What You Will Learn
Effective Blue Teams work to harden infrastructure, minimize time to detection, and enable real-time response to keep pace with modern adversaries. Automation is a key component of these capabilities, and PowerShell can be the glue that facilitates orchestration across disparate systems and platforms, effectively making them a force multiplier for Blue Teams. This course will enable information security professionals to leverage PowerShell to build tooling that hardens systems, hunts for threats, and responds to attacks immediately upon discovery.
PowerShell is uniquely positioned to help Blue Teams because it acts as a cross-platform automation toolset that is built on top of the .NET framework, giving it nearly limitless extensibility. SEC586 maximizes the use of PowerShell using an approach specifically based on Blue Team use cases.
Students will learn:
- PowerShell scripting fundamentals from the ground up in terms of PowerShell's capabilities as a defensive toolset
- Ways to maximize performance of code across dozens, hundreds, or thousands of systems
- Modern hardening techniques using Infrastructure-as-Code principles
- How to integrate disparate systems for multi-platform orchestration
- PowerShell-based detection techniques ranging from Event Tracing for Windows to baseline deviation and deception
- Response techniques leveraging PowerShell-based automation
This course is meant to be accessible to beginners new to the PowerShell scripting language as well as to seasoned veterans looking to round out their skillset. Language fundamentals are covered in depth, with hands-on labs to help students become comfortable with the platform. For skilled PowerShell users who already know the basics, the material aims to solidify knowledge of the underlying mechanics while providing additional challenges to further this understanding.
The PowerPlay platform built into the lab environment allows for practical, hands-on drilling of concepts to ensure understanding, promote creativity and provide a challenging environment for anyone to build on their existing skillset. PowerPlay consists of challenges and questions that map back to the course material as well as extend it.
Between the course material and the PowerPlay bonus environment, SEC586 students will leave well equipped with the skills to automate everyday Cyber Defense tasks. Students will return to work ready to implement a new set of skills to harden their systems and accelerate capabilities to immediately detect threats and respond to them.
You Will Be Able To:
- Write scripts and ad hoc PowerShell as needed to solve cybersecurity use cases
- Read and expand existing tooling
- Harden systems using PowerShell
- Test for visibility gaps and misconfigurations in an automated fashion
- Integrate disparate systems to enable orchestration across various platforms
- Build advanced detections using PowerShell as the underlying platform
- Automate response initiatives before an incident occurs, enabling rapid response
This Course Will Prepare You To:
- Automate many common tasks to focus efforts on additional areas for improvement
- Leverage a native, cross-platform technology to maximize protection
- Enhance protection, detection, and response capabilities using PowerShell
- Reduce time to detection and time to response when incidents do occur
You Will Receive With This Course:
- A Windows virtual machine hosting the lab environment
- Full walkthroughs of each lab within a wiki on the virtual machine
- The PowerPlay question-and-answer guide for additional drilling of concepts
Syllabus (18 CPEs)
-
Overview
Even for seasoned PowerShell users, a deep and robust understanding of the language fundamentals can be incredibly powerful for writing more efficient, performant, and readable code. Section 1 focuses on building a solid foundation on which more complex use cases can be built. With a focus on functions specific to the Blue Team, this course section frames the discussion around the PowerShell basics in terms that will be immediately useful for students. For example, common data structures are discussed as a fundamental aspect of PowerShell, but quickly leveraged to perform actions across hundreds or thousands of systems. This foundation is built from the ground up and accessible to students with no prior scripting experience, but also with enough nuance to shed light on the "why does it work this way" questions posed by more seasoned PowerShell users. For professionals already very familiar with the section 1 concepts, PowerPlay offers an interactive, out-of-band challenge for students to drill more advanced concepts and techniques related to the course material.
Exercises
- Hands-On PowerShell: Get comfortable with PowerShell cmdlets, objects, and the pipeline to start making meaningful tools,
- PowerShell Remoting: Understand how to run remote commands in a way that scales, and build a model for secure remote access.
- Writing Performant PowerShell: Measure the impact of poorly written versus well-written PowerShell, leverage jobs and runspaces, and compare performance.
- Source Control: Become familiar with git concepts to effectively manage version control.
Topics
- Getting to know PowerShell
- Background and history
- Why PowerShell is such a good fit for Blue Teams
- Commands - How to use them and find them
- Objects and pipelines as PowerShell differentiators
- Extending PowerShell with .NET
- Language Basics
- Variables, data structures, and flow control
- Input and output
- Functions and script blocks
- PowerShell Environment
- Customizing the console
- Common development environments
- Debugging
- Static code analysis
- Tracing and breakpoints
- Helpful tools like Pester and PSScriptAnalyzer
- Remote Management
- PowerShell remoting basics and the underlying protocols
- Running remote commands
- Managing remote sessions
- Remoting endpoints/Constrained endpoints
- Enabling WinRM-based and cross-platform remoting
- Designing around the double-hop problem
- PowerShell Performance
- Coding techniques to maximize PowerShell performance
- Remoting performance tweaks
- Concurrency using native features
- Source Control
- Git terminology
- Creating repositories and branches
- Managing code with pull requests
- Driving release pipelines from source control
-
Overview
PowerShell-based automation provides a unique cross-platform mechanism to improve Blue Teams' speed of execution. This section focuses on better understanding one's own environment, maximizing visibility, and testing defensive capabilities using PowerShell. The section begins with a deep dive into log analysis and data parsing and discovery. The goal is to maximize the utility of native features of Operating Systems and applications while fully understanding how to find important data.
The section then moves into building integration with other systems. With modern API-driven orchestration, PowerShell can glue together multiple systems for better troubleshooting, investigation, detection, and response. This understanding can unlock functionality that would not otherwise be possible between disparate systems.
The section concludes with in-depth discussions on hardening infrastructure and maximizing visibility and detection capabilities. First, Desired State Configuration - PowerShell's configuration as code utility - can be used to consistently define and configure infrastructure using PowerShell to help ensure system integrity. Other hardening techniques discussed are built upon maximizing native security functionality. Lastly, we'll explain how better understanding visibility and detection capabilities in a repeatable format via automated testing techniques provides for a reliable and repeatable means of measuring one's capabilities.
Exercises
- Efficient Log Analysis: Understand how to analyze and filter Windows events and plaintext log files efficiently, and find attacks within sample log files.
- Integrating Technologies: Build API-based integration.
- Desired State Configuration (DSC): Leverage DSC to harden a system and turn it into an Incident Response powerhouse.
- Advanced Detections: Leverage native functionality to maximize hardening efforts with a focus on enabling efficient detection.
- Measuring Visibility with Atomic Red Team: Leverage Atomic Red Team to test and maximize visibility.
Topics
- Best Practices and Controlling PowerShell
- Maximizing readability and reusability of code
- Controlling PowerShell to minimize malicious use or misuse of the platform
- Just Enough Administration
- Log Analysis
- Enabling appropriate logging
- Reading and filtering Windows Event Logs
- Reading and filtering plaintext logs
Text Parsing
- Regular expressions and string operations to enable efficient parsing
- Integrations
- Making HTTP requests
- Web scraping
- API calls
- Authentication
- Handling session tokens
- Non-HTTP based integrations
- Desired State Configuration
- Benefits of configuration as code
- DSC architecture and deployment options
- DSC syntax
- Finding, building, and implementing DSC resources
- Workflow and use cases
- System Hardening
- Filesystem and registry controls
- Management of native endpoint functionality
- Know Thyself
- Understanding operational capabilities
- Visibility analysis
- Testing CIS Critical Security Controls compliance and visibility against the MITRE ATT&CK framework
-
Overview
This section combines the techniques discussed in the previous course sections in order to maximize detection and response capabilities. A common challenge faced by Blue Teams is the overwhelming amount of data generated by endpoints and security tooling. While this volume of data is meant to facilitate proper detection, it can be interpreted as noise and actually harm an organization's ability to detect threats. We'll discuss analysis techniques to use PowerShell to filter through some of this noise and engineer the ability to make better decisions based on the data provided.
Advanced detection techniques such as Event Tracing for Windows and deception on endpoints and the network are implemented to provide deep visibility and weaponize existing infrastructure against threat actors. Baselining is layered on top of these techniques to provide an ability to understand normal operating circumstances and identify outliers from that dataset.
Lastly, response techniques driven by PowerShell are enabled by Interactive Notebooks where analysts can combine documentation and executable code with their output. Response techniques meant to maximize visibility can help an operations team better understand if anomalous conditions warrant further containment and investigation. On the other hand, once malicious intent is identified, response techniques focused on containment can be automated to mitigate additional harm.
Exercises
- Event Tracing for Windows (ETW): Become familiar with ETW providers and their usage for detection purposes.
- Baseline Analysis: Build a baseline object that protects integrity while profiling network and user behavior.
- Deception: Implement several deception techniques to identify attacker behavior.
- Response - Visibility: Build automation to more quickly understand the context around an event.
- Response - Containment: Build automation to more quickly contain threats.
Topics
- Analyzing Large Data Sets
- Feeding data to SIEMs and Big Data systems
- Analysis techniques to identify events of interest
- N-Gram analysis for identifying unusual strings
- PowerShell class structure and implementation
- Event Tracing for Windows
- Architecture and Blue Team use cases
- Providers
- Trace sessions
- Packet captures in PowerShell
- ETW tampering and detection
- Baselining
- Converting baseline data to objects and storing them securely
- Baseline creating strategies
- Types of baselines and implementations
- PowerShell-based tools for baselining
- Automating Deception
- Network-deception techniques
- System-deception techniques
- User-deception techniques
- Cloud-deception techniques
- Interactive Notebooks
- Jupyter Notebooks use cases
- PowerShell on Jupyter/.NET Interactive
- Use cases and implementation
- Short-term Response - Visibility
- Network and user-based enumeration
- Enabling deeper auditing as an ad hoc response
- Enrichment of existing data
- Short-term Response - Containment
- Mitigating credential theft impact
- System containment - process and behavior restriction
- Network containment
Prerequisites
- Basic understanding of programming concepts
- Basic understanding of Information Security principles
Laptop Requirements
Important! Bring your own system configured according to these instructions!
We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. You also must have 8 GB of RAM or higher for the virtual machine to function properly in the class.
It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.
In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.
Download and install either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+ on your system prior to the beginning of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
- CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
- RAM: 8 gigabytes of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
- USB 3.0 ports highly recommended
- Disk: 50 gigabytes of free disk space
- Administrative access to disable any host-based firewall
- VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
- A Windows virtual machine will be provided in class
Author Statement
"My Information Security experience has taught me that human analysis is a critical attribute of effective cyber defense. Yet, the very people who are critical to preventing, discovering, and responding to threats are often bogged down with manual work that, while it needs to be done, is done at the expense of more advanced efforts. At the same time, we're facing a critical personnel and skills shortage in Information Security, and many organizations are struggling to fill open positions.
"The immediate answer to these problems, in my opinion, is automation. PowerShell is a cross-platform automation engine that is uniquely positioned for this task. Blue Teams can transform their everyday operations by automating wherever possible. System auditing and hardening tasks can be streamlined via configuration as code and substantial automation, leaving room for professionals to interpret reporting and work on higher-level tasks. Detection and response tasks can also be significantly improved. Data aggregation and analysis can be performed automatically, leaving analysts with pre-filtered data of interest to aid in detection. For response, a pre-built toolkit can enable near real-time response actions such as quarantining systems on the network, interrogating suspicious hosts for more information, capturing artifacts for forensic analysis, or even automatically remediating common issues.
"SEC586 is designed to help teams raise the bar and spend time on what will provide the most value to their organizations. Deep automation alongside capable professionals flips the script and makes organizations a dangerous target for their adversaries."
-Josh Johnson