SEC586: Blue Team Operations: Defensive PowerShell

    18 CPEs

    Are you a Blue Teamer who has been asked to do more with less? Do you wish that you could detect and respond at the same pace as your adversaries who are breaking into and moving within the network? Blue Team Operations: Defensive PowerShell teaches deep automation and defensive capabilities using PowerShell. Come join us and learn how to automate everything from regular hardening and auditing tasks to advanced defenses. This course will provide you with skills for near real-time detection and response and elevate your defenses to the next level.

    Course Authors:
    Josh Johnson, Certified Instructor

    What You Will Learn

    Effective Blue Teams work to harden infrastructure, minimize time to detection, and enable real-time response to keep pace with modern adversaries. Automation is a key component of these capabilities, and PowerShell can be the glue that facilitates orchestration across disparate systems and platforms, effectively making them a force multiplier for Blue Teams. This course will enable information security professionals to leverage PowerShell to build tooling that hardens systems, hunts for threats, and responds to attacks immediately upon discovery.

    PowerShell is uniquely positioned to help Blue Teams because it acts as a cross-platform automation toolset that is built on top of the .NET framework, giving it nearly limitless extensibility. SEC586 maximizes the use of PowerShell using an approach specifically based on Blue Team use cases.

    Students will learn:

    • PowerShell scripting fundamentals from the ground up in terms of PowerShell's capabilities as a defensive toolset
    • Ways to maximize performance of code across dozens, hundreds, or thousands of systems
    • Modern hardening techniques using Infrastructure-as-Code principles
    • How to integrate disparate systems for multi-platform orchestration
    • PowerShell-based detection techniques ranging from Event Tracing for Windows to baseline deviation and deception
    • Response techniques leveraging PowerShell-based automation

    This course is meant to be accessible to beginners new to the PowerShell scripting language as well as to seasoned veterans looking to round out their skillset. Language fundamentals are covered in depth, with hands-on labs to help students become comfortable with the platform. For skilled PowerShell users who already know the basics, the material aims to solidify knowledge of the underlying mechanics while providing additional challenges to further this understanding.

    The PowerPlay platform built into the lab environment allows for practical, hands-on drilling of concepts to ensure understanding, promote creativity and provide a challenging environment for anyone to build on their existing skillset. PowerPlay consists of challenges and questions that map back to the course material as well as extend it.

    Between the course material and the PowerPlay bonus environment, SEC586 students will leave well equipped with the skills to automate everyday Cyber Defense tasks. Students will return to work ready to implement a new set of skills to harden their systems and accelerate capabilities to immediately detect threats and respond to them.

    You Will Be Able To:

    • Write scripts and ad hoc PowerShell as needed to solve cybersecurity use cases
    • Read and expand existing tooling
    • Harden systems using PowerShell
    • Test for visibility gaps and misconfigurations in an automated fashion
    • Integrate disparate systems to enable orchestration across various platforms
    • Build advanced detections using PowerShell as the underlying platform
    • Automate response initiatives before an incident occurs, enabling rapid response

    This Course Will Prepare You To:

    • Automate many common tasks to focus efforts on additional areas for improvement
    • Leverage a native, cross-platform technology to maximize protection
    • Enhance protection, detection, and response capabilities using PowerShell
    • Reduce time to detection and time to response when incidents do occur

    You Will Receive With This Course:

    • A Windows virtual machine hosting the lab environment
    • Full walkthroughs of each lab within a wiki on the virtual machine
    • The PowerPlay question-and-answer guide for additional drilling of concepts

    Syllabus (18 CPEs)

    • Section 1 Overview

      Even for seasoned PowerShell users, a deep and robust understanding of the language fundamentals can be incredibly powerful for writing more efficient, performant, and readable code. Section 1 focuses on building a solid foundation on which more complex use cases can be built. With a focus on functions specific to the Blue Team, this course section frames the discussion around the PowerShell basics in terms that will be immediately useful for students. For example, common data structures are discussed as a fundamental aspect of PowerShell, but quickly leveraged to perform actions across hundreds or thousands of systems. This foundation is built from the ground up and accessible to students with no prior scripting experience, but also with enough nuance to shed light on the "why does it work this way" questions posed by more seasoned PowerShell users. For professionals already very familiar with the section 1 concepts, PowerPlay offers an interactive, out-of-band challenge for students to drill more advanced concepts and techniques related to the course material.

      Exercises
      • Hands-On PowerShell: Get comfortable with PowerShell cmdlets, objects, and the pipeline to start making meaningful tools.
      • PowerShell Remoting: Understand how to run remote commands in a way that scales, and build a model for secure remote access.
      • Writing Performant PowerShell: Measure the impact of poorly written versus well-written PowerShell, leverage jobs and runspaces, and compare performance.
      • Source Control: Become familiar with git concepts to effectively manage version control.
      Topics
      • Getting to know PowerShell
        • Background and history
        • Why PowerShell is such a good fit for Blue Teams
        • Commands - How to use them and find them
        • Objects and pipelines as PowerShell differentiators
        • Extending PowerShell with .NET
      • Language Basics
        • Variables, data structures, and flow control
        • Input and output
        • Functions and script blocks
      • PowerShell Environment
        • Customizing the console
        • Common development environments
      • Debugging
        • Static code analysis
        • Tracing and breakpoints
        • Helpful tools like Pester and PSScriptAnalyzer
      • Remote Management
        • PowerShell remoting basics and the underlying protocols
        • Running remote commands
        • Managing remote sessions
        • Remoting endpoints/Constrained endpoints
        • Enabling WinRM-based and cross-platform remoting
        • Designing around the double-hop problem
      • PowerShell Performance
        • Coding techniques to maximize PowerShell performance
        • Remoting performance tweaks
        • Concurrency using native features
      • Source Control
        • Git terminology
        • Creating repositories and branches
        • Managing code with pull requests
        • Driving release pipelines from source control
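The Section 1 topics on concurrency and remoting performance come down to one pattern: start many units of work at once, cap how many run at the same time, and collect results without letting one failure abort the run. The following is an added example, not lab code from the course, that implements that pattern with a runspace pool (a native PowerShell feature), measures it against the sequential version, contrasts `+=` array growth with a generic List, and shows the same fan-out over WinRM with `Invoke-Command -ThrottleLimit`. The workload (250 ms of sleep per item) and the host names `ws01`/`ws02` are constructed for illustration; the remoting part needs WinRM enabled on the targets.

```powershell
# Added example (not course material). Runs on Windows PowerShell 5.1 or PowerShell 7.

function Invoke-Parallel {
    # Runs $ScriptBlock once per input item on a pool of at most $ThrottleLimit runspaces.
    # The script block receives the item as its first positional argument (param($x) or $args[0]).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]    $InputObject,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [int] $ThrottleLimit = 8
    )
    $pool = [runspacefactory]::CreateRunspacePool(1, $ThrottleLimit)
    $pool.Open()
    try {
        # Submit everything up front; the pool itself enforces the concurrency limit.
        $pending = foreach ($item in $InputObject) {
            $ps = [powershell]::Create()
            $ps.RunspacePool = $pool
            [void]$ps.AddScript($ScriptBlock.ToString()).AddArgument($item)
            [pscustomobject]@{ Item = $item; Shell = $ps; Handle = $ps.BeginInvoke() }
        }
        # Collect in submission order so output is deterministic; one failure does not stop the rest.
        foreach ($p in $pending) {
            try     { $p.Shell.EndInvoke($p.Handle) }
            catch   { Write-Warning "Item '$($p.Item)' failed: $_" }
            finally { $p.Shell.Dispose() }
        }
    }
    finally {
        $pool.Close(); $pool.Dispose()
    }
}

# 1) Sequential vs. pooled on 20 constructed items that each take 250 ms.
$targets = 1..20
$work = { param($n) Start-Sleep -Milliseconds 250; [pscustomobject]@{ Target = $n; Thread = [Threading.Thread]::CurrentThread.ManagedThreadId } }
$sequential = Measure-Command { foreach ($t in $targets) { & $work $t } }
$pooled     = Measure-Command { $null = Invoke-Parallel -InputObject $targets -ScriptBlock $work -ThrottleLimit 8 }
"Sequential: {0:N2}s   Pooled (8 runspaces): {1:N2}s" -f $sequential.TotalSeconds, $pooled.TotalSeconds

# 2) Growing an array with += copies the whole array on every iteration; a List appends in place.
$viaArray = Measure-Command { $a = @();  foreach ($i in 1..20000) { $a += $i } }
$viaList  = Measure-Command { $l = [System.Collections.Generic.List[int]]::new(); foreach ($i in 1..20000) { $l.Add($i) } }
"Array +=: {0:N2}s   List.Add: {1:N3}s" -f $viaArray.TotalSeconds, $viaList.TotalSeconds

# 3) The same fan-out over WinRM. Invoke-Command manages the pool; -ThrottleLimit caps concurrent
#    sessions and -ErrorVariable keeps unreachable hosts without aborting the run.
function Invoke-AtScale {
    param(
        [Parameter(Mandatory)] [string[]]    $ComputerName,
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [int] $ThrottleLimit = 32
    )
    $failures = @()
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $ScriptBlock `
        -ThrottleLimit $ThrottleLimit -ErrorAction SilentlyContinue -ErrorVariable failures
    foreach ($f in $failures) {
        Write-Warning ("Failed: {0} ({1})" -f $f.TargetObject, $f.Exception.Message)
    }
}
# Assumed host names; uncomment on a network where WinRM is enabled:
# Invoke-AtScale -ComputerName 'ws01', 'ws02' -ScriptBlock { Get-Service WinRM | Select-Object PSComputerName, Status, StartType }
```

Two details matter for Blue Team use: results come back tagged with `PSComputerName` when run through `Invoke-Command`, so grouping by host needs no extra bookkeeping, and the hosts that did not answer are just as interesting as those that did, which is why the failures are reported rather than swallowed.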
    • Section 2 Overview

      PowerShell-based automation provides a unique cross-platform mechanism to improve Blue Teams' speed of execution. This section focuses on better understanding one's own environment, maximizing visibility, and testing defensive capabilities using PowerShell. The section begins with a deep dive into log analysis and data parsing and discovery. The goal is to maximize the utility of native features of Operating Systems and applications while fully understanding how to find important data.

      The section then moves into building integration with other systems. With modern API-driven orchestration, PowerShell can glue together multiple systems for better troubleshooting, investigation, detection, and response. This understanding can unlock functionality that would not otherwise be possible between disparate systems.

      The section concludes with in-depth discussions on hardening infrastructure and maximizing visibility and detection capabilities. First, Desired State Configuration - PowerShell's configuration as code utility - can be used to consistently define and configure infrastructure using PowerShell to help ensure system integrity. Other hardening techniques discussed are built upon maximizing native security functionality. Lastly, we'll explain how better understanding visibility and detection capabilities in a repeatable format via automated testing techniques provides for a reliable and repeatable means of measuring one's capabilities.
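The paragraph above describes Desired State Configuration as a way to declare a hardened state and have PowerShell enforce it. As an added example (not the course's DSC lab), the configuration below turns on Script Block Logging, Module Logging and transcription through their Group Policy registry keys, keeps WinRM running for remoting, compiles to a MOF, applies it to the local node and then checks for drift. The transcript directory `C:\PSTranscripts` is an assumption; it must be somewhere ordinary users cannot modify. Run in Windows PowerShell 5.1 as Administrator.

```powershell
# Added example (not course material): push-mode DSC on the local node.
Configuration HardenPowerShellLogging {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    $policyRoot = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    Node 'localhost' {
        Registry ScriptBlockLogging {
            Key       = "$policyRoot\ScriptBlockLogging"
            ValueName = 'EnableScriptBlockLogging'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }
        Registry ModuleLogging {
            Key       = "$policyRoot\ModuleLogging"
            ValueName = 'EnableModuleLogging'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }
        Registry ModuleLoggingAllModules {
            # A value named '*' with data '*' under ModuleNames logs every module.
            Key       = "$policyRoot\ModuleLogging\ModuleNames"
            ValueName = '*'
            ValueType = 'String'
            ValueData = '*'
            Ensure    = 'Present'
            Force     = $true
        }
        Registry Transcription {
            Key       = "$policyRoot\Transcription"
            ValueName = 'EnableTranscripting'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
            Force     = $true
        }
        Registry TranscriptionDirectory {
            Key       = "$policyRoot\Transcription"
            ValueName = 'OutputDirectory'
            ValueType = 'String'
            ValueData = 'C:\PSTranscripts'   # assumed path
            Ensure    = 'Present'
            Force     = $true
        }
        File TranscriptDir {
            DestinationPath = 'C:\PSTranscripts'
            Type            = 'Directory'
            Ensure          = 'Present'
        }
        Service WinRM {
            Name        = 'WinRM'
            StartupType = 'Automatic'
            State       = 'Running'
        }
    }
}

# Compile to a MOF, apply it, then verify. Test-DscConfiguration reports whether the node still
# matches the declared state, so running it on a schedule gives drift detection for free.
$mofPath = Join-Path $env:TEMP 'HardenPowerShellLogging'
HardenPowerShellLogging -OutputPath $mofPath | Out-Null
Start-DscConfiguration -Path $mofPath -Wait -Force -Verbose
Test-DscConfiguration -Detailed | Select-Object InDesiredState, ResourcesNotInDesiredState
```

An attacker who flips `EnableScriptBlockLogging` back to 0 now causes `Test-DscConfiguration` to return `InDesiredState = False`, which is itself a detection; with the Local Configuration Manager in `ApplyAndAutoCorrect` mode the key would be re-applied on the next consistency check.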

      Exercises
      • Efficient Log Analysis: Understand how to analyze and filter Windows events and plaintext log files efficiently, and find attacks within sample log files.
      • Integrating Technologies: Build API-based integration.
      • Desired State Configuration (DSC): Leverage DSC to harden a system and turn it into an Incident Response powerhouse.
      • Advanced Detections: Leverage native functionality to maximize hardening efforts with a focus on enabling efficient detection.
      • Measuring Visibility with Atomic Red Team: Leverage Atomic Red Team to test and maximize visibility.
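The Efficient Log Analysis exercise above is about getting Windows events and plaintext lines into objects, because once they are objects the rest is `Group-Object`, `Where-Object` and `Sort-Object`. The code below is an added example, not the course's lab material. It flattens an event's named `EventData` fields onto one object, uses a server-side filter to pull failed logons (4625) and groups them the way password spraying shows up (one source address, many target users), and then parses constructed web-access log lines with a regex of named groups. Reading the Security log needs administrative rights; the five-user threshold is an assumption to tune per environment.

```powershell
# Added example (not course material).

function ConvertFrom-WinEvent {
    # Flattens an EventLogRecord into one object whose properties are the named EventData
    # fields (TargetUserName, IpAddress, ...) instead of the positional Properties array.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $out = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; Computer = $Event.MachineName }
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $out[$d.Name] = $d.'#text' }   # skip unnamed Data elements
        }
        [pscustomobject]$out
    }
}

# 1) Failed logons in the last 24 hours. FilterHashtable is evaluated by the event log service,
#    which is far faster than pulling every record and filtering with Where-Object.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
          ConvertFrom-WinEvent
$failed |
    Group-Object IpAddress |
    ForEach-Object {
        [pscustomobject]@{
            IpAddress     = $_.Name
            Attempts      = $_.Count
            DistinctUsers = ($_.Group.TargetUserName | Sort-Object -Unique).Count
        }
    } |
    Where-Object { $_.DistinctUsers -ge 5 } |   # assumed threshold
    Sort-Object Attempts -Descending

# 2) Plaintext logs: a regex with named groups turns each line into an object.
#    These lines are constructed for the example, in a common web-access format.
$sampleLog = @'
10.1.2.3 - - [12/May/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
10.1.2.3 - - [12/May/2021:10:01:05 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0
198.51.100.7 - - [12/May/2021:10:02:11 +0000] "POST /login HTTP/1.1" 401 231
198.51.100.7 - - [12/May/2021:10:02:12 +0000] "POST /login HTTP/1.1" 401 231
198.51.100.7 - - [12/May/2021:10:02:14 +0000] "POST /login HTTP/1.1" 200 1024
'@ -split "`r?`n"

$pattern = '^(?<Client>\S+) \S+ \S+ \[(?<Time>[^\]]+)\] "(?<Method>\S+) (?<Path>\S+) [^"]*" (?<Status>\d{3}) (?<Bytes>\d+)$'
$requests = foreach ($line in $sampleLog) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Client = $Matches.Client; Time   = $Matches.Time;          Method = $Matches.Method
            Path   = $Matches.Path;   Status = [int]$Matches.Status;   Bytes  = [int]$Matches.Bytes
        }
    }
}

# Directory traversal attempts.
$requests | Where-Object Path -match '\.\./'

# Clients that failed at /login at least twice and then succeeded (brute force that worked).
$requests | Group-Object Client | Where-Object {
    ($_.Group | Where-Object Status -eq 401).Count -ge 2 -and
    ($_.Group | Where-Object { $_.Path -eq '/login' -and $_.Status -eq 200 })
} | Select-Object Name, Count
```

The same `ConvertFrom-WinEvent` helper works for any provider that uses `EventData`, including Sysmon, so a detection written against named fields does not break when a positional index differs between event versions.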
      Topics
      • Best Practices and Controlling PowerShell
        • Maximizing readability and reusability of code
        • Controlling PowerShell to minimize malicious use or misuse of the platform
        • Just Enough Administration
      • Log Analysis
        • Enabling appropriate logging
        • Reading and filtering Windows Event Logs
        • Reading and filtering plaintext logs
      • Text Parsing
        • Regular expressions and string operations to enable efficient parsing
      • Integrations
        • Making HTTP requests
          • Web scraping
          • API calls
        • Authentication
        • Handling session tokens
        • Non-HTTP based integrations
      • Desired State Configuration
        • Benefits of configuration as code
        • DSC architecture and deployment options
        • DSC syntax
        • Finding, building, and implementing DSC resources
        • Workflow and use cases
      • System Hardening
        • Filesystem and registry controls
        • Management of native endpoint functionality
      • Know Thyself
        • Understanding operational capabilities
        • Visibility analysis
        • Testing CIS Critical Security Controls compliance and visibility against the MITRE ATT&CK framework
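The "Controlling PowerShell" and "Just Enough Administration" topics above are about cutting the attack surface of remoting rather than disabling it. As an added example (not course material), the script below registers a constrained endpoint: a role capability file that exposes a handful of cmdlets and pins `Restart-Service` to one service name, and a session configuration that runs callers under a transient virtual account with transcription on. The group `CONTOSO\Helpdesk-Operators`, the server `srv01`, the module name and the transcript path are assumptions. Run as Administrator on the server being exposed.

```powershell
# Added example (not course material): a JEA endpoint for helpdesk operators.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaHelpdesk'   # assumed module name
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'                              # .psrc files must live here
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'JeaHelpdesk.psd1') -Description 'JEA role capabilities for helpdesk'

# 1) Role capability: an allow-list. Where a cmdlet could do far more than intended, pin its
#    parameters (Restart-Service on any service would be a denial-of-service primitive).
$visibleCmdlets = @(
    'Get-Service'
    'Get-Process'
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ServiceOps.psrc') `
    -Description 'Inspect services and processes; restart only the print spooler' `
    -VisibleCmdlets $visibleCmdlets `
    -VisibleFunctions 'Get-RecentLogon' `
    -FunctionDefinitions @{
        Name        = 'Get-RecentLogon'
        ScriptBlock = {
            # 4624 EventData index 5 is TargetUserName.
            Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20 |
                Select-Object TimeCreated, @{ n = 'User'; e = { $_.Properties[5].Value } }
        }
    }

# 2) Session configuration. RestrictedRemoteServer strips everything not explicitly exposed,
#    RunAsVirtualAccount means the operator never holds admin credentials on this box, and
#    TranscriptDirectory records every command each operator ran.
$pssc = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk-Operators' = @{ RoleCapabilities = 'ServiceOps' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration file: $pssc" }
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null

# 3) From an operator workstation (assumed server name). Get-Command inside the session lists
#    only the exposed surface; anything else fails as "not recognized".
# Enter-PSSession -ComputerName srv01 -ConfigurationName Helpdesk
# [srv01]: PS> Get-Command
# [srv01]: PS> Restart-Service -Name Spooler   # allowed
# [srv01]: PS> Restart-Service -Name WinRM     # rejected: 'WinRM' is not in the ValidateSet
```

Two checks worth keeping in the toolkit afterwards: `Get-PSSessionConfiguration` shows every endpoint on a host, so an unexpected unconstrained one is a finding, and the transcript directory should be collected centrally, since a local-admin attacker on the server could otherwise prune it.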
    • Section 3 Overview

      This section combines the techniques discussed in the previous course sections in order to maximize detection and response capabilities. A common challenge faced by Blue Teams is the overwhelming amount of data generated by endpoints and security tooling. While this volume of data is meant to facilitate proper detection, it can be interpreted as noise and actually harm an organization's ability to detect threats. We'll discuss analysis techniques to use PowerShell to filter through some of this noise and engineer the ability to make better decisions based on the data provided.
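One of the analysis techniques the syllabus lists for separating signal from this noise is N-gram analysis for unusual strings. The following added example (not course material) trains a character trigram model on a small corpus of known-good process command lines and scores new command lines by their mean smoothed log-probability under that model; a long encoded argument or an odd path scores far below the rest and sorts to the top. The corpus and candidate lines, including the encoded token, are constructed for this example; in practice the corpus would be weeks of 4688 or Sysmon event 1 data from the environment itself.

```powershell
# Added example (not course material): character n-gram scoring of command lines.

function New-NGramModel {
    param([Parameter(Mandatory)] [string[]] $Corpus, [int] $N = 3)
    $counts = @{}
    $total  = 0
    foreach ($s in $Corpus) {
        $t = $s.ToLowerInvariant()
        for ($i = 0; $i -le $t.Length - $N; $i++) {
            $g = $t.Substring($i, $N)
            if ($counts.ContainsKey($g)) { $counts[$g]++ } else { $counts[$g] = 1 }
            $total++
        }
    }
    [pscustomobject]@{ N = $N; Counts = $counts; Total = $total; Vocab = $counts.Count }
}

function Get-NGramScore {
    # Mean log-probability per n-gram with add-one smoothing. Higher means "looks like the corpus".
    param([Parameter(Mandatory)] $Model, [Parameter(Mandatory)] [string] $Text)
    $t = $Text.ToLowerInvariant()
    $n = $Model.N
    if ($t.Length -lt $n) { return 0.0 }
    $sum = 0.0
    $k   = 0
    for ($i = 0; $i -le $t.Length - $n; $i++) {
        $g = $t.Substring($i, $n)
        $c = if ($Model.Counts.ContainsKey($g)) { $Model.Counts[$g] } else { 0 }
        $sum += [math]::Log(($c + 1) / ($Model.Total + $Model.Vocab + 1))
        $k++
    }
    [math]::Round($sum / $k, 3)
}

# Constructed "known good" corpus.
$baselineCmdlines = @(
    'C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule'
    'C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog'
    '"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'
    '"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US'
    'C:\Windows\System32\conhost.exe 0xffffffff -ForceV1'
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-Logs.ps1'
    'C:\Windows\System32\wbem\WmiPrvSE.exe'
    'C:\Windows\System32\RuntimeBroker.exe -Embedding'
)
$model = New-NGramModel -Corpus $baselineCmdlines -N 3

# Constructed candidates: two ordinary lines, one encoded PowerShell command, one odd DLL load.
$candidates = @(
    'C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule'
    'powershell.exe -nop -w hidden -enc JABhAD0AMQA7ACQAYgA9ADIAOwAkAGMAPQAzAA=='
    'rundll32.exe C:\Users\Public\update.dll,Start'
    '"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process'
)
$candidates |
    ForEach-Object { [pscustomobject]@{ Score = Get-NGramScore -Model $model -Text $_; CommandLine = $_ } } |
    Sort-Object Score |
    Format-Table -AutoSize -Wrap
```

The scoring is deliberately simple: with a real corpus the threshold is chosen from the score distribution of the corpus itself (for example, anything below the 1st percentile), and the model is retrained when software is rolled out so that new legitimate paths stop looking novel.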

      Advanced detection techniques such as Event Tracing for Windows and deception on endpoints and the network are implemented to provide deep visibility and weaponize existing infrastructure against threat actors. Baselining is layered on top of these techniques to provide an ability to understand normal operating circumstances and identify outliers from that dataset.
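Event Tracing for Windows, as mentioned above, is the layer under most of the logging Blue Teams already consume, and a trace session can be pointed at providers that never reach an event log. The code below is an added example, not course material. It builds a session with the NetEventPacketCapture cmdlets that records the DNS client's ETW provider alongside a header-only packet capture into one .etl file, generates a lookup, then reads the trace back with `Get-WinEvent`. The session name, the lookup target `www.example.com` and the output path are assumptions. Run as Administrator on Windows 10 / Server 2016 or later.

```powershell
# Added example (not course material): an ETW trace session with a provider and packet capture.

$session = 'BlueTeamDnsTrace'
$etlPath = Join-Path $env:TEMP "$session.etl"

# Remove a stale session of the same name left by an earlier run.
Get-NetEventSession -Name $session -ErrorAction SilentlyContinue | Remove-NetEventSession

New-NetEventSession -Name $session -CaptureMode SaveToFile -LocalFilePath $etlPath -MaxFileSize 50 | Out-Null

# Provider 1: the DNS client's own ETW provider (queries issued, responses received).
Add-NetEventProvider -SessionName $session -Name 'Microsoft-Windows-DNS-Client' -Level 4 | Out-Null
# Provider 2: packet capture, truncated to the first 128 bytes of each frame to keep the file small.
Add-NetEventPacketCaptureProvider -SessionName $session -Level 4 -CaptureType Physical -TruncationLength 128 | Out-Null

Start-NetEventSession -Name $session
try {
    # Generate some traffic to trace (assumed host name).
    $null = Resolve-DnsName 'www.example.com' -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
}
finally {
    Stop-NetEventSession -Name $session
    Remove-NetEventSession -Name $session
}

# Read the trace back. -Oldest is required for .etl files.
$events = Get-WinEvent -Path $etlPath -Oldest -ErrorAction SilentlyContinue
$events | Group-Object ProviderName | Select-Object Count, Name

# Event 3006 on the DNS-Client provider is "DNS query is called"; its first property is the name
# being resolved, so grouping on it gives the list of lookups made while the session ran.
$events |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-DNS-Client' -and $_.Id -eq 3006 } |
    ForEach-Object { $_.Properties[0].Value } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

For the tampering side of the syllabus, the absence of a trace session is the signal: a scheduled `Get-NetEventSession` (or `logman query -ets` for sessions created by other tools) that no longer returns a session you expect to be running is worth an alert on its own.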

      Lastly, response techniques driven by PowerShell are enabled by Interactive Notebooks where analysts can combine documentation and executable code with their output. Response techniques meant to maximize visibility can help an operations team better understand if anomalous conditions warrant further containment and investigation. On the other hand, once malicious intent is identified, response techniques focused on containment can be automated to mitigate additional harm.
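The containment side of the response techniques above is worth staging before an incident, because the point is to act in minutes. As an added example (not course material), the functions below isolate a host at the Windows Firewall so that only a responder subnet can reach it (with an undo that restores the rules it disabled), and contain a compromised account by disabling it, rotating its password and killing what is still running as that account on the host. The responder subnet `10.0.50.0/24`, the rule-state path and the account name are assumptions; the account step needs the ActiveDirectory module and rights on the domain. Run as Administrator on the suspect host.

```powershell
# Added example (not course material): pre-built containment actions with an undo.

$IsolationTag  = 'IR-Isolation'
$RuleStateFile = Join-Path $env:ProgramData "$IsolationTag.rules"   # assumed path

function Invoke-HostIsolation {
    param([Parameter(Mandatory)] [string[]] $ResponderAddress)   # e.g. '10.0.50.0/24'

    # Allow the responders both ways first, so flipping the defaults cannot lock them out.
    New-NetFirewallRule -DisplayName "$IsolationTag-In"  -Group $IsolationTag -Direction Inbound `
        -RemoteAddress $ResponderAddress -Action Allow -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$IsolationTag-Out" -Group $IsolationTag -Direction Outbound `
        -RemoteAddress $ResponderAddress -Action Allow -Profile Any | Out-Null

    # Existing allow rules would still punch through a default-block, so record and disable them.
    $others = Get-NetFirewallRule -Enabled True -Action Allow | Where-Object Group -ne $IsolationTag
    $others.Name | Set-Content -Path $RuleStateFile
    $others | Disable-NetFirewallRule

    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Undo-HostIsolation {
    Get-Content -Path $RuleStateFile -ErrorAction SilentlyContinue | ForEach-Object { Enable-NetFirewallRule -Name $_ }
    Remove-NetFirewallRule -Group $IsolationTag -ErrorAction SilentlyContinue
    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Allow   # Windows defaults
}

function Invoke-CredentialContainment {
    # Domain side: disable the account and set a random password so cached credentials and
    # tokens stop being useful for new logons. Host side: end whatever still runs as that user
    # here, since disabling an account does not tear down sessions already established.
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    Disable-ADAccount -Identity $SamAccountName
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword

    Get-Process -IncludeUserName | Where-Object UserName -like "*\$SamAccountName" | Stop-Process -Force
}

# Usage (assumed values):
# Invoke-HostIsolation -ResponderAddress '10.0.50.0/24'
# Invoke-CredentialContainment -SamAccountName 'jdoe'
# Undo-HostIsolation
```

Isolating at the host firewall keeps WinRM from the responder subnet working, which is what lets the visibility actions in the next exercise (enumeration, deeper auditing, artifact collection) continue against a host that is otherwise cut off from the network.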

      Exercises
      • Event Tracing for Windows (ETW): Become familiar with ETW providers and their usage for detection purposes.
      • Baseline Analysis: Build a baseline object whose integrity is protected, and use it to profile network and user behavior.
      • Deception: Implement several deception techniques to identify attacker behavior.
      • Response - Visibility: Build automation to more quickly understand the context around an event.
      • Response - Containment: Build automation to more quickly contain threats.
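The Deception exercise above is about turning the attacker's own reconnaissance into a detection. The following added example (not the course's lab code) plants a decoy file that no legitimate process should open, puts an audit entry (SACL) on it so that any read produces Security event 4663, and wraps the query that turns those events into an alert with the reading account and process. The path `C:\Finance\Payroll_2021_FINAL.xlsx` and the file contents are constructed for the example; the decoy should be placed where an attacker browsing for valuable data would find it, and its name should match that environment's conventions. Run as Administrator.

```powershell
# Added example (not course material): a honey file with object-access auditing.

$decoy = 'C:\Finance\Payroll_2021_FINAL.xlsx'   # assumed path
New-Item -ItemType Directory -Path (Split-Path $decoy) -Force | Out-Null

# Plausible but worthless content, with the timestamp backdated so it does not look freshly planted.
Set-Content -Path $decoy -Value 'Employee,Salary,Account', 'decoy,0,0000'
(Get-Item $decoy).LastWriteTime = (Get-Date).AddMonths(-3)

# Object-access auditing must be on for SACLs to produce events at all.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Audit every successful read by anyone. Get-Acl needs -Audit to include the SACL.
$acl  = Get-Acl -Path $decoy -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ReadData', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $decoy -AclObject $acl

function Get-DecoyAccess {
    # 4663 = "An attempt was made to access an object". In its EventData, index 1 is
    # SubjectUserName, 6 is ObjectName and 11 is ProcessName.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [datetime] $Since = (Get-Date).AddHours(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $p[1].Value
                Object  = $p[6].Value
                Process = $p[11].Value
            }
        } |
        Where-Object Object -eq $Path
}

# Trip the wire, then look: the reading account and process are the alert.
Get-Content -Path $decoy -TotalCount 1 | Out-Null
Get-DecoyAccess -Path $decoy
```

Backup agents and indexing services will read the file too, so the alert logic filters on `Process` (and on `User` for service accounts) before paging anyone; what remains is a user or process that had no reason to open a payroll file.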

      Topics
      • Analyzing Large Data Sets
        • Feeding data to SIEMs and Big Data systems
        • Analysis techniques to identify events of interest
        • N-Gram analysis for identifying unusual strings
        • PowerShell class structure and implementation
      • Event Tracing for Windows
        • Architecture and Blue Team use cases
        • Providers
        • Trace sessions
        • Packet captures in PowerShell
        • ETW tampering and detection
      • Baselining
        • Converting baseline data to objects and storing them securely
        • Baseline creation strategies
        • Types of baselines and implementations
        • PowerShell-based tools for baselining
      • Automating Deception
        • Network-deception techniques
        • System-deception techniques
        • User-deception techniques
        • Cloud-deception techniques
      • Interactive Notebooks
        • Jupyter Notebooks use cases
        • PowerShell on Jupyter/.NET Interactive
        • Use cases and implementation
      • Short-term Response - Visibility
        • Network and user-based enumeration
        • Enabling deeper auditing as an ad hoc response
        • Enrichment of existing data
      • Short-term Response - Containment
        • Mitigating credential theft impact
        • System containment - process and behavior restriction
        • Network containment
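The Baselining topics above call for converting baseline data to objects and storing them securely. As an added example (not course material), the script below snapshots the host's listening TCP endpoints and auto-start services as objects, stores the snapshot as JSON with an HMAC-SHA256 tag so that a baseline someone has edited is rejected before it is trusted, keeps the HMAC key DPAPI-protected for the creating account via `Export-Clixml` of a SecureString, and reports drift with `Compare-Object`. The storage directory under `%ProgramData%` is an assumption. Runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not course material): an integrity-protected host baseline and drift check.

$BaselineDir = Join-Path $env:ProgramData 'Baselines'   # assumed path
New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null

function Get-HostSnapshot {
    # Listening TCP endpoints with their owning process name, plus auto-start services with their binaries.
    $listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Type = 'Listener'; Key = "$($_.LocalAddress):$($_.LocalPort)"; Value = "$($proc.ProcessName)" }
    }
    $services = Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        [pscustomobject]@{ Type = 'Service'; Key = $_.Name; Value = $_.PathName }
    }
    @($listeners) + @($services) | Sort-Object Type, Key
}

function Get-BaselineKey {
    # 32 random bytes, created once and stored DPAPI-protected for the current user/machine.
    $keyFile = Join-Path $BaselineDir 'hmac.key.xml'
    if (-not (Test-Path $keyFile)) {
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force | Export-Clixml -Path $keyFile
    }
    $secure = Import-Clixml -Path $keyFile
    [Convert]::FromBase64String([System.Net.NetworkCredential]::new('', $secure).Password)
}

function Get-HmacTag([byte[]] $Key, [string] $Text) {
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Text)))
}

function Save-Baseline {
    $json = Get-HostSnapshot | ConvertTo-Json -Compress -Depth 3
    $doc  = [ordered]@{
        Created = (Get-Date).ToString('o')
        Host    = $env:COMPUTERNAME
        Data    = $json
        Mac     = Get-HmacTag -Key (Get-BaselineKey) -Text $json
    }
    $doc | ConvertTo-Json | Set-Content -Path (Join-Path $BaselineDir "$env:COMPUTERNAME.json")
}

function Compare-Baseline {
    $doc = Get-Content -Path (Join-Path $BaselineDir "$env:COMPUTERNAME.json") -Raw | ConvertFrom-Json
    if ((Get-HmacTag -Key (Get-BaselineKey) -Text $doc.Data) -ne $doc.Mac) {
        throw 'Baseline integrity check failed; refusing to compare against a tampered baseline.'
    }
    $old = $doc.Data | ConvertFrom-Json
    $new = Get-HostSnapshot
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Type, Key, Value |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      Type, Key, Value
}

Save-Baseline      # once, on a known-good host
Compare-Baseline   # later, on a schedule: a new listener or a changed service binary path shows up here
```

The HMAC only proves the baseline was written by whoever holds the key; if the host is already compromised at baseline time, the attacker's listener is part of "normal". Baselines are therefore taken from freshly built systems or gold images, and the key file is stored under an account the endpoint's users do not share.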

    Prerequisites

    • Basic understanding of programming concepts
    • Basic understanding of Information Security principles

    Laptop Requirements

    Important! Bring your own system configured according to these instructions!

    A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

    Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or a Linux distribution that can install and run the VMware virtualization products described below. You must also have 8 GB of RAM or more for the virtual machine to function properly in class.

    It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

    In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

    Download and install either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+ on your system prior to the beginning of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

    • CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
    • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
    • RAM: 8 gigabytes of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
    • USB 3.0 ports highly recommended
    • Disk: 50 gigabytes of free disk space
    • Administrative access to disable any host-based firewall
    • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
    • A Windows virtual machine will be provided in class

    Author Statement

    "My Information Security experience has taught me that human analysis is a critical attribute of effective cyber defense. Yet, the very people who are critical to preventing, discovering, and responding to threats are often bogged down with manual work that, while it needs to be done, is done at the expense of more advanced efforts. At the same time, we're facing a critical personnel and skills shortage in Information Security, and many organizations are struggling to fill open positions.

    "The immediate answer to these problems, in my opinion, is automation. PowerShell is a cross-platform automation engine that is uniquely positioned for this task. Blue Teams can transform their everyday operations by automating wherever possible. System auditing and hardening tasks can be streamlined via configuration as code and substantial automation, leaving room for professionals to interpret reporting and work on higher-level tasks. Detection and response tasks can also be significantly improved. Data aggregation and analysis can be performed automatically, leaving analysts with pre-filtered data of interest to aid in detection. For response, a pre-built toolkit can enable near real-time response actions such as quarantining systems on the network, interrogating suspicious hosts for more information, capturing artifacts for forensic analysis, or even automatically remediating common issues.

    "SEC586 is designed to help teams raise the bar and spend time on what will provide the most value to their organizations. Deep automation alongside capable professionals flips the script and makes organizations a dangerous target for their adversaries."

    -Josh Johnson


    Who Should Attend SEC586?

    • Security Operations Center Analysts
    • System Engineers
    • System Administrators
    • Technical Security Managers
    • Cyber Threat Investigators
    • Computer Network Defense Analysts
    © 2021 SANS™ Institute