SEC586: Blue Team Operations: Defensive PowerShell

  • In Person (6 days)
  • Online
36 CPEs

Are you a Blue Teamer who has been asked to do more with less? Do you wish you could detect and respond at the same pace as your adversaries who are breaking into and moving within the network? SEC586: Blue Team Operations: Defensive PowerShell teaches deep automation and defensive capabilities using PowerShell. Come join us and learn how to automate everything from regular hardening and auditing tasks to advanced defenses. This course will provide you with skills for near real-time detection and response and elevate your defenses to the next level.

What You Will Learn

Effective Blue Teams work to harden infrastructure, minimize time to detection, and enable real-time response to keep pace with modern adversaries. Automation is a key component to facilitate these capabilities, and PowerShell can be the glue that holds together and enables the orchestration of this process across disparate systems and platforms to effectively act as a force multiplier for Blue Teams. This course will enable Information Security professionals to leverage PowerShell to build tooling that hardens systems, hunts for threats, and responds to attacks immediately upon discovery.

PowerShell is uniquely positioned for this task of enabling Blue Teams. It acts as an automation toolset that functions across platforms and it is built on top of the .NET framework for nearly limitless extensibility. SEC586 maximizes the use of PowerShell in an approach based specifically on Blue Team use cases.

Students who take SEC586 will learn:

  • PowerShell scripting fundamentals from the ground up with respect to the capabilities of PowerShell as a defensive toolset
  • Ways to maximize performance of code across dozens, hundreds, or thousands of systems
  • Modern hardening techniques using Infrastructure-as-Code principles
  • How to integrate disparate systems for multi-platform orchestration
  • PowerShell-based detection techniques ranging from Event Tracing for Windows to baseline deviation to deception
  • Response techniques leveraging PowerShell-based automation

This course is meant to be accessible to beginners who are new to the PowerShell scripting language as well as to seasoned veterans looking to round out their skillset. Language fundamentals are covered in-depth, with hands-on labs to enable beginning students to become comfortable with the platform. For skilled PowerShell users who already know the basics, the material is meant to solidify knowledge of the underlying mechanics while providing additional challenges to further this understanding.

The PowerPlay platform built into the lab environment enables practical, hands-on drilling of concepts to ensure understanding, promote creativity, and provide a challenging environment for anyone to build on their existing skillset. PowerPlay consists of challenges and questions mapping back to and extending the course material.

Between the course material and the PowerPlay bonus environment, SEC586 students will leave the course well equipped with the skills to automate everyday cyber defense tasks. You will return to work ready to implement a new set of skills to harden your systems and accelerate your capabilities to more immediately detect and respond to threats.

Syllabus (36 CPEs)

  • Overview

    Even for seasoned PowerShell users, a deep and robust understanding of the language fundamentals can be incredibly powerful for writing more efficient, readable, and usable code. Section 1 of the course focuses on building a solid foundation upon which more complex use cases can then be constructed. With a focus on Blue Team specific functions, we'll frame the discussion around the PowerShell basics in terms that will be immediately useful for students. For example, common data structures are discussed as a fundamental aspect of PowerShell and immediately applied as Blue Team triage and analysis tactics. This base is built from the ground up and accessible to students with no prior scripting experience, but with enough nuance to shed light on the "why does it work this way" question for more seasoned PowerShell users. For professionals already familiar with the basic concepts, PowerPlay offers an interactive, out-of-band challenge system for students to drill various concepts and techniques related to the course material.

    Exercises
    • Hands-on PowerShell: Get comfortable with PowerShell cmdlets, objects, and the pipeline to start making meaningful tools
    • Triage the VM: Quickly understand the state of a system, from networking details to process execution and removable devices
    • Scripting in PowerShell: Leverage an understanding of the language basics to build high-quality tooling that will be supportable by Blue Teams
    • Debugging: Save time and frustration, easily identifying complex bugs in PowerShell through built-in debugging capabilities and Pester tests
    • Source Control: Become familiar with Git concepts to effectively manage version control

    Topics

    Getting to Know PowerShell

    • Background and history
    • Why PowerShell is such a good fit for Blue Teams
    • How to use commands and find them
    • Objects and pipelines as PowerShell differentiators
    • Extending PowerShell with .NET

    Blue Team Use Cases

    • Network inspection
    • Triage at the operating system level
    • File discovery and inspection

    Language Basics

    • Variables, data structures, and flow control
    • Input and output
    • Functions and script blocks

    PowerShell Environment

    • Customizing the console
    • Common development environments

    Debugging

    • Static code analysis
    • Tracing and breakpoints
    • Helpful tools like Pester and PSScriptAnalyzer

    Source Control

    • Git terminology
    • Creating repositories and branches
    • Managing code with pull requests
    • Driving release pipelines from source control

  • Overview

    PowerShell-based automation provides a unique, cross-platform mechanism for improving Blue Teams' speed of execution. This course section begins with a discussion on best practices to ensure code is highly functional, readable, and supportable. Students will leave with a deep understanding of how PowerShell works under the hood, but also with a sense of how to build tools that can be supported by team members less familiar with PowerShell.

    This section transitions into taking the fundamentals and executing them at scale. PowerShell's remoting capabilities are flexible and nuanced, allowing for fine-tuning of code that needs to be executed against a fleet of systems. This section discusses PowerShell remoting capabilities and how to best use them to accomplish Blue Team use cases, from analysis and triage to response.

    Next, a performance section addresses important aspects of PowerShell. Given its object-oriented nature, PowerShell is sometimes criticized for poor performance. However, if you understand the fundamentals, it becomes clear that very simple tweaks can optimize performance and reduce the overhead associated with these critiques. This section discusses optimizing code so that it is efficient both locally and once scaled out to a fleet of systems.

    The section continues into building integration with other systems. With modern API-driven orchestration, PowerShell can glue together multiple systems for better troubleshooting, investigation, detection, and response. This understanding can unlock functionality that would not otherwise be possible between disparate systems.

    Finally, protection, analysis, triage, and response techniques driven by PowerShell are enabled by Interactive Notebooks where analysts can combine documentation and executable code. Jupyter Notebooks and VS Code's .NET Interactive Notebooks are leveraged to help build PowerShell-based tooling that can be understood and executed by even novice analysts unfamiliar with PowerShell.

    Exercises
    • PowerShell Remoting: Understand how to run remote commands in a way that scales, and build a model for secure remote access
    • Writing Usable PowerShell: Measure the impact of poorly versus well-written PowerShell, and leverage jobs and runspaces and compare performance
    • Integrating Technologies: Build an API-based integration
    • Interactive Notebooks: Build a triage notebook using VS Code and Jupyter

    Topics

    Best Practices

    • Maximizing readability and reusability of code
    • Designing tools with modularity in mind
    • Handling unexpected conditions when working at scale

    Remote Management

    • PowerShell remoting basics and the underlying protocols
    • Running remote commands
    • Managing remote sessions
    • Remoting endpoints/constrained endpoints
    • Enabling WinRM-based and cross-platform remoting
    • Designing around the double-hop problem

    PowerShell Performance

    • Coding techniques to maximize PowerShell performance
    • Remoting performance tweaks
    • Concurrency using native features

    Integrations

    • Making HTTP requests
      • Web scraping
      • API calls
    • Authentication
    • Handling session tokens
    • Non-HTTP based integrations

    Interactive Notebooks

    • Jupyter Notebooks use cases
    • PowerShell on Jupyter/.NET Interactive
    • Use cases and implementation

  • Overview

    Now that we have a strong understanding of the fundamentals, this course section focuses on ways to weaponize PowerShell both from an offensive and defensive perspective. The section begins with a focus on offensive PowerShell use cases. Threat actors have long used PowerShell as an attack platform, delivering fileless malware and living off the land using built-in capabilities. The next section turns this discussion around and focuses on the Blue Team aspects of controlling PowerShell execution.

    The section then dives deep into log analysis and data parsing and discovery. The goal is to maximize the utility of native features of operating systems and applications while fully understanding how to find important data. If Blue Teams can identify sensitive data in unexpected locations, those data can be handled or protected properly.

    The section concludes with a discussion of PowerShell as a platform to enable Blue Teams to work within DevOps development practices. As modern development teams transition practices, Blue Teams must adapt. Automation plays an important role in this process, as Blue Teams fight to scale capabilities to match modern development frameworks. PowerShell provides this automation platform and can be the catalyst to enable continuous assurance of critical business services.

    Exercises
    • Offensive PowerShell: Build a fileless keylogger that automatically exfiltrates keystrokes to cloud storage
    • Controlling PowerShell: Analyze the impact of a stronger security posture surrounding PowerShell usage in the enterprise
    • Efficient Log Analysis: Understand how to efficiently analyze and filter Windows events and plaintext log files, and find attacks within sample log files
    • Parsing and Discovery: Build tools to extract important data from unstructured text-based logs and use these same techniques for sensitive data discovery
    • DevOps: Leverage PowerShell as an orchestration engine, building containers for automated web application scanning and identifying potentially compromised containers in the environment

    Topics

    Offensive PowerShell

    • Common tactics used by attackers leveraging PowerShell
    • Fileless implementation techniques
    • .NET utilization by PowerShell-based attack tools

    Controlling PowerShell

    • Limiting attack surface on PowerShell-enabled systems
    • Controlling, not attempting to block, PowerShell in the enterprise
    • Just Enough Administration for enabling secure usage of administrative PowerShell sessions

    Log Analysis

    • Enabling appropriate logging
    • Reading and filtering Windows Event Logs
    • Reading and filtering plaintext logs

    Text Parsing

    • Regular expressions and string operations to enable efficient parsing

    DevOps

    • Automating static and dynamic application security testing
    • Pipeline assurance automation
    • Container interaction, security assessment, and triage

  • Overview

    This course section focuses on better understanding one's own environment, maximizing visibility, and testing defensive capabilities using PowerShell. The section begins with in-depth discussions on hardening infrastructure and maximizing visibility and detection capabilities. For basics such as ensuring that proper access controls exist, the theory is simple, but scaling it in practice with traditional techniques is difficult. With an automation platform like PowerShell, hardening and auditing practices can be scaled with ease, providing consistent assurance.

    Next, Desired State Configuration, PowerShell's configuration-as-code utility, can be used to consistently define and configure infrastructure using PowerShell to help ensure system integrity. Additional hardening techniques are discussed based on maximizing native security functionality.

    The section then turns to measuring visibility and detection capabilities through automated testing techniques that provide a reliable and repeatable means of measuring them. The focus here is to use PowerShell as a testing utility to identify visibility and detection gaps in preventive and detective controls, but also in operational processes.

    Finally, a common challenge faced by Blue Teams is the overwhelming amount of data generated by endpoints and security tooling. While large volume is meant to facilitate proper detection, it can be interpreted as noise and actually harm an organization's ability to detect threats. We'll discuss analysis techniques that use PowerShell to filter through some of this noise and provide the ability to make better decisions based on available data.

    Exercises
    • Advanced Detections: Leverage native functionality to maximize hardening efforts with a focus on enabling efficient detection
    • Desired State Configuration: Leverage DSC to harden a system and turn it into an incident response powerhouse
    • Measuring Visibility with Atomic Red Team: Leverage Atomic Red Team to test and maximize visibility
    • Analyzing Large Data Sets: Quickly make sense of large volumes of data using statistical analysis, and leverage custom PowerShell to create unique PowerShell objects meant to solve specific problems

    Topics

    System Hardening

    • Filesystem and registry controls
    • Management of native endpoint functionality

    Desired State Configuration

    • Benefits of Configuration as Code
    • DSC architecture and deployment options
    • DSC syntax
    • Finding, building, and implementing DSC resources
    • Workflow and use cases

    Know Thyself

    • Understanding operational capabilities
    • Visibility analysis
    • Testing compliance with and the visibility of the CIS Critical Security Controls against MITRE ATT&CK

    Analyzing Large Data Sets

    • Feeding data to SIEMs and Big Data systems
    • Analysis techniques to identify events of interest
    • N-Gram analysis for identifying unusual strings
    • PowerShell class structure and implementation

  • Overview

    With hardening and protection mechanisms now having been covered, this course section focuses entirely on detection and response strategies enabled by PowerShell automation.

    Advanced detection techniques such as Event Tracing for Windows and deception on endpoints and the network are implemented to provide deep visibility and weaponize existing infrastructure against threat actors. These techniques can be automated at scale to turn a "normal" enterprise network into a minefield, providing deep visibility to Blue Teams while forcing an attacker to work even more slowly and methodically to evade detection.

    Baselining is layered on top of these techniques to provide an ability to understand normal operating circumstances and identify outliers from that dataset. Baseline deviation detection and file integrity monitoring techniques are implemented in a way that is supportable at scale and, of course, automated using PowerShell.

    The course section concludes by covering response techniques meant to maximize visibility and help an operations team better understand if anomalous conditions warrant further containment and investigation. Once malicious intent is identified, response techniques focused on containment can be automated to mitigate additional harm. Layering these response techniques inside of automation playbooks can ensure proper response, containing threats but also enabling teams to quickly identify false positives and avoid unnecessary end-user friction and business impact.

    Exercises
    • Event Tracing for Windows: Become familiar with ETW providers and their use for detection purposes
    • Baseline Analysis: Build a baseline object that protects integrity while profiling network and user behavior
    • Deception: Implement several deception techniques to identify attacker behavior
    • Response - Visibility: Build automation to more quickly understand context around an event
    • Response - Containment: Build automation to more quickly contain threats

    Topics

    Event Tracing for Windows

    • Architecture and Blue Team use cases
    • Providers
    • Trace sessions
    • Packet captures in PowerShell
    • ETW tampering and detection

    Baselining

    • Converting baseline data to objects and storing them securely
    • Strategies to create baselines
    • Types of baselines and implementations
    • PowerShell-based tools for baselining

    Automating Deception

    • Network deception techniques
    • System deception techniques
    • User deception techniques
    • Cloud deception techniques

    Short-term Response - Visibility

    • Network and user-based enumeration
    • Enabling deeper auditing as an ad hoc response
    • Enrichment of existing data

    Short-term Response - Containment

    • Mitigating credential theft impact
    • System containment: process and behavior restriction
    • Network containment

  • Overview

    The final section of SEC586 focuses entirely on hands-on application of the skills built throughout the week. Working in teams, each group must solve challenges ranging from log analysis to containment tactics. Several different challenges with increasing levels of difficulty will require groups to work together, mastering PowerShell from the perspective of Blue Team workloads, and providing a safe environment to work with PowerShell while under pressure. Challenges will ensure a deep understanding of the concepts covered throughout SEC586 while offering a fun and competitive platform to test and further build these skills.

Prerequisites

  • Basic understanding of programming concepts
  • Basic understanding of Information Security principles

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. You also must have 8 GB of RAM or higher for the virtual machine to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Download and install either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+ on your system prior to the beginning of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

  • CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
  • BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
  • RAM: 8 gigabytes of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
  • USB 3.0 ports highly recommended
  • Disk: 50 gigabytes of free disk space
  • Administrative access to disable any host-based firewall
  • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+
  • A Windows virtual machine will be provided in class

Author Statement

"My Information Security experience has taught me that human analysis is a critical attribute of effective cyber defense. Yet, the very people who are critical to preventing, discovering, and responding to threats are often bogged down with manual work that, while it needs to be done, is done at the expense of more advanced efforts. At the same time, we're facing a critical personnel and skills shortage in Information Security, and many organizations are struggling to fill open positions.

The immediate answer to these problems is automation. PowerShell is a cross-platform automation engine that is uniquely positioned for this task. Blue Teams can transform their everyday operations by automating wherever possible. System auditing and hardening tasks can be streamlined via configuration as code and substantial automation, leaving room for professionals to interpret reporting and work on higher-level tasks. Detection and response tasks can also be significantly improved. Data aggregation and analysis can be performed automatically, leaving analysts with pre-filtered data of interest to aid in detection. For response, a pre-built toolkit can enable near real-time response actions such as quarantining systems on the network, interrogating suspicious hosts for more information, capturing artifacts for forensic analysis, or even automatically remediating common issues.

SEC586 is designed to help teams raise the bar and spend time on what will provide the most value to their organizations. Deep automation alongside capable professionals flips the script and makes organizations a dangerous target for their adversaries."

- Josh Johnson
