
SentinelOne Singularity Identity — ITDR, AD Protection & Deception

Most breaches pivot through Active Directory. SentinelOne Singularity Identity is the ITDR layer that watches every AD and Entra ID query in real time, plants deceptive credentials to trap attackers, hardens the identity attack surface, and kills credential-based lateral movement before a threat actor reaches a Domain Controller.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master SentinelOne Singularity Identity (ITDR): real-time AD and Entra ID protection, credential-attack defence, deception technology, and Active Directory attack-surface reduction — all in one guide.

🎯 Pick where you want to start

1. Why ITDR matters: AD as the breach pivot, ITDR defined.
2. Harden the surface: AD misconfigurations, exposure scoring.
3. Detect & respond: real-time credential attack detection.
4. Deceive & disrupt: fake creds, decoys, Hologram network.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What does ITDR stand for?

Answered in Why ITDR matters.

2. Which attack abuses Kerberos service tickets to crack passwords offline?

Answered in Detect & respond.

3. What is the purpose of planting fake credentials in a browser credential store?

Answered in Deceive & disrupt.

Most engineers think…

Most people think identity security means MFA and a password policy. That stops casual credential stuffing — it does almost nothing once an attacker is inside the network and querying your Active Directory.

Singularity Identity is a dedicated ITDR layer: it watches every Kerberos request, every LDAP query, every credential store access — in real time, from the same lightweight agent that runs EDR. It hardens the AD attack surface, detects privilege-escalation moves the moment they happen, and plants deceptive credentials that turn an attacker's toolkit into a tripwire. Understanding this three-layer model is what lets you answer ITDR questions confidently in any interview or SOC escalation.

① Why ITDR matters — Active Directory is the breach highway

In the majority of major breaches, the attacker's first goal after initial access is to reach Active Directory. Control one privileged AD account and you can move laterally, escalate to Domain Admin, dump credentials, and own the entire estate. The same is true of Entra ID (formerly Azure AD) for cloud and hybrid environments.

ITDR was created to fill the gap between EDR (which watches process and file behaviour) and traditional IAM (which manages who has access). ITDR watches what accounts and identity systems actually do — real-time queries, ticket requests, replication calls — and raises alerts when the pattern looks like a credential attack.

SentinelOne Singularity Identity delivers ITDR from the same agent as the Singularity EDR, so identity and endpoint telemetry are correlated in a single alert timeline. The result: an attacker doing a Kerberoast on the network while also touching a suspicious process shows up as one story, not two disconnected events.

Figure 1 — The ITDR loop — expose, detect, respond, contain. Panels: Expose (find AD misconfigs), Detect (real-time alert), Respond (block or deceive), Contain (kill lateral move).
Singularity Identity runs the same four-step loop against every identity event in real time.
Quick check · Q1 of 10 · Understand

What gap does ITDR fill that traditional EDR and IAM leave open?

Correct: b. EDR watches processes/files; IAM manages access rights. ITDR watches what accounts and identity systems actually do — real-time Kerberos requests, LDAP queries, replication calls — to catch credential abuse mid-flight.
👉 So far: ITDR fills the gap between EDR and IAM — it watches what identity systems do in real time, catching credential abuse that MFA and traditional monitoring miss.

② Harden the surface — finding & closing AD exposures before attackers do

Singularity Identity continuously assesses your AD and Entra ID for the misconfigurations attackers hunt for. It surfaces exposures like Kerberoastable accounts (service accounts with SPNs and weak passwords), unconstrained delegation (a setting that lets any service impersonate any user), AS-REP Roastable accounts (accounts with pre-auth disabled), stale privileged accounts, and passwords stored in AD attributes such as the Description field.

Identity posture scoring

Each exposure is scored by exploitability and blast radius. The platform maps the identity attack surface against real attacker techniques (MITRE ATT&CK), so a security team can prioritise remediation: fix the three accounts that would give an attacker a direct path to Domain Admin first, rather than chasing a long tail of low-risk issues.

Hardening is not a one-time scan. Singularity Identity monitors continuously, raising a new finding the moment a misconfiguration reappears — for example when a helpdesk ticket re-enables the pre-auth exemption on a service account.
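To make the posture-scoring idea concrete, here is an added example (not SentinelOne code) that audits constructed account records for the exposures listed above and scores each one by exploitability times blast radius. The `userAccountControl` bit values are the real Active Directory flags; the group names, weights, staleness cutoff and sample accounts are assumptions chosen for illustration.

```python
"""AD exposure audit in the spirit of the hardening layer described above.
Added example, not SentinelOne code: it scores constructed account records by
exploitability and blast radius, using the userAccountControl bit flags that
Active Directory really uses. Group names and weights are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Real ADS_USER_FLAG_ENUM values carried in the userAccountControl attribute.
UF_TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000     # AS-REP roastable

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
STALE_AFTER = timedelta(days=365)
# Looks for "password:", "pwd=", etc. in free-text attributes such as description.
PASSWORD_HINT = re.compile(r"(pass(word|wd)?|pwd)\s*[:=]", re.IGNORECASE)


def audit_account(acct, now):
    """Return [(exposure, score)] for one account; score = exploitability x blast radius."""
    findings = []
    privileged = bool(set(acct.get("memberOf", [])) & PRIVILEGED_GROUPS)
    blast = 3 if privileged else 1          # assumption: privileged membership triples blast radius
    uac = acct.get("userAccountControl", 0)
    pwd_age = now - acct["pwdLastSet"]

    if acct.get("servicePrincipalName"):
        # Any domain user can request a ticket for an SPN; a password that has not
        # rotated in a year makes the offline crack more likely to pay off.
        findings.append(("Kerberoastable SPN", (3 if pwd_age > STALE_AFTER else 2) * blast))
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append(("AS-REP roastable (pre-auth disabled)", 3 * blast))
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append(("Unconstrained delegation", 2 * blast))
    if privileged and now - acct["lastLogon"] > STALE_AFTER:
        findings.append(("Stale privileged account", 2 * blast))
    if PASSWORD_HINT.search(acct.get("description", "")):
        findings.append(("Password in AD attribute", 3 * blast))
    return findings


def rank_exposures(accounts, now):
    """Flatten findings across accounts, highest score first: fix the top rows first."""
    rows = [(score, acct["sAMAccountName"], exposure)
            for acct in accounts
            for exposure, score in audit_account(acct, now)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


# Constructed sample directory (not real accounts); UF_NORMAL_ACCOUNT = 0x200.
NOW = datetime(2026, 6, 20, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["MSSQLSvc/db01:1433"],
     "memberOf": ["Domain Admins"], "userAccountControl": 0x200 | 0x10000,
     "pwdLastSet": NOW - timedelta(days=800), "lastLogon": NOW - timedelta(days=1)},
    {"sAMAccountName": "old_admin", "memberOf": ["Administrators"],
     "userAccountControl": 0x200, "description": "Former DBA",
     "pwdLastSet": NOW - timedelta(days=700), "lastLogon": NOW - timedelta(days=690)},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH,
     "description": "pwd: Summer2023!",
     "pwdLastSet": NOW - timedelta(days=100), "lastLogon": NOW - timedelta(days=2)},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200 | UF_TRUSTED_FOR_DELEGATION,
     "pwdLastSet": NOW - timedelta(days=30), "lastLogon": NOW - timedelta(days=1)},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "description": "Sales, London office",
     "pwdLastSet": NOW - timedelta(days=40), "lastLogon": NOW - timedelta(days=1)},
]

if __name__ == "__main__":
    for score, name, exposure in rank_exposures(SAMPLE_ACCOUNTS, NOW):
        print(f"{score:>2}  {name:<12} {exposure}")
```

The ranking puts the Kerberoastable Domain Admin service account at the top and the stale low-privilege findings at the bottom, which is exactly the prioritisation the section argues for: the same misconfiguration scores three times higher when the account it sits on is privileged.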

Figure 2 — Three layers of Singularity Identity. Panels: Harden (AD posture — fix misconfigs before attack), Detect (real-time Kerberos & LDAP detection), Deceive (fake creds & Hologram decoy network).
Singularity Identity works in three stacked layers — harden the surface, detect attacks, deceive the attacker.

🛡️ AD Hardening

Singularity Identity continuously scans AD for Kerberoastable SPNs, unconstrained delegation, AS-REP roastable accounts, stale privileged users, and passwords in attributes — scored by blast radius.

🎯 DCSync Detection

DCSync mimics a domain controller to pull all password hashes via AD replication. Singularity Identity sees the replication call in real time and fires an immediate high-fidelity alert.

🪤 Deceptive Credentials

Fake credentials planted in browsers, Credential Manager, keychain and password managers. Any attacker tool that reads and uses them generates a guaranteed true-positive alert — no tuning required.

👻 Singularity Hologram

Network-wide decoy hosts and services. Attackers doing lateral-movement recon encounter fake servers that look real; every interaction is a confirmed true positive with full forensics.

Name all three layers, not just detection

In an interview, always separate harden (finding misconfigs like Kerberoastable SPNs and unconstrained delegation), detect (real-time Kerberos/LDAP/replication alerts), and deceive (fake credentials and Hologram decoys). Candidates who only describe detection miss two-thirds of what Singularity Identity actually does.

Quick check · Q2 of 10 · Remember

Which AD misconfiguration lets an attacker request service tickets for offline cracking?

Correct: c. Kerberoasting exploits service accounts that have an SPN registered and a weak password — anyone can request the service ticket and crack it offline. Unconstrained delegation is a separate risk; stale accounts and description-field passwords are different exposures.
👉 So far: Hardening = finding Kerberoastable SPNs, unconstrained delegation, AS-REP roastable accounts, stale privileged users, and passwords in AD attributes — scored by exploitability and blast radius.

③ Detect & respond — catching credential attacks in real time

Detection in Singularity Identity is agent-based and happens on domain controllers, domain-joined endpoints, and cloud identity providers simultaneously. The most important attacks it catches in real time are DCSync, Pass-the-Hash, Kerberoasting, Golden Ticket, AS-REP Roasting and LDAP reconnaissance.

When a detection fires, the agent can automatically respond: blocking the offending host from authenticating, isolating the endpoint, or injecting a deceptive response to mislead the attacker — without waiting for a human to act.

Figure 3 — Attacks caught by Singularity Identity. Hub: Singularity Identity Agent; spokes: DCSync, Pass-the-Hash, Kerberoasting, Golden Ticket, AS-REP Roast, LDAP Recon.
One agent on the DC and endpoints catches every major credential-abuse technique in real time.

Priya at a Mumbai financial services firm faces this

The SOC gets an alert: an account named svc_backup is requesting service tickets for dozens of SPNs in the space of 30 seconds — classic Kerberoasting tooling behaviour.

Likely cause

svc_backup has an SPN registered and its password has not been rotated in over two years, making it a prime Kerberoasting target.

Diagnosis

Singularity Identity fires a real-time Kerberoasting alert, shows the source host, the account and the list of targeted SPNs. AD posture also flags svc_backup as a long-stale, Kerberoastable account.

Singularity Console ▸ Identity Threats ▸ Kerberoasting Alert + AD Posture ▸ Exposure Detail

Fix

Isolate the source endpoint immediately via automated response, reset svc_backup to a 25+ character random password (make it uncrackable), remove the SPN if not needed, and review all other service accounts flagged Kerberoastable in the posture report.

Verify

Re-check AD posture: svc_backup no longer appears in the Kerberoastable list; no further ticket-request spikes appear in identity telemetry.

'MFA alone stops credential attacks' — it does not

MFA stops password spraying and phishing logins. It does nothing against Pass-the-Hash, DCSync, Golden Ticket or Kerberoasting — because those attacks bypass the authentication UI entirely and abuse the Kerberos or NTLM protocol directly. ITDR is the layer that catches them.

▶ Walkthrough: a Kerberoasting attack gets caught and disrupted

An attacker inside the network tries to harvest service-ticket hashes. The detection path runs in four steps:

① SPN Enum: The attacker's tool queries AD LDAP to enumerate all accounts with SPNs, looking for weak service accounts to Kerberoast.
② Ticket Request: The tool requests Kerberos service tickets for multiple SPNs in rapid succession; the tickets contain encrypted hashes crackable offline.
③ Real-time Alert: Singularity Identity's agent on the domain controller sees the bulk SPN ticket requests, matches the Kerberoasting behavioural signature, and fires an alert with the source host and targeted accounts.
④ Auto-Respond: The platform isolates the attacking endpoint from authenticating further and flags the targeted service accounts for immediate password rotation.
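The behavioural signature in step ③ (many distinct SPNs requested by one principal in a short window, as in the svc_backup scenario above) can be expressed as a small detector over Windows Security event 4769 records. The following is an added example and not SentinelOne's detection logic; the `key=value` log format, the 30-second window, the threshold of ten SPNs and the sample lines are constructed assumptions, while the event ID and the encryption-type values (0x17 for RC4-HMAC, 0x12 for AES-256) are the real Windows ones.

```python
"""Windowed Kerberoasting detector over Windows Security event 4769 records
(a Kerberos service ticket was requested). Added example, not SentinelOne's
detection logic: it implements the behavioural signature the walkthrough
describes, many distinct SPNs requested by one principal in a short window,
and counts how many tickets were RC4-encrypted. The log format, threshold and
sample values are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)
DISTINCT_SPN_THRESHOLD = 10   # assumption: tune to the environment's normal fan-out
RC4_HMAC = 0x17               # real TicketEncryptionType value for RC4-HMAC (etype 23)


def parse_event(line):
    """Parse one constructed 'key=value ...' log line into a dict."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["etype"] = int(ev["etype"], 16)
    return ev


def detect_kerberoasting(events):
    """One alert per (client IP, requesting account) whose distinct-SPN count in any
    30 s window reaches the threshold. Tickets for computer accounts ($) and krbtgt
    are routine and excluded so they cannot inflate the count."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] != "4769":
            continue
        if ev["service"].endswith("$") or ev["service"].lower() == "krbtgt":
            continue
        per_actor[(ev["ip"], ev["account"])].append(ev)

    alerts = []
    for (ip, account), evs in per_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it spans at most WINDOW seconds.
            while ev["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            spns = {e["service"] for e in window}
            if len(spns) >= DISTINCT_SPN_THRESHOLD and (best is None or len(spns) > len(best["spns"])):
                best = {"ip": ip, "account": account, "spns": sorted(spns),
                        "rc4_tickets": sum(e["etype"] == RC4_HMAC for e in window),
                        "first": window[0]["ts"], "last": window[-1]["ts"]}
        if best:
            alerts.append(best)
    return alerts


# Constructed sample log: one burst of 12 RC4 ticket requests from one host in 12 s,
# plus routine traffic that must not alert.
SAMPLE_LOG = [
    f"ts=2026-06-20T09:15:{i:02d} event_id=4769 account=jdoe ip=10.0.0.45 service=svc_{i:02d} etype=0x17"
    for i in range(12)
] + [
    "ts=2026-06-20T09:10:00 event_id=4769 account=asmith ip=10.0.0.71 service=svc_sql etype=0x12",
    "ts=2026-06-20T09:12:30 event_id=4769 account=asmith ip=10.0.0.71 service=svc_web etype=0x12",
    "ts=2026-06-20T09:16:00 event_id=4769 account=WS01$ ip=10.0.0.12 service=WS02$ etype=0x12",
    "ts=2026-06-20T09:16:01 event_id=4769 account=jdoe ip=10.0.0.45 service=krbtgt etype=0x12",
]


def run_sample():
    return detect_kerberoasting(parse_event(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"Kerberoasting: {a['account']}@{a['ip']} requested {len(a['spns'])} SPNs "
              f"({a['rc4_tickets']} RC4) between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The alert carries what the walkthrough says the SOC needs next: the source host, the requesting account and the list of targeted SPNs, which is the set of service accounts to rotate. The RC4 count is a useful fidelity signal because the weaker encryption type is what makes an offline crack practical, and a normal client requesting AES tickets for two services over several minutes stays below the threshold.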
Quick check · Q3 of 10 · Apply

An attacker uses a compromised KRBTGT hash to forge a Kerberos ticket granting persistent Domain Admin access. Which attack is this?

Correct: d. A Golden Ticket is a forged Kerberos TGT created with the KRBTGT account hash, giving the attacker persistent and near-unrestricted access to the domain. AS-REP Roasting cracks pre-auth-disabled accounts; DCSync pulls hashes via replication; Pass-the-Hash reuses NTLM hashes.
👉 So far: Singularity Identity detects DCSync, Pass-the-Hash, Kerberoasting, Golden/Silver Ticket, AS-REP Roasting and LDAP recon in real time — from one agent on DCs and endpoints.

④ Deceive & disrupt — fake credentials, decoys and the Hologram network

Deception is Singularity Identity's most distinctive capability. The platform plants deceptive credentials in the places attackers harvest them: browser credential stores, Windows Credential Manager, macOS keychain, and password managers. The moment an attacker's tool reads one of these fake entries and tries to use it, Singularity Identity fires a high-fidelity alert — no tuning, no false positives, because no legitimate user ever touches a deceptive credential.

Singularity Hologram — network-wide decoys

Singularity Hologram extends deception beyond credentials to the network layer. It projects fake hosts, services and data across the environment — so when an attacker does lateral-movement reconnaissance they encounter decoy servers that look real but lead nowhere productive. Every interaction with a Hologram decoy is a guaranteed true positive.

The combined effect: an attacker who evades initial detection by using a legitimate stolen credential will eventually touch a fake one, trigger the deception layer, and expose their full attack path — giving the SOC a complete picture for containment and forensics.

Figure 4 — Detection vs Deception — complementary, not competing
Detection catches known attack patterns; deception catches attackers who evade detection by using legitimate credentials.Detection vs Deception — complementary, not competingDetection layerWatches Kerberos / LDAP /Alerts on known attack signaturesAgent on DC + endpointsAutomated block on triggerDeception layerPlants fake creds in credential100% true-positive on any touchHologram decoy hosts network-wideMisdirects attacker, full
Detection catches known attack patterns; deception catches attackers who evade detection by using legitimate credentials.
Every Hologram hit is a true positive — escalate it

Unlike behavioural detections that need tuning, any interaction with a Singularity Hologram decoy or a deceptive credential is guaranteed malicious. Treat these alerts as P1 escalations — they mean an attacker is actively doing reconnaissance or lateral movement inside the network right now.
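The "every touch is a true positive" property makes deception alerts simple to triage: there is no baseline to learn, only an inventory of what was planted. The added example below (not SentinelOne code) keeps two constructed inventories, fake credentials with the endpoint and store they were planted in, and Hologram-style decoy hosts, and groups every decoy touch by source IP into an ordered attack path. It also records which endpoint's credential store must have been read, which is where the intrusion actually sits even when the authentication attempt arrives from another machine. Hostnames, IPs, usernames and the event format are constructed.

```python
"""Deception-layer triage, added example (not SentinelOne code). The decoy
inventories below are constructed: fake credentials with the host and store
they were planted in, and Hologram-style decoy hosts. Any authentication with a
decoy account or any connection to a decoy host is a P1 by construction, and
grouping the touches by source reveals the attacker's path."""

# Constructed: decoy username -> (endpoint it was planted on, credential store).
DECOY_CREDENTIALS = {
    "svc_sqlbackup": ("WS-FIN-07", "Windows Credential Manager"),
    "adm_legacy": ("WS-FIN-07", "Chrome password store"),
    "backup_ops": ("MAC-DEV-03", "macOS keychain"),
}
# Constructed: decoy host IP -> the service it pretends to offer.
DECOY_HOSTS = {"10.0.9.10": "file server", "10.0.9.11": "SQL server"}


def build_incidents(events):
    """Group decoy touches by source IP into an ordered attack path.

    Returns {src_ip: {"priority", "path": [...], "harvested_hosts": set()}}.
    harvested_hosts are endpoints whose credential store was evidently read,
    which is where the intrusion sits even if the auth came from elsewhere."""
    incidents = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        step, harvested = None, None
        if ev["type"] == "auth" and ev["user"] in DECOY_CREDENTIALS:
            host, store = DECOY_CREDENTIALS[ev["user"]]
            step = (f"{ev['ts']} auth as decoy '{ev['user']}' ({ev['result']}); "
                    f"{store} on {host} was read")
            harvested = host
        elif ev["type"] == "conn" and ev["dst"] in DECOY_HOSTS:
            step = (f"{ev['ts']} connect to Hologram decoy {ev['dst']} "
                    f"({DECOY_HOSTS[ev['dst']]}) port {ev['port']}")
        if step is None:
            continue   # real credential or real host: not the deception layer's business
        inc = incidents.setdefault(ev["src"], {"priority": "P1", "path": [], "harvested_hosts": set()})
        inc["path"].append(step)
        if harvested:
            inc["harvested_hosts"].add(harvested)
    return incidents


# Constructed event stream: routine activity from 10.0.0.71, decoy touches from 10.0.0.45.
# A decoy credential never authenticates successfully, so its result is always "failure".
SAMPLE_EVENTS = [
    {"ts": "2026-06-20T09:05:00", "type": "auth", "user": "jdoe", "src": "10.0.0.71", "result": "success"},
    {"ts": "2026-06-20T09:06:10", "type": "conn", "src": "10.0.0.71", "dst": "10.0.1.5", "port": 445},
    {"ts": "2026-06-20T09:21:10", "type": "conn", "src": "10.0.0.45", "dst": "10.0.9.10", "port": 445},
    {"ts": "2026-06-20T09:20:05", "type": "auth", "user": "svc_sqlbackup", "src": "10.0.0.45", "result": "failure"},
    {"ts": "2026-06-20T09:21:40", "type": "conn", "src": "10.0.0.45", "dst": "10.0.9.11", "port": 1433},
    {"ts": "2026-06-20T09:30:00", "type": "auth", "user": "asmith", "src": "10.0.0.71", "result": "success"},
]

if __name__ == "__main__":
    for src, inc in build_incidents(SAMPLE_EVENTS).items():
        print(f"[{inc['priority']}] {src}  harvested stores on: {sorted(inc['harvested_hosts'])}")
        for step in inc["path"]:
            print("   ", step)
```

Nothing from the routine host appears in the output because real credentials and real hosts are simply not in the inventories; there is no tuning knob to get wrong. The ordered path for the single attacking source shows the sequence the section describes: a harvested fake credential is tried first, then the decoy hosts are touched during lateral-movement reconnaissance.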

Quick check · Q4 of 10 · Analyze

Why do deceptive credentials produce zero false positives?

Correct: a. Wait — the correct answer is option C: no legitimate user ever touches a deceptive credential. Any authentication attempt with a fake credential is definitionally malicious, making every alert a genuine true positive. Options A, B, and D describe incorrect mechanisms.
👉 So far: Deception = fake creds in credential stores (100% true-positive) + Singularity Hologram decoy hosts across the network. Any touch by an attacker is an immediate, guaranteed alert.


📝 Wrap-up assessment — six more

Four questions were answered inline; six remain. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Which credential attack pulls all password hashes from Active Directory by impersonating a domain controller?

Correct: c. DCSync abuses the MS-DRSR AD replication protocol — the attacker's tool pretends to be a DC and requests replication data, receiving all password hashes. Kerberoasting and AS-REP Roasting crack tickets offline; Pass-the-Hash reuses NTLM hashes.
Q6 · Understand

Why does Singularity Identity need an agent on domain controllers specifically?

Correct: b. DCSync, Golden Ticket creation and Kerberos ticket-request anomalies all occur at the domain controller level. An agent only on endpoints never sees these events. The identity agent must be on the DC to instrument the critical AD traffic.
Q7 · Apply

A service account has pre-authentication disabled in AD. Which attack does this enable?

Correct: b. When Kerberos pre-authentication is disabled, anyone can request an AS-REP for that account without proving they know the password. The encrypted response can then be cracked offline — this is AS-REP Roasting. Enabling pre-auth (the default) blocks this.
Q8 · Analyze

An attacker evades all behavioural detections by using a legitimately stolen AD credential. What catches them next?

Correct: c. Behavioural detections can miss a careful attacker using a real, valid credential. Deceptive credentials are the safety net — they are indistinguishable from real ones in a credential dump, so an attacker will try them. The moment they do, Singularity Identity fires an alert that is definitionally malicious.
Q9 · Evaluate

Which AD exposure should be remediated first — an account with a Kerberoastable SPN or a stale account in a low-privilege OU?

Correct: b. Singularity Identity scores exposures by blast radius. A Kerberoastable SPN account in a privileged group with a weak password can give an attacker Domain Admin if cracked. A stale low-privilege account is a lower-priority risk. Fix the highest blast-radius path first.
Q10 · Evaluate

What is the primary advantage of Singularity Hologram over purely signature-based identity detection?

Correct: a. Wait — the correct answer is option B: Hologram decoys catch attackers who evade every signature by using valid stolen credentials. Because no legitimate user ever interacts with a Hologram host, any contact is malicious. This is the deception layer's core value over signature-based detection alone.

🧠 In your own words

Type one line: explain in plain language how a deceptive credential is different from a real credential, and why it catches attackers signature-based detection misses. Then compare with the expert version.

Expert version: A deceptive credential looks identical to a real saved password in a browser or credential store — but no legitimate user account is associated with it. No system will ever authenticate successfully with it; it exists only to be found by credential-harvesting tools. When an attacker's tool reads the credential dump and tries to use the fake entry, Singularity Identity sees the authentication attempt and fires an alert. This is why deception catches attackers who use perfectly legitimate stolen credentials and evade all behavioural signatures — they will always try every credential they find, including the fake ones.


📖 Glossary

ITDR
Identity Threat Detection and Response — a security discipline for detecting and responding to attacks that abuse identity systems like AD and Entra ID in real time.
DCSync
An attack where an adversary impersonates a domain controller to pull all password hashes via the AD replication protocol (MS-DRSR).
Kerberoasting
Requesting Kerberos service tickets for accounts with SPNs, then cracking the ticket's encrypted hash offline to recover the service account password.
Golden Ticket
A forged Kerberos TGT created with the KRBTGT account hash, granting persistent, near-unrestricted access to the domain.
AS-REP Roasting
Exploiting AD accounts with Kerberos pre-authentication disabled — the encrypted AS-REP response can be cracked offline without knowing the password.
Deceptive credential
A fake credential planted by Singularity Identity in browser stores, Credential Manager or keychains. Any attacker tool that uses it generates a guaranteed true-positive alert.
Singularity Hologram
SentinelOne's network-wide deception layer — fake hosts, services and data that trap attackers during lateral-movement reconnaissance.
Unconstrained delegation
An AD setting that allows a service to impersonate any user to any other service — a high-risk misconfiguration that attackers abuse for privilege escalation.
Identity attack surface
The set of AD and Entra ID misconfigurations and over-permissioned accounts that an attacker could exploit to escalate privileges or move laterally.
Pass-the-Hash
Reusing a stolen NTLM password hash to authenticate as a user without knowing the plaintext password.


What's next?

Solid on identity? Next, map the full Singularity XDR platform — how the EDR agent, Ranger network discovery, Cloud Workload Security and Singularity Identity feed into one correlated storyline in the Singularity console.