$4,000

(SOSummit) Adversary Tactics: PowerShell Training Course

Event Information


Location

Embassy Suites by Hilton San Antonio Landmark

5615 Landmark Parkway

San Antonio, TX 78249

Refund Policy

Refunds up to 7 days before event

Event description

This course is being held as part of the first SpecterOps Summit and will include evening events and social activities.

---------------------------------------------------------------------------------

PowerShell offers security practitioners working within the Microsoft stack amazing capabilities for both offense and defense. Today, PowerShell is relied upon by red teams, threat hunters, incident responders, penetration testers, criminals, and nation-state adversaries alike due to its ability to automate attack and defense at scale. Gain a full understanding of how to effectively wield PowerShell as an attacker or defender.

Topics covered include:

  • OPSEC-aware PowerShell tradecraft principles
  • PowerShell Remoting
  • Identification of PowerShell in non-traditional host processes as a means of evading detection
  • Configuration, auditing, analysis, and evasion of preventative and detective security controls including PSv5 logging, constrained language mode, and AMSI
  • Windows Management Instrumentation and Active Directory deep dives
  • Low-level, Win32 interop and .NET internals for host artifact evasion and stealth
  • Using PowerShell as a stealthy loader for .NET malware
  • Code injection discovery, exploitation, and prevention

Course Summary

Automation is necessary to be efficient and successful in security for both offensive and defensive teams. Furthermore, with the rapid pace of migration to cloud infrastructure, the need to interact with infrastructure through automation is more important than ever. PowerShell is the language and shell that drives automation across the Windows and Azure ecosystem. Sitting on top of the massive .NET class library, there is very little that cannot be done in PowerShell. Today, PowerShell is relied upon by red teams, threat hunters, incident responders, penetration testers, criminals, and nation-state adversaries alike. Before robust detection capabilities were widely deployed, PowerShell was also the tool of choice for attackers to evade detection. Between the modern security features offered and the fact that most AV/EDR solutions have a PowerShell prevention/detection component, it is imperative that both red teamers and blue teamers understand the defensive landscape when building and using tools within the language.

This class is designed to teach students already comfortable with the basics of PowerShell to take full advantage of the unique benefits it offers security professionals. Since the introduction of version 5, the security optics and preventative controls of PowerShell are unparalleled. Students will learn how to configure, audit, monitor, and bypass every preventative and detective control that PowerShell has to offer. By the end of the class, students will walk away with a profound appreciation of PowerShell's capabilities, strong security enforcement and optics, as well as the extent of its unique, post-exploitation attack surface. Additionally, students will become even more comfortable using PowerShell and identifying when it’s the right tool for the job and when it’s not.

Defenders must know the reality of how attackers subvert security controls, and mature offensive security testers must know the defensive landscape in which they must tread carefully. This class will serve as a deep dive into PowerShell security capabilities. Every topic presented in class will follow the theme of "for every action, there is an equal and opposite reaction", whereby mitigations, detections, and bypasses will be discussed for nearly every topic covered.

Topics covered include:

  • OPSEC-aware PowerShell tradecraft principles
  • PowerShell Remoting
  • Execution of PowerShell in non-traditional host processes
  • Configuration, auditing, analysis, and evasion of preventative and detective security controls including PSv5 logging, constrained language mode, and AMSI
  • Windows Management Instrumentation and Active Directory deep dives
  • Low-level, Win32 interop and .NET internals for host artifact evasion and stealth
  • Code injection discovery, exploitation, and prevention

Course Syllabus

Day 1:

  • Motivations/Goals
  • PowerShell Basics Refresher
  • PowerShell Remoting
  • PowerShell Without PowerShell
    • 3rd party, alternate PowerShell hosts
    • Supported Microsoft PowerShell hosts
    • Unintended Microsoft PowerShell hosts
    • Command-line logging evasion

Day 2:

  • Windows Management Instrumentation (WMI)
    • Interacting with WMI
    • Querying WMI and discovery
    • Eventing
    • Attacks/defenses
  • Active Directory
    • Interacting with Active Directory
    • LDAP search filters
    • Active Directory ACLs
    • Command and control
    • PowerView “PowerUsage”

Day 3:

  • PowerShell Prevention - Implementation, Auditing, and Bypasses
    • Constrained Language Mode
    • Just Enough Administration (JEA)
    • Downgrade attack mitigation
    • Anti-malware Scan Interface (AMSI)
    • Exploiting code injection vulnerabilities
    • Code signing and trust enforcement
  • PowerShell Detection - Implementation, Auditing, and Bypasses
    • Classic and modern event logs
    • Event Tracing for Windows (ETW)

Day 4:

  • Reflection
    • Internal .NET member access/invocation
    • In-memory .NET assembly loading
    • Add-Type internals, host footprint, and evasion strategies
    • Dynamic code generation
  • Low-level, Win32 Interop
    • P/Invoke and Win32 API basics
    • Borrowing internal methods
    • PSReflect

Student Requirements

Students are expected to have the following:

  • A basic level of comfort/familiarity with PowerShell. A strong developer background is not required.
  • The ability to connect to the internet and connect to a VM over RDP (and optionally, PowerShell remoting – port 5985)
  • A Windows 10 VM (preferably Windows 10 Enterprise for the Device Guard lab).
  • A willingness to learn and to get your hands dirty in intensive labs!

Hardware Requirements

Participants will need to bring a laptop with:

  • 8 GB of RAM
  • Ability to run a virtual machine (VMware Player, Workstation, or Fusion)

What's Included

  • Four day training
  • All day beverages and snacks
  • Daily lunch
  • Evening activities as part of SpecterOps Summit

Accommodations

Training will take place at the Embassy Suites by Hilton San Antonio Landmark in San Antonio, Texas.

FAQs

How can I contact the organizer with any questions?

Please email info@specterops.io with any questions.

What's the refund policy?

Full refunds will be provided up to 7 days before the course start date.
