Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
ITDLL Core Detection Logic (DL-001 to DL-040)
The Identity Threat Detection Logic Library (ITDLL) provides comprehensive detection patterns for identity-centric attacks. This technical reference documents DL-001 through DL-040, covering reconnaissance, authentication abuse, lateral movement, token misuse, MFA bypass, and federated compromise scenarios.
Detection Pattern Categories
Reconnaissance Detection
DL-001 through DL-010 identify enumeration behavior, tenant probing, and identity discovery attempts targeting cloud identity infrastructure.
Authentication Attack Detection
DL-011 through DL-020 detect credential stuffing, password spraying, brute-force attacks, and anomalous authentication patterns across distributed infrastructure.
Token & OAuth Abuse Detection
DL-021 through DL-032 identify token replay, OAuth consent abuse, service principal compromise, and stolen credential scenarios.
Federation & Protocol Detection
DL-033 through DL-040 detect SAML forgery, federation abuse, legacy protocol exploitation, and anomalous validation patterns.
Reconnaissance Phase Detection Patterns
Early-stage detection patterns identify adversary enumeration and discovery activities targeting identity infrastructure before credential-based attacks commence.
DL-001: Unusual External Enumeration Behavior
Detects high-rate probing from unknown ASNs, bulk identity lookups, and external scanning against identity endpoints indicating reconnaissance activity.
DL-002: Repeated Enumeration Across Endpoints
Identifies multiple identity probing attempts originating from the same client or IP range, revealing systematic username pattern discovery.
DL-003: High-Frequency Username Validation
Detects repeated username validation attempts confirming valid identities in bulk before launching authentication attacks.
DL-004: Cross-Tenant Enumeration Behavior
Identifies identity probing patterns spanning multiple cloud tenants, indicating adversaries validating usernames across organizational boundaries.
DL-005: Unusual Tenant Metadata Discovery
Detects attempts to extract tenant ID, region configuration, and identity metadata from cloud identity endpoints.
Advanced Reconnaissance Techniques
DL-006: Identity Pattern Probing at Scale
Detects large-scale query patterns attempting to identify organizational naming conventions and infer UPN/email structure through systematic testing.
DL-007: Federation Behavior Enumeration
Identifies unnatural triggering of federation flows to probe identity provider login patterns and federation configuration.
DL-008: MFA Requirement Enumeration
Detects repeated attempts to trigger MFA versus non-MFA login differences, identifying which accounts enforce multi-factor authentication.
DL-009: Repeated Failed Identity Lookups
Identifies username guessing campaigns and UPN pattern testing through repeated failed lookup attempts against identity endpoints.

Detection Priority: Reconnaissance patterns provide the earliest opportunity for threat detection before authentication abuse occurs. Implement correlation rules linking DL-001 through DL-010 to identify multi-stage enumeration campaigns.
Credential-Based Attack Detection
Authentication-stage patterns identify password spraying, credential stuffing, and brute-force campaigns targeting identity infrastructure.
DL-010: High-Volume Naming Pattern Probes
Detects brute-force enumeration of email and UPN structures through systematic pattern testing.
DL-011: Credential Stuffing Login Patterns
Identifies wide-scale password testing campaigns using many username-password combinations across multiple accounts.
DL-012: Distributed Password Spray Behavior
Detects password spray attempts distributed across IP addresses, including slow-spray and distributed-spray attack patterns.
Cloud-Originated Authentication Attacks
78% Cloud-Based Attacks: percentage of password sprays originating from cloud provider IP ranges.
3.2x Detection Gap: higher false negative rate for attacks from trusted cloud infrastructure.
DL-013: Password Spray from Cloud Providers
Detects password spraying originating from Azure, AWS, and GCP IP ranges. Adversaries route attacks through cloud VMs to evade IP-based blocking and appear as legitimate cloud traffic.
DL-014: Automated Tool User-Agent Patterns
Identifies login attempts matching user-agent strings associated with automated spraying tools, credential harvesters, and identity attack frameworks.
DL-015: Password Spray from Anomalous Geography
Detects spray behavior originating from unusual regions or high-risk geographical locations inconsistent with normal organizational access patterns.
Sequential Authentication Attack Patterns
DL-016: Sequential Attempts Across Users
Detects a single client attempting authentication for numerous different accounts in rapid succession.
DL-017: Rapid Same-Password Authentication
Identifies attacks where one password is systematically tried against many user accounts.
DL-018: Brute-Force Against Single Account
Detects intensive password attempt patterns targeting a single identity with credential cycling.
DL-019: Impossible Travel Sign-In Pattern
Identifies geographically impossible authentication sequences indicating compromised credentials being used from multiple locations.
DL-020: Sudden Client Switching During Auth
Detects rapid changes in client type or device fingerprint during authentication sequences, indicating adversarial tool-driven activity.
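The following is an added worked example, not ITDLL code: it implements the DL-016/DL-017 spray signal (one client, many distinct users, few attempts each) and the DL-018 brute-force signal (one client, one account, many attempts) over constructed sign-in events using a sliding time window. The event tuple layout, thresholds, and IP addresses are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sign-in events, not real telemetry: (timestamp, source_ip, user, result)
EVENTS = [
    ("2026-01-10T08:00:01", "203.0.113.5", "alice", "failure"),
    ("2026-01-10T08:00:03", "203.0.113.5", "bob", "failure"),
    ("2026-01-10T08:00:05", "203.0.113.5", "carol", "failure"),
    ("2026-01-10T08:00:07", "203.0.113.5", "dave", "failure"),
    ("2026-01-10T08:00:09", "203.0.113.5", "erin", "success"),
    ("2026-01-10T08:05:00", "198.51.100.9", "alice", "failure"),
    ("2026-01-10T08:05:02", "198.51.100.9", "alice", "failure"),
    ("2026-01-10T08:05:04", "198.51.100.9", "alice", "failure"),
    ("2026-01-10T08:05:06", "198.51.100.9", "alice", "failure"),
]

def _windows(evs, window):
    """Yield every trailing slice of the time-sorted events that fits inside `window`."""
    evs = sorted(evs)
    start = 0
    for end in range(len(evs)):
        while evs[end][0] - evs[start][0] > window:
            start += 1
        yield evs[start:end + 1]

def detect_spray(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """DL-016/DL-017: one client, many distinct users, only a few attempts per user.
    Returns {source_ip: {"users": set, "succeeded": set}} for flagged clients."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        for win in _windows(evs, window):
            per_user = Counter(user for _, user, _ in win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hit = flagged.setdefault(ip, {"users": set(), "succeeded": set()})
                hit["users"].update(per_user)
                hit["succeeded"].update(u for _, u, r in win if r == "success")
    return flagged

def detect_bruteforce(events, window=timedelta(minutes=10), min_attempts=4):
    """DL-018: one client cycling credentials against one account. Returns {(ip, user): attempts}."""
    by_pair = defaultdict(list)
    for ts, ip, user, result in events:
        by_pair[(ip, user)].append((datetime.fromisoformat(ts), user, result))
    flagged = {}
    for pair, evs in by_pair.items():
        for win in _windows(evs, window):
            if len(win) >= min_attempts:
                flagged[pair] = max(flagged.get(pair, 0), len(win))
    return flagged
```

The `succeeded` set is the actionable output of a spray alert: it names the account that the sprayed password actually opened.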
MFA Bypass and Device Anomaly Detection
Detection patterns identifying multi-factor authentication bypass attempts, device identity anomalies, and push notification abuse tactics.
DL-021: Login Without Expected Device Identity
Detects sign-ins missing expected device identity signals or compliance attributes, indicating authentication from unknown or unmanaged devices.
DL-022: Push Notification Fatigue Behavior
Identifies repeated MFA push prompts suggesting MFA spamming attacks designed to fatigue users into approving fraudulent authentication requests.
MFA Bypass Trend: Push notification fatigue attacks increased 175% in 2023, with adversaries sending dozens of approval requests until users accidentally or intentionally approve access.
Token Replay and Theft Detection Patterns
DL-023: Token Replay from Unusual Source
Detects reuse of previously issued tokens from unexpected networks, identifying stolen-cookie or stolen-PRT scenarios.
DL-024: Token Use from Unexpected Device
Identifies token usage from devices not associated with initial issuance, indicating token theft or session hijacking.
DL-025: Refresh Token from New Geography
Detects refresh token activity jumping to new geographical locations inconsistent with user travel patterns.
DL-026: Token Use After Device Reset
Identifies reuse of tokens that should be invalidated following device reset or reimage operations.
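Added example, not part of ITDLL: a per-event check for DL-023 (token used from a network outside the issuance context), DL-024 (token presented by a device other than the issuing one), and DL-026 (token issued before its device was reset and still in use afterward). The issuance log, reset registry, trusted network range, and token/device identifiers are all constructed for the example.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# All records below are constructed for the example, not real telemetry.
# Issuance log: token_id -> (issued_at, source_ip, device_id, user)
ISSUED = {
    "tok-A": ("2026-01-10T08:00:00", "10.20.0.15", "dev-laptop-7", "alice"),
    "tok-B": ("2026-01-10T08:30:00", "10.20.0.16", "dev-laptop-9", "bob"),
}
# Device reset / reimage events: device_id -> reset time
DEVICE_RESETS = {"dev-laptop-9": "2026-01-10T09:00:00"}
# Assumed corporate range; use from inside it is expected even if the IP differs from issuance
TRUSTED_NETS = [ip_network("10.20.0.0/16")]
# Token-use events: (used_at, token_id, source_ip, device_id)
USES = [
    ("2026-01-10T08:10:00", "tok-A", "10.20.0.15", "dev-laptop-7"),    # normal use
    ("2026-01-10T08:40:00", "tok-A", "203.0.113.50", "dev-laptop-7"),  # replay from outside
    ("2026-01-10T08:45:00", "tok-A", "10.20.0.99", "dev-unknown-3"),   # wrong device
    ("2026-01-10T09:15:00", "tok-B", "10.20.0.16", "dev-laptop-9"),    # use after reset
]

def _t(s):
    return datetime.fromisoformat(s)

def evaluate_use(use):
    """Return the DL ids triggered by one token-use event (empty list = nothing suspicious)."""
    used_at, token_id, src_ip, device_id = use
    if token_id not in ISSUED:
        return ["unknown-token"]  # no issuance record at all: worth its own alert
    issued_at, issued_ip, issued_dev, _user = ISSUED[token_id]
    findings = []
    src = ip_address(src_ip)
    if src != ip_address(issued_ip) and not any(src in net for net in TRUSTED_NETS):
        findings.append("DL-023")  # token replayed from a network outside issuance/trusted scope
    if device_id != issued_dev:
        findings.append("DL-024")  # token presented by a device other than the issuing one
    reset_at = DEVICE_RESETS.get(issued_dev)
    if reset_at and _t(issued_at) < _t(reset_at) <= _t(used_at):
        findings.append("DL-026")  # token predates a reset of its device yet is still accepted
    return findings

def scan(uses):
    """Map (used_at, token_id) -> findings for every use that triggered at least one rule."""
    results = {}
    for use in uses:
        findings = evaluate_use(use)
        if findings:
            results[(use[0], use[1])] = findings
    return results
```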
OAuth and Application Permission Abuse
Detection patterns for OAuth authorization abuse, malicious application consent, and service principal compromise scenarios.
DL-027: OAuth Code Replay
Detects authorization codes redeemed more than once, which the OAuth security specifications forbid.
DL-028: High-Risk App Consent
Identifies consent events to malicious or suspicious applications requesting dangerous permissions.
DL-029: Unusual High-Privilege Scopes
Detects unexpected requests for dangerous OAuth or API scopes beyond application requirements.
DL-030: Sudden User Adoption Spike
Identifies large-scale consent events indicating malicious application spread through phishing or social engineering.

DL-031: App-Only Token from Anomalous Location
Detects application tokens being used from unexpected geographical regions inconsistent with application deployment architecture.
DL-032: Service Principal Token Replay
Identifies stolen service principal tokens reused across different infrastructure environments or cloud regions.
Federation and Token Forgery Detection
DL-033: Unusual Federation Token Issuance
Detects abnormal SAML or OIDC token issuance patterns inconsistent with expected identity provider behavior and federation flows.
DL-034: Federation Reply Address Mismatch
Identifies reply URLs inconsistent with expected federation patterns, indicating potential token interception or redirect attacks.
DL-035: SAML Token Forgery Indicators
Detects token claims inconsistent with identity provider signing characteristics, revealing potential SAML token forgery attempts.
DL-036: OAuth Token with Suspicious Claims
Identifies modified or injected claims in JWT tokens that deviate from expected claim structures and signing patterns.
Legacy Protocol and Validation Anomalies
DL-037: Sudden Email Protocol Authentication Increase
Detects spikes in IMAP, POP, SMTP, and ActiveSync authentication attempts indicating legacy protocol abuse following credential compromise.
DL-038: Impossible Legacy Protocol Use
Identifies legacy protocol authentication in environments where these protocols should be disabled through conditional access policies.
DL-039: Multiple Protocol Failures Followed by Success
Detects adversaries systematically cycling through authentication protocols until finding one that successfully grants access.
DL-040: Password Validation Not Matching Profile
Identifies login success following abnormal failure patterns, revealing credential-guessing campaigns that eventually achieve compromise.
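Added example, not ITDLL code: the DL-039 sequence (failures across several distinct protocols for one user, then a success within the window) and the DL-038 policy check (a successful legacy-protocol sign-in for a user whose conditional access policy is assumed to block legacy authentication). The event layout, protocol names, the blocked-user set, and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY = {"IMAP", "POP3", "SMTP", "ActiveSync"}
# Assumed policy state: these users are covered by a conditional access policy blocking legacy auth
LEGACY_BLOCKED_USERS = {"alice"}

# Constructed auth events, not real logs: (timestamp, user, protocol, result)
EVENTS = [
    ("2026-01-10T10:00:00", "bob", "OAuth2", "failure"),
    ("2026-01-10T10:00:05", "bob", "IMAP", "failure"),
    ("2026-01-10T10:00:10", "bob", "POP3", "failure"),
    ("2026-01-10T10:00:15", "bob", "SMTP", "success"),
    ("2026-01-10T10:30:00", "alice", "IMAP", "success"),
    ("2026-01-10T11:00:00", "carol", "OAuth2", "failure"),
    ("2026-01-10T11:00:30", "carol", "OAuth2", "success"),
]

def protocol_cycling(events, window=timedelta(minutes=5), min_protocols=3):
    """DL-039: per user, failures on >= min_protocols distinct protocols followed by a success
    inside `window`. Returns {user: (sorted failed protocols, protocol that succeeded)}."""
    by_user = defaultdict(list)
    for ts, user, proto, result in events:
        by_user[user].append((datetime.fromisoformat(ts), proto, result))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (t, proto, result) in enumerate(evs):
            if result != "success":
                continue
            # protocols that failed for this user shortly before the success
            failed = {p for t2, p, r in evs[:i] if r == "failure" and t - t2 <= window}
            if len(failed) >= min_protocols:
                hits[user] = (sorted(failed), proto)
    return hits

def impossible_legacy(events):
    """DL-038: successful legacy-protocol auth for a user the policy says cannot use legacy auth."""
    return [(ts, user, proto) for ts, user, proto, result in events
            if result == "success" and proto in LEGACY and user in LEGACY_BLOCKED_USERS]
```

Carol's single failure followed by a success on the same protocol is ordinary behaviour and is not flagged; only the cross-protocol cycling and the policy contradiction surface.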

Implementation Note: Detection patterns DL-001 through DL-040 form the foundational detection layer for identity threat detection. Deploy these patterns with appropriate thresholds, correlation rules, and threat intelligence integration for comprehensive identity security monitoring.