A comprehensive framework for detecting identity compromise, token misuse, federation manipulation, and privilege escalation across cloud and SaaS environments.
What This Module Provides
Identity Compromise Detection
Identify credential theft, account takeover, and unauthorized access patterns across identity providers and authentication systems.
Token & Federation Abuse
Detect token misuse, SAML manipulation, OIDC exploitation, and session hijacking techniques used by sophisticated threat actors.
Cloud & SaaS Threats
Monitor privilege escalation, persistence mechanisms, lateral movement, and cross-cloud pivoting in modern environments.
ITDLL unifies detection signals across identity providers, cloud services, and authentication mechanisms into actionable, Gamma-friendly detection logic. Each signal maps to attacker behavior profiles and the Identity Attack Chain for comprehensive threat coverage.
Detection Logic Structure
Each category page delivers comprehensive detection intelligence designed for immediate implementation by security teams.
Detection Signals & Logic Sequences
Pre-built detection patterns with correlated event sequences, thresholds, and trigger conditions optimized for identity-based threats.
Attacker Behavior Profiles
TTPs mapped to real-world threat actor techniques, enabling proactive hunting and incident response across identity attack surfaces.
Identity Attack Chain Mapping
Direct alignment to IAC stages—from credential acquisition through persistence—ensuring comprehensive detection coverage.
Misconfiguration Dependencies
Critical context on weak MFA, overprivileged principals, federation gaps, and session misgovernance that enable attacks.
Threat Actor Alignment
Detection signals correlated with known APT groups and cybercriminal tactics specific to identity exploitation campaigns.
Recommended Detections
Prioritized detection rules with SIEM/XDR query examples, tuning guidance, and false positive reduction strategies.
Detection Logic Categories
Three consolidated categories covering behavioral anomalies, token abuse, and cloud correlation logic for comprehensive identity threat detection.
Category A: Behavioral & Outlier Signals
Behavioral deviations including impossible travel, anomalous access patterns, role misuse, velocity attacks, and user behavior analytics. Detects credential stuffing, password sprays, and account enumeration.
Category B: Token & Federation Abuse
Token anomalies, refresh token theft, SAML assertion manipulation, OIDC exploit detection, and federation trust abuse. Covers Golden SAML, token replay, and session hijacking techniques.
Category C: Cloud/SaaS Misuse & Correlation
Cloud identity misuse, service principal abuse, cross-tenant pivoting, API key compromise, and multi-signal correlation logic. Detects privilege escalation and persistence across AWS, Azure, GCP, and SaaS platforms.
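As an added illustration of two Category A signals (not code from the ITDLL library itself), the following runs a password-spray check and an impossible-travel check over a handful of constructed sign-in events; the event tuple layout, thresholds, and coordinates are assumptions chosen for the example.

```python
from collections import defaultdict
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in events (not real telemetry), assumed layout:
# (epoch_seconds, user, source_ip, result, latitude, longitude)
EVENTS = [
    (0,    "alice", "203.0.113.9",  "fail",    51.5, -0.1),   # one IP walks four
    (5,    "bob",   "203.0.113.9",  "fail",    51.5, -0.1),   # accounts, one try each
    (11,   "carol", "203.0.113.9",  "fail",    51.5, -0.1),
    (16,   "dave",  "203.0.113.9",  "success", 51.5, -0.1),   # the spray lands
    (30,   "alice", "198.51.100.7", "success", 51.5, -0.1),   # London
    (1830, "alice", "198.51.100.8", "success", 40.7, -74.0),  # New York, 30 min later
    (40,   "frank", "192.0.2.5",    "fail",    48.9, 2.3),    # one account hammered:
    (45,   "frank", "192.0.2.5",    "fail",    48.9, 2.3),    # brute force, not a spray
]

def detect_password_spray(events, window=300, min_users=4, max_per_user=2):
    # Fixed time buckets per source IP; a spray touches many users, each only lightly.
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, ip, _, _, _ in events:
        counts[(ip, ts // window)][user] += 1
    return {ip for (ip, _), per_user in counts.items()
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user}

def _km(lat1, lon1, lat2, lon2):
    # Great-circle distance in km (haversine, Earth radius 6371 km).
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect_impossible_travel(events, max_kmh=900):
    # (user, required km/h) for consecutive successful sign-ins that no airliner could link.
    by_user = defaultdict(list)
    for ts, user, _, result, lat, lon in events:
        if result == "success":
            by_user[user].append((ts, lat, lon))
    hits = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            hours = max(t2 - t1, 1) / 3600          # guard against zero elapsed time
            speed = _km(la1, lo1, la2, lo2) / hours
            if speed > max_kmh:
                hits.append((user, round(speed)))
    return hits
```

The fixed-bucket spray check is deliberately simple and will miss a spray that straddles a bucket boundary; a sliding window over each IP's sorted attempts closes that gap at the cost of a few more lines.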
Identity Attack Chain Alignment
Detection signals map directly to critical stages of the Identity Attack Chain, enabling targeted detection and response capabilities.
1. Stage 3: Credential Acquisition
Detect credential harvesting, phishing, password sprays, and credential stuffing attempts across authentication systems.
2. Stage 4: Authentication Abuse
Identify MFA bypass, authentication manipulation, legacy protocol exploitation, and compromised authentication flows.
3. Stage 5: Privilege Escalation
Monitor role abuse, permission drift, service principal escalation, and unauthorized privilege elevation techniques.
4. Stage 6: Token Tampering & Session Hijack
Detect token theft, refresh token abuse, session replay, cookie manipulation, and Golden SAML attacks.
5. Stage 7: Identity-Based Lateral Movement
Identify cross-account access, tenant hopping, service-to-service pivoting, and identity-driven network traversal.
6. Stage 8: Persistence via Identity
Uncover backdoor accounts, persistent tokens, federation trust manipulation, and long-term access mechanisms.
Breach Pattern & Misconfiguration Mapping
Identity Breach Patterns
Detection signals correlate with documented breach patterns from the IBP Library, enabling rapid threat classification and response.
  • BP-010 — Password Spray
  • BP-018 — SAML Trust Manipulation
  • BP-027 — Refresh Token Theft
  • BP-034 — Machine Identity Privilege Drift
  • BP-040 — Cross-Cloud Pivot → Exfiltration
Comprehensive mapping across 40+ breach patterns provides context for detection alert triage and investigation.
Misconfiguration Dependencies
Effective detection requires understanding the misconfiguration surfaces that enable identity-based attacks.
  • Weak or missing MFA enforcement
  • Long-lived refresh tokens and API keys
  • Overprivileged service principals and roles
  • Federation trust misconfigurations
  • PIM/PAM governance and lifecycle gaps
  • Session timeout and token governance issues
Detections often trigger based on exploitable misconfigurations documented in the IMU module.
Who Should Use This Module
SOC Analysts & Threat Hunters
Leverage pre-built detection logic and correlated signals to identify identity-based threats during investigations and proactive hunting operations.
Detection & Security Engineers
Implement production-ready detection rules with SIEM/XDR query templates, tuning guidance, and false positive reduction strategies for identity threats.
Cloud Security Architects
Design comprehensive identity security monitoring strategies aligned with cloud-native architectures, federation patterns, and multi-cloud environments.
Threat Intelligence Teams
Map detection signals to threat actor TTPs, campaign patterns, and emerging identity exploitation techniques for strategic threat assessment.
Red Teams & Penetration Testers
Understand defensive detection capabilities to inform realistic adversary emulation exercises focused on identity attack paths.
CISOs & Security Leaders
Assess organizational detection maturity, identify capability gaps, and prioritize investments in identity threat detection infrastructure.