SANS Workshop: Shadow Steps
Understanding and Detecting User Impersonation and Lateral Movement in Active Directoryβ
Huge shout out to @ladhaAleem converting the "SANS Workshop: Shadow Steps: Understanding and Detecting User Impersonation and Lateral Movement in Active Directory" workshop created by Jean-François Maes to an ansible playbook and making it work with Ludus as well!
Description from SANS Workshop: Shadow Steps: Understanding and Detecting User Impersonation and Lateral Movement in Active Directoryβ
This hands-on, scenario-driven workshop delves into how attackers move stealthily through Active Directory environments using user impersonation and lateral movement techniques. Participants will explore how attackers exploit credentials and trust relationships to expand their access, and how defenders can detect, prevent, and respond to such threats.
Through simulated exercises and guided labs, participants will walk through real-world attack paths such as (over)Pass-the-Hash, Kerberoasting, and token impersonation.
Learning Objectives:
- Understand the key mechanisms behind user impersonation in Active Directory.
- Demonstrate how attackers perform lateral movement via tools and techniques such as:
- Pass-the-Hash
- Pass-the-Ticket/Overpass-the-Hash
- Remote Services Abuse (SMB, WMI, RDP, WinRM)\
- SOCKS PTH
- Kerberoasting
- Token Impersonation
- Token Creation
- This hands-on workshop is ideal for Penetration Testers with limited knowledge about AD internals.
Have fun !
Access the workbook here:β
Deploymentβ
1. Add rolesβ
Add the badsectorlabs.ludus_elastic_container and badsectorlabs.ludus_elastic_agent roles to your Ludus server
ludus ansible roles add badsectorlabs.ludus_elastic_container
ludus ansible roles add badsectorlabs.ludus_elastic_agent
2. Deploy the VMsβ
Set and deploy the configuration for the lab.
git clone https://github.com/aleemladha/SANS-Workshop-LateralMovement
ludus range config set -f SANS-Workshop-LateralMovement/ad/SANS/providers/ludus/config.yml
ludus range deploy
# Wait for the range to successfully deploy
# You can watch the logs with `ludus range logs -f`
# Or check the status with `ludus range status`
3. Install requirementsβ
Install ansible and its requirements for the lab on your local machine.
# You can use a virtualenv here if you would like
python3 -m venv sans-lat-ludus
source sans-lat-ludus/bin/activate
python3 -m pip install ansible-core
python3 -m pip install pywinrm
ansible-galaxy install -r SANS-Workshop-LateralMovement/ansible/requirements.yml
4. Setup the inventory filesβ
The inventory file is already present in the providers folder and replace RANGENUMBER with your range number with sed (commands provided below)
- Linux
- macOS
cd SANS-Workshop-LateralMovement/ansible
export RANGENUMBER=$(ludus range list --json | jq '.rangeNumber')
# `sudo apt install jq` if you don't have jq
sed -i "s/RANGENUMBER/$RANGENUMBER/g" ../ad/SANS/providers/ludus/inventory.yml
cd SANS-Workshop-LateralMovement/ansible
export RANGENUMBER=$(ludus range list --json | jq '.rangeNumber')
# `brew install jq` if you don't have jq
sed -i '' "s/RANGENUMBER/$RANGENUMBER/g" ../ad/SANS/providers/ludus/inventory.yml
5. Deploy the SANS Workshop�β
If not running on the Ludus host, you must be connected to your Ludus wireguard VPN for these commands to work
- Linux
- macOS
# in the SANS-Workshop-LateralMovement/ansible folder perform the following
export ANSIBLE_COMMAND="ansible-playbook -i ../ad/SANS/data/inventory -i ../ad/SANS/providers/ludus/inventory.yml"
export LAB="SANS"
chmod +x ../scripts/provisionning.sh
../scripts/provisionning.sh
# In the SANS-Workshop-LateralMovement/ansible folder perform the following
export ANSIBLE_COMMAND="ansible-playbook -i ../ad/SANS/data/inventory -i ../ad/SANS/providers/ludus/inventory.yml"
export LAB="SANS"
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
../scripts/provisionning.sh
Now you wait. [WARNING] lines are ok, and some steps may take a long time, don't panic!
This will take a few hours. You'll know it is done when you see:
The Empire's dominion is complete! But Rebel operatives remain hidden. Your mission: eliminate them.
6. Snapshot VMsβ
You must be connected to your Ludus wireguard VPN for these commands to work
Take snapshots via the proxmox web UI or SSH run the following ludus command:
ludus snapshot create clean-setup -d "Clean SANS Lab setup after ansible run"
7. Hack!β
Access your Kali machine at https://10.RANGENUMBER.50.99:8444 using the creds kali:password.
Access your Elastic SIEM at https://10.RANGENUMBER.20.1:5601 using the creds elastic:elasticpassword
Then Setup Empire & Starkiller.
Once done, follow lab 2 in the workbook above, without the need to use any OpenVPN configuration.
Replace this part with your RANGENUMBER xfreerdp /v:10.RANGENUMBER.20.11 /u:Administrator /p:'AnsibleAutomation123!' +clipboard /dynamic-resolution
You can also use a standard RDP client on your local machine if your WireGuard is connected.
If you want a challenge and want to do the lab with defender enabled, edit the ad/SANS/data/inventory file and change the last part to look like this
; allow defender
; usage : security.yml
[defender_on]
dc01
dc02
dc03
srv02
; disable defender
; usage : security.yml
[defender_off]