Authentication systems are built to answer one question: is this credential valid? Pass-the-hash and pass-the-ticket attacks answer that question correctly every time. The attacker is not guessing or forging. They are presenting material the system considers legitimate. This is why credential-based lateral movement has persisted as a detection blind spot for over a decade, and why 74% of breaches now involve compromised identities according to the Verizon DBIR 2025.
This post examines that blind spot. It covers what traditional detection is actually measuring, where it breaks down against these techniques, and why the structural signature of lateral movement in network behavioral timelines stays visible even when authentication events look clean.
What pass-the-hash and pass-the-ticket actually do
In pass-the-hash (PtH), the attacker never obtains a plaintext password. They extract the NT hash (the MD4 of the UTF-16LE password, commonly called the NTLM hash) from LSASS (Local Security Authority Subsystem Service) process memory, from the local SAM, or from NTDS.dit on a compromised domain controller, and use it directly as the key material in an NTLM challenge-response exchange. NTLM never transmits or requires the password: the client proves possession of the hash by deriving a response from the server challenge with the hash as the key (DES in NTLMv1, HMAC-MD5 in NTLMv2). A client that holds only the hash therefore produces exactly the response a client that holds the password would, and the authenticating server cannot tell the difference from a normal login.
Pass-the-ticket (PtT) works against Kerberos. The attacker extracts a Ticket Granting Ticket (TGT) or service ticket, together with its session key, from memory on a compromised host and injects it into their own session. The Key Distribution Center (KDC) issued that ticket for a legitimate user, and nothing in the ticket binds it to the host it was issued to, so the attacker simply presents it until it expires (10 hours for a TGT under the default domain policy). In the Golden Ticket variant, an attacker who has obtained the hash of the KRBTGT account (the KDC service account whose key encrypts every TGT in the domain) forges TGTs for any user with whatever lifetime they choose; common tooling defaults to 10 years, far beyond the 10-hour policy, because the lifetime is a field in the forged ticket rather than something the KDC re-derives from policy when the ticket is presented.
Neither technique requires the original password, a new account, a brute-force attempt, or any failed login events. The event log shows a successful login. The source account is real, with real permissions. Nothing in the authentication record is false.
Where traditional detection logic fails
SIEM-based detection typically relies on a small set of heuristics. Failed-login thresholds catch brute force but not credential reuse, which never fails. Impossible-travel rules flag geographic anomalies, but an attacker replaying stolen credentials from inside the network has no travel anomaly. Logon type and process name correlations can hint at PtH activity: a Security Event ID 4624 with logon type 9 (NewCredentials), logon process "seclogo" and authentication package Negotiate is the artifact left by Mimikatz's sekurlsa::pth. But those fields are only available under the right audit policy, the same combination is produced by legitimate runas /netonly sessions and by some admin tooling and scheduled tasks, and the rule is frequently tuned out of production alerting due to noise.
UEBA-based approaches build behavioral baselines per user. If an attacker moves only during business hours, accesses systems that account has touched before, and stays within normal access volumes, the behavioral score will not deviate. Patient adversaries take exactly this approach: study the environment, identify which accounts access which systems, and match that pattern.
The deeper problem is structural. All of these approaches measure the authentication event, not the network activity. They ask: "Does this login look unusual?" They do not ask: "Does the pattern of connections between these endpoints look like lateral movement?" These are different questions, and only the second is hard for an attacker to make look benign.
The structural problem an attacker cannot hide
When an attacker uses stolen credentials to move through a network, the flow record has a structure. It is not the structure of a service account doing routine synchronization. It is not a backup job, a heartbeat, or a developer hitting a test endpoint. Credential-based lateral movement produces a behavioral timeline that reflects the logic of the attack: new endpoint pairings, connections to administrative interfaces on short-lived flows, and multiple new destinations in a short window.
Attackers can make each individual flow appear normal. They can use standard protocols: SMB, WinRM, RDP. They can respect rate limits. They can avoid the noisier tools. What they cannot easily replicate is the structural path required to achieve lateral movement. Expanding access from a compromised foothold forces interactions with systems in an order and pattern that differs from how those systems are typically used operationally. The structural signature of "I am trying to reach systems I have not been authorized to reach" is encoded in the relationship between flows within the behavioral timeline, not in any single flow's content or authentication result.
Normal service account behavioral timeline:
[host-A -> svc-db-01 : periodic, consistent interval, symmetric bytes]
[host-A -> svc-db-01 : ...]
[host-A -> svc-db-01 : ...]
Lateral movement behavioral timeline (same account, same protocols):
[host-A -> dc-01 : short-lived, SMB, low bytes]
[host-A -> host-C : WinRM, admin interface, new pairing]
[host-A -> host-D : SMB, admin share, new pairing]
[host-A -> dc-01 : Kerberos service ticket request]
[host-A -> host-E : short-lived, RDP probe]
The individual flows above use valid protocols and legitimate credentials. None would trigger a signature. But the behavioral timeline as a unit has a structure that does not match anything the service account does during normal operations.
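To show what "structure" means at the flow level, here is an added example (not DeepTempo's model or code, and not part of the original post): a hand-written scorer that computes a few structural features of one source's timeline, fan-out to distinct destinations, share of flows to administrative interfaces, share of short-lived flows, burstiness of the inter-arrival times and byte symmetry, and applies fixed thresholds. It uses no per-account history, only the shape of the window itself. The two sample timelines mirror the ones above; flow values, ports treated as administrative and the thresholds are constructed assumptions.

```python
# Added example: structural features of a flow timeline, no per-account baseline.
# Sample flows, the admin-port set and the thresholds are constructed for illustration.
from dataclasses import dataclass
from statistics import mean, pstdev

# Ports treated as administrative interfaces in this example.
ADMIN_PORTS = {445: "SMB", 135: "RPC", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since the start of the observation window
    src: str
    dst: str
    dport: int
    duration: float  # seconds
    bytes_out: int   # src -> dst
    bytes_in: int    # dst -> src


def timeline_features(flows) -> dict:
    """Structural features of one source's flows within a window."""
    fl = sorted(flows, key=lambda f: f.ts)
    n = len(fl)
    gaps = [b.ts - a.ts for a, b in zip(fl, fl[1:])]
    return {
        "fan_out": len({f.dst for f in fl}),
        "admin_frac": sum(f.dport in ADMIN_PORTS for f in fl) / n,
        "short_frac": sum(f.duration < 2.0 for f in fl) / n,
        # coefficient of variation of inter-arrival gaps: 0 for a perfectly periodic job
        "interval_cv": (pstdev(gaps) / mean(gaps)) if len(gaps) > 1 and mean(gaps) > 0 else 0.0,
        "byte_symmetry": mean(min(f.bytes_in, f.bytes_out) / max(f.bytes_in, f.bytes_out, 1)
                              for f in fl),
    }


def looks_like_lateral_movement(flows, window_s: float = 600.0):
    """Flag a timeline whose shape matches lateral movement: several distinct
    destinations reached on admin interfaces through short, bursty flows."""
    fl = sorted(flows, key=lambda f: f.ts)
    if not fl:
        return False, {}
    start = fl[0].ts
    fl = [f for f in fl if f.ts - start <= window_s]   # keep the first window only
    ft = timeline_features(fl)
    flagged = (ft["fan_out"] >= 3 and ft["admin_frac"] >= 0.5
               and ft["short_frac"] >= 0.5 and ft["interval_cv"] > 0.25)
    return flagged, ft


# Constructed sample: a service account's periodic, symmetric database traffic.
NORMAL = [Flow(60.0 * i, "host-A", "svc-db-01", 1433, 30.0, 4000, 4200) for i in range(6)]

# Constructed sample: the lateral-movement timeline from the post, same source host.
LATERAL = [
    Flow(0.0, "host-A", "dc-01", 445, 0.8, 2100, 1400),     # short-lived SMB to the DC
    Flow(12.0, "host-A", "host-C", 5985, 1.5, 6500, 31000),  # WinRM, new pairing
    Flow(19.0, "host-A", "host-D", 445, 0.6, 1800, 900),     # SMB admin share, new pairing
    Flow(21.0, "host-A", "dc-01", 88, 0.1, 1500, 1600),      # Kerberos service ticket request
    Flow(40.0, "host-A", "host-E", 3389, 0.4, 900, 300),     # RDP probe
]

if __name__ == "__main__":
    for name, tl in (("normal", NORMAL), ("lateral", LATERAL)):
        flagged, ft = looks_like_lateral_movement(tl)
        print(f"{name}: flagged={flagged} {ft}")
```

Both timelines carry valid credentials and standard protocols, and no single flow in either is suspicious on its own; the separation comes entirely from the relationship between flows. The thresholds here are hand-picked for the sample and are the part a learned model replaces.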
How intent-based detection addresses this
DeepTempo's LogLM foundation model learns what normal operational behavioral timelines look like. The classifier layer then interprets the embeddings LogLM produces to determine what each behavioral timeline is trying to accomplish. Two questions are in play: "does this behavioral timeline deviate from learned operational patterns?" and "does its structure match what lateral movement, credential abuse, or discovery activity looks like?" The foundation model handles the first. The classifier handles the second.
An attacker who moves carefully to stay within a UEBA baseline will still produce a behavioral timeline whose structure has nothing in common with that account's normal operational patterns. The classifier does not need to know that this account usually connects to three systems. It needs to recognize that the service mix, flow durations, endpoint pairings, and sequencing match what lateral movement looks like structurally, regardless of the credentials used.
Each behavioral timeline is evaluated as a self-contained sequence. The model does not compare an account to its historical baselines. Instead, it evaluates whether the structure of observed activity matches behavioral priors learned during pretraining across large-scale telemetry. No environment-specific accumulation period is required. The system is not learning what this account normally does. It is recognizing that a sequence of individually valid actions has a structure characteristic of adversarial exploration.
There is no profile for "user A." An attacker using a freshly compromised service account with no behavioral history is just as detectable as one using a well-established admin account. The structural characteristics of the network activity carry the signal.
For a deeper look at how identity blending and protocol abuse enable this class of evasion, the how attackers stay invisible post covers the mechanics in detail. The living off the land post covers legitimate tool abuse, which frequently co-occurs with credential-based lateral movement. The why intent-based detection is the next step in cybersecurity post covers the architectural rationale for moving away from deviation scoring.
The detection surface that remains
The detection surface for credential-based lateral movement does not live in the authentication record. It lives in the network behavioral timeline. When an attacker uses pass-the-hash to access a file server, the file server records a successful network logon (Event ID 4624, logon type 3) and the domain controller records a successful NTLM credential validation (Event ID 4776) for a real account. The SIEM will not fire. The UEBA score will not move if the account has touched that server before.
The behavioral timeline between the attacker's pivot point and the destination carries a structural signature consistent with how lateral movement looks across environments. That signature is present regardless of whether the credential is valid. Lateral movement requires network activity that is structurally distinct from operational traffic. No amount of credential legitimacy changes what that looks like at the flow level.
Get in touch to run a 30-day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify threats that are active. Catch threats that your existing NDRs and SIEMs might be missing!