
Security Automation with PowerShell


by fatima
Price: PKR 260,000
Duration: 2 Months


Do you wish you could detect and respond at the same pace as the adversaries who are breaking into and moving within your network?

Defensive PowerShell teaches deep automation and defensive capabilities using PowerShell. Come join us and learn how to automate everything from regular hardening and auditing tasks to advanced defenses. This course will provide you with skills for near real-time detection and response and elevate your defenses to the next level.


Course Key Learnings:

  • PowerShell scripting fundamentals from the ground up with respect to the capabilities of PowerShell as a defensive toolset
  • Ways to maximize performance of code across dozens, hundreds, or thousands of systems
  • Modern hardening techniques using Infrastructure-as-Code principles
  • How to integrate disparate systems for multi-platform orchestration
  • PowerShell-based detection techniques ranging from Event Tracing for Windows to baseline deviation to deception
  • Response techniques leveraging PowerShell-based automation

Course Content:

Module 1: PowerShell Fundamentals

Overview

Even for seasoned PowerShell users, a deep and robust understanding of the language fundamentals can be incredibly powerful for writing more efficient, readable, and usable code. Section 1 of the course focuses on building a solid foundation upon which more complex use cases can then be constructed. With a focus on Blue Team specific functions, we’ll frame the discussion around the PowerShell basics in terms that will be immediately useful for students. For example, common data structures are discussed as a fundamental aspect of PowerShell and immediately applied as Blue Team triage and analysis tactics.

Exercises
  • Hands-on PowerShell: Get comfortable with PowerShell cmdlets, objects, and the pipeline to start making meaningful tools
  • Triage the VM: Quickly understand the state of a system, from networking details to process execution and removable devices
  • Scripting in PowerShell: Leverage an understanding of the language basics to build high-quality tooling that will be supportable by Blue Teams
  • Debugging: Save time and frustration by quickly identifying complex bugs in PowerShell through built-in debugging capabilities and Pester tests
  • Source Control: Become familiar with Git concepts to effectively manage version control

Topics

Getting to Know PowerShell

  • Background and history
  • Why PowerShell is such a good fit for Blue Teams
  • How to use commands and find them
  • Objects and pipelines as PowerShell differentiators
  • Extending PowerShell with .NET

Blue Team Use Cases

  • Network inspection
  • Triage at the operating system level
  • File discovery and inspection

Language Basics

  • Variables, data structures, and flow control
  • Input and output
  • Functions and script blocks

PowerShell Environment

  • Customizing the console
  • Common development environments

Debugging

  • Static code analysis
  • Tracing and breakpoints
  • Helpful tools like Pester and PSScriptAnalyzer

Source Control

  • Git terminology
  • Creating repositories and branches
  • Managing code with pull requests
  • Driving release pipelines from source control

Module 2: Best Practices for Blue Teams

Overview

PowerShell-based automation provides a unique, cross-platform mechanism for improving Blue Teams’ speed of execution. This course section begins with a discussion of best practices that ensure code is highly functional, readable, and supportable. Students will leave not only with a deep understanding of how PowerShell works under the hood, but also with a sense of how to build tools that can be supported by team members less familiar with PowerShell.

Exercises
  • PowerShell Remoting: Understand how to run remote commands in a way that scales, and build a model for secure remote access
  • Writing Usable PowerShell: Measure the impact of poorly written versus well-written PowerShell, and leverage jobs and runspaces to compare their performance
  • Integrating Technologies: Build an API-based integration
  • Interactive Notebooks: Build a triage notebook using VS Code and Jupyter

Topics

Best Practices

  • Maximizing readability and reusability of code
  • Designing tools with modularity in mind
  • Handling unexpected conditions when working at scale

Remote Management

  • PowerShell remoting basics and the underlying protocols
  • Running remote commands
  • Managing remote sessions
  • Remoting endpoints/constrained endpoints
  • Enabling WinRM-based and cross-platform remoting
  • Designing around the double-hop problem

PowerShell Performance

  • Coding techniques to maximize PowerShell performance
  • Remoting performance tweaks
  • Concurrency using native features

Integrations

  • Making HTTP requests
    • Web scraping
    • API calls
  • Authentication
  • Handling session tokens
  • Non-HTTP based integrations

Interactive Notebooks

  • Jupyter Notebooks use cases
  • PowerShell on Jupyter/.NET Interactive
  • Use cases and implementation

Module 3: Weaponizing PowerShell

Overview

Now that we have a strong understanding of the fundamentals, this course section focuses on ways to weaponize PowerShell from both an offensive and a defensive perspective. The section begins with offensive PowerShell use cases: threat actors have long used PowerShell as an attack platform, delivering fileless malware and living off the land using built-in capabilities. The section then turns this discussion around and focuses on the Blue Team aspects of controlling PowerShell execution.

Exercises
  • Offensive PowerShell: Build a fileless keylogger that automatically exfiltrates keystrokes to cloud storage
  • Controlling PowerShell: Analyze the impact of a stronger security posture surrounding PowerShell usage in the enterprise
  • Efficient Log Analysis: Understand how to efficiently analyze and filter Windows events and plaintext log files, and find attacks within sample log files
  • Parsing and Discovery: Build tools to extract important data from unstructured text-based logs and use these same techniques for sensitive data discovery
  • DevOps: Leverage PowerShell as an orchestration engine, building containers for automated web application scanning and identifying potentially compromised containers in the environment

Topics

Offensive PowerShell

  • Common tactics used by attackers leveraging PowerShell
  • Fileless implementation techniques
  • .NET utilization by PowerShell-based attack tools

Controlling PowerShell

  • Limiting attack surface on PowerShell-enabled systems
  • Controlling, not attempting to block, PowerShell in the enterprise
  • Just Enough Administration for enabling secure usage of administrative PowerShell sessions

Log Analysis

  • Enabling appropriate logging
  • Reading and filtering Windows Event Logs
  • Reading and filtering plaintext logs

Text Parsing

  • Regular expressions and string operations to enable efficient parsing

DevOps

  • Automating static and dynamic application security testing
  • Pipeline assurance automation
  • Container interaction, security assessment, and triage

Module 4: Know and Protect Thyself

Overview

This course section focuses on better understanding one’s own environment, maximizing visibility, and testing defensive capabilities using PowerShell. The section begins with in-depth discussions on hardening infrastructure and maximizing visibility and detection capabilities. For basics such as ensuring that proper access controls exist, the theory is simple, but scaling it in practice with traditional techniques is difficult. With an automation platform like PowerShell, hardening and auditing practices can be scaled with ease, providing consistent assurance.

Exercises
  • Advanced Detections: Leverage native functionality to maximize hardening efforts with a focus on enabling efficient detection
  • Desired State Configuration: Leverage DSC to harden a system and turn it into an incident response powerhouse
  • Measuring Visibility with Atomic Red Team: Leverage Atomic Red Team to test and maximize visibility
  • Analyzing Large Data Sets: Quickly make sense of large volumes of data using statistical analysis, and leverage custom PowerShell to create unique PowerShell objects meant to solve specific problems

Topics

System Hardening

  • Filesystem and registry controls
  • Management of native endpoint functionality

Desired State Configuration

  • Benefits of Configuration as Code
  • DSC architecture and deployment options
  • DSC syntax
  • Finding, building, and implementing DSC resources
  • Workflow and use cases

Know Thyself

  • Understanding operational capabilities
  • Visibility analysis
  • Testing compliance with and the visibility of the CIS Critical Security Controls against MITRE ATT&CK

Analyzing Large Data Sets

  • Feeding data to SIEMs and Big Data systems
  • Analysis techniques to identify events of interest
  • N-Gram analysis for identifying unusual strings
  • PowerShell class structure and implementation

Module 5: Detect and Respond

Overview

With hardening and protection mechanisms now having been covered, this course section focuses entirely on detection and response strategies enabled by PowerShell automation.

Advanced detection techniques such as Event Tracing for Windows and deception on endpoints and the network are implemented to provide deep visibility and to turn existing infrastructure against threat actors. These techniques can be automated at scale to turn a “normal” enterprise network into a minefield, providing deep visibility to Blue Teams while forcing an attacker to work even more slowly and methodically to evade detection.

Exercises
  • Event Tracing for Windows: Become familiar with ETW providers and their use for detection purposes
  • Baseline Analysis: Build a baseline object that protects integrity while profiling network and user behavior
  • Deception: Implement several deception techniques to identify attacker behavior
  • Response – Visibility: Build automation to more quickly understand context around an event
  • Response – Containment: Build automation to more quickly contain threats

Topics

Event Tracing for Windows

  • Architecture and Blue Team use cases
  • Providers
  • Trace sessions
  • Packet captures in PowerShell
  • ETW tampering and detection

Baselining

  • Converting baseline data to objects and storing them securely
  • Strategies to create baselines
  • Types of baselines and implementations
  • PowerShell-based tools for baselining

Automating Deception

  • Network deception techniques
  • System deception techniques
  • User deception techniques
  • Cloud deception techniques

Short-term Response – Visibility

  • Network and user-based enumeration
  • Enabling deeper auditing as an ad hoc response
  • Enrichment of existing data

Short-term Response – Containment

  • Mitigating credential theft impact
  • System containment – process and behavior restriction
  • Network containment

Course Prerequisites

  • Basic understanding of programming concepts
  • Basic understanding of Information Security principles

Key Features

  • Flexible class schedule
  • Online classes for out-of-city / out-of-country students
  • Unlimited learning - FREE workshops
  • FREE practice exam
  • Internships available
  • Free course recording videos

ABOUT US

OMNI ACADEMY & CONSULTING is one of the most prestigious training and consulting firms. Founded in 2010 under MHSG Consulting Group, it aims to help our customers transform their people and business and become more engaged with their customers through digital transformation: helping people to gain valuable skills and get jobs.
