Shadow Steps: Understanding and Detecting User Impersonation and Lateral Movement in Active Directory
This hands-on, scenario-driven workshop delves into how attackers move stealthily through Active Directory environments using user impersonation and lateral movement techniques. Participants will explore how attackers exploit credentials and trust relationships to expand their access, and how defenders can detect, prevent, and respond to such threats. Through simulated exercises and guided labs, participants will walk through real-world attack paths such as (over)Pass-the-Hash, Kerberoasting, and token impersonation. This hands-on workshop is ideal for Penetration Testers with limited knowledge about AD internals.

LEARNING OBJECTIVES:
- Understand the key mechanisms behind user impersonation in Active Directory.
- Demonstrate how attackers perform lateral movement via tools and techniques such as:
  - Pass-the-Hash
  - Pass-the-Ticket/Overpass-the-Hash
  - Remote Services Abuse (SMB, WMI, RDP, WinRM)
  - SOCKS PTH
  - Kerberoasting
  - Token Impersonation
  - Token Creation

PREREQUISITES:
- Basic understanding of Windows networks and Active Directory
- Familiarity with common cybersecurity concepts
- Participants should have an AWS account with appropriate payment methods associated.
- Participants will need an Ubuntu VM with Terraform and Empire installed.

This workshop supports content and knowledge from SEC565: Red Team Operations and Adversary Emulation. To learn more about this course, explore upcoming sessions, and access your FREE preview, visit https://www.sans.org/sec565

Watch this session unedited and access the presentation slides: https://www.sans.org/webcasts/underst...

Learn more about Jean-François Maes: https://www.sans.org/profiles/jeanfra...

To check out more from the Offensive Operations curriculum and discover additional free resources, please visit: https://www.sans.org/offensive-operat...


