PowerShell-based automation provides a unique, cross-platform mechanism for improving Blue Teams' speed of execution. This course section begins with a discussion on best practices to ensure code is highly functional, readable, and supportable. Students will leave with a deep understanding of how PowerShell works under the hood, but also with a sense of how to build tools that can be supported by team members less familiar with PowerShell.
This section transitions into taking the fundamentals and executing them at scale. PowerShells remoting capabilities are flexible and nuanced, allowing for fine-tuning of code that needs to be executed against a fleet of systems. This section discusses PowerShell remoting capabilities and how to best use them to accomplish Blue Team use cases, from analysis and triage to response.
Next, a performance section addresses important aspects of PowerShell. Given its object-oriented nature, PowerShell is sometimes criticized for poor performance. However, if you understand the fundamentals, it becomes clear that very simple tweaks can optimize performance and reduce the overhead associated with these critiques. This section discusses optimizing code so that it is efficient both locally and once scaled out to a fleet of systems.
The section continues into building integration with other systems. With modern API-driven orchestration, PowerShell can glue together multiple systems for better troubleshooting, investigation, detection, and response. This understanding can unlock functionality that would not otherwise be possible between disparate systems.
Finally, protection, analysis, triage, and response techniques driven by PowerShell are enabled by Interactive Notebooks where analysts can combine documentation and executable code. Jupyter Notebooks and VS Code's .NET Interactive Notebooks are leveraged to help build PowerShell-based tooling that can be understood and executed by even novice analysts unfamiliar with PowerShell.
- PowerShell Remoting: Understand how to run remote commands in a way that scales, and build a model for secure remote access
- Writing Usable PowerShell: Measure the impact of poorly versus well-written PowerShell, and leverage jobs and runspaces and compare performance
- Integrating Technologies: Build an API-based integration
- Interactive Notebooks: Build a triage notebook using VS Code and Jupyter
- Maximizing readability and reusability of code
- Designing tools with modularity in mind
- Handling unexpected conditions when working at scale
- PowerShell remoting basics and the underlying protocols
- Running remote commands
- Managing remote sessions
- Remoting endpoints/constrained endpoints
- Enabling WinRM-based and cross-platform remoting
- Designing around the double-hop problem
- Coding techniques to maximize PowerShell performance
- Remoting performance tweaks
- Concurrency using native features
- Making HTTP requests
- Handling session tokens
- Non-HTTP based integrations
- Jupyter Notebooks use cases
- PowerShell on Jupyter/.NET Interactive
- Use cases and implementation