Shadow Steps: Understanding and Detecting User Impersonation and Lateral Movement in Active Directory

This hands-on, scenario-driven workshop delves into how attackers move stealthily through Active Directory environments using user impersonation and lateral movement techniques. Participants will explore how attackers exploit credentials and trust relationships to expand their access, and how defenders can detect, prevent, and respond to such threats.

Through simulated exercises and guided labs, participants will walk through real-world attack paths such as (over)Pass-the-Hash, Kerberoasting, and token impersonation.

Learning Objectives:

  • Understand the key mechanisms behind user impersonation in Active Directory.
  • Demonstrate how attackers perform lateral movement via tools and techniques such as:
      • Pass-the-Hash
      • Pass-the-Ticket/Overpass-the-Hash
      • Remote Services Abuse (SMB, WMI, RDP, WinRM)
      • SOCKS PTH
      • Kerberoasting
      • Token Impersonation
      • Token Creation

This hands-on workshop is ideal for Penetration Testers with limited knowledge about AD internals.

Prerequisites:

  • Basic understanding of Windows networks and Active Directory
  • Familiarity with common cybersecurity concepts
  • Participants should have an AWS account with appropriate payment methods associated.
  • Participants will need an Ubuntu VM with Terraform and Empire installed.

This workshop supports content and knowledge from SEC565: Red Team Operations and Adversary Emulation.

Speaker Details

Jean-François Maes, Offensive Guardian
Jean-François is based in Portugal, where he is the CEO of Offensive Guardian, a boutique red and purple teaming shop providing freelance services to various organizations. He has worked for other noteworthy firms, including, but not limited to: Neuvik, TrustedSec, Fortra's Cobalt-Strike team, and NVISO.

Event Topic

Cybersecurity, Employee Training & Development, Security

Relevant Audiences

All State and Local Government, All Federal Government

Other Agency

Other Federal Agencies
Event Type
Virtual / Online
Event Subtype
Webinar / Webcast
When
Thu, Sep 18, 2025 | 10:00 am - 12:00 pm ET
Registration Cost
Complimentary
Organizer
SANS Institute