Join us for in-depth talks, exclusive networking, and world-class training at Security Awareness Summit Dec 1-4!

SANS 2020 - Live Online

Virtual, US Eastern | Fri, Apr 3 - Fri, Apr 10, 2020

SEC505: Securing Windows and PowerShell Automation New

Sun, April 5 - Fri, April 10, 2020

Associated Certification: GIAC Certified Windows Security Administrator (GCWN)


In SEC505 you will learn how to:

  • Write PowerShell scripts for Windows and Active Directory security automation
  • Safely run PowerShell scripts on thousands of hosts over the network
  • Defend against PowerShell malware such as ransomware
  • Harden Windows Server and Windows 10 against skilled attackers

In particular, we will use PowerShell to secure Windows against many of the attacks described in the MITRE ATT&CK matrix, especially stolen administrative credentials, ransomware, hacker lateral movement inside the LAN, and insecure Windows protocols such as Remote Desktop Protocol (RDP) and Server Message Block (SMB).

You will leave this course ready to start writing your own PowerShell scripts to help secure your Windows environment. It's easy to find Windows security checklists, but how do you automate those changes across thousands of machines? How do you safely run scripts on many remote boxes? In this course you will learn not just Windows and Active Directory security, but how to manage security using PowerShell.


There is another reason why PowerShell has become popular: it's just plain fun! You will be surprised at how much you can accomplish with PowerShell in a short period of time - it's much more than just a scripting language, and you don't have to be a coding guru to get going.

Learning PowerShell is also useful for another kind of security: job security. Employers are looking for IT people with PowerShell skills. You don't have to know any PowerShell to attend this course, we will learn it together during the labs.

You can learn basic PowerShell syntax on YouTube for free, but SEC505 goes far beyond syntax. In this course you will learn how to use PowerShell as a platform for managing security, as a "force multiplier" for the Blue Team, and as a rocket booster for your Windows IT career.


Unfortunately, PowerShell is being abused by hackers and malware authors. On the last day of the course, we will write our own ransomware script to see how to defend against such scripts.

This is a fun course and a real eye-opener, even for Windows administrators with years of experience. Come have fun learning PowerShell and Windows security at the same time. While SEC505 has had at least one day of PowerShell for more than 10 years, PowerShell is now the centerpiece of the course.

The course author, Jason Fossen, is a SANS Institute Fellow and has been writing and teaching for SANS since 1998.

Topic Highlights

  • PowerShell scripting of Windows Management Instrumentation (WMI)
  • PowerShell remote command execution
  • PowerShell Core with OpenSSH
  • PowerShell Just Enough Admin (JEA)
  • PowerShell scripting of Active Directory
  • PowerShell scripts to replace Microsoft LAPS
  • PowerShell Certificate Authentication, such as with YubiKeys
  • PowerShell hardening of Kerberos, DNS, TLS, RDP, and SMB
  • PowerShell malware and lateral movement inside the LAN
  • PowerShell ransomware - too easy, all too easy!

Course Syllabus

Jason Fossen
Sun Apr 5th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


The first section of the course covers what you need to know to get started using PowerShell. You don't need to have any prior scripting or programming experience. We have PowerShell labs throughout the week, so today is not the only PowerShell material. We start with the essentials, then go more in-depth as the week progresses. Don't worry, you won't be left behind, the PowerShell labs walk you through every step. If you already have PowerShell experience, then there will also be intermediate topics for you.

Most of the labs during the course are PowerShell, while the rest use graphical security tools only when necessary, such as when there is no PowerShell equivalent.

PowerShell Core is different than Windows PowerShell. PowerShell Core is the new, cross-platform version of PowerShell for Windows, Linux, and macOS. The full source code of PowerShell Core is in GitHub. PowerShell Core has built-in integration with OpenSSH. We will use both Windows PowerShell and PowerShell Core in this course.

As more of our systems move up to the cloud, PowerShell will become even more important. Amazon Web Services, Microsoft Azure, Office 365, Hyper-V, and VMware already support PowerShell administration for many tasks. Learning PowerShell is good for managing network security, and it's also good for job security because enterprises need professionals with these skills.

Your course USB drive will include over 200 PowerShell scripts written by the course author. All the PowerShell code shown in the manuals during the week will be on your USB drive. All the scripts are in the public domain for your personal or business use without restriction.

CPE/CMU Credits: 6


PowerShell IS Dangerous (and Fun)

  • PowerShell is like simplified C#
  • Piping .NET and COM objects, not text
  • The backbone of Windows and Azure automation
  • Graphical admin tools wrapped around PowerShell
  • Built-in remote script execution

Writing Your Own Scripts, Functions, and Modules

  • Passing arguments into your scripts
  • Cmdlets, functions, and aliases in your profile script
  • Flow control: if-then, do-while, foreach, switch
  • The .NET Framework class library: a vast playground
  • How to pipe data in/out of your scripts
  • How to create your own module script

Up and Running Quickly with PowerShell

  • Capturing the output of commands
  • Parsing text files and logs with regex patterns
  • Mounting the registry as a drive
  • Importing third-party modules and functions

Piping Objects Instead of Text

  • Classes, objects, properties, and methods
  • An array of objects is like a table of SQL records
  • Extracting just the properties you want
  • Exporting objects to CSV, HTML, XML, and JSON files
  • Filtering, sorting, and grouping objects (not text)

Jason Fossen
Mon Apr 6th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


How can we run PowerShell scripts on thousands of systems with just a few lines of code? Today's class is about remote command execution using PowerShell Remoting, the Secure Shell (SSH) service on Windows, the Task Scheduler service, and boot-up scripts assigned through Group Policy.

OpenSSH is not just for Linux. Windows now has built-in support for SSH as both a client and server. PowerShell Core has native support for SSH too. You don't need PuTTY anymore.

PowerShell Remoting is encrypted remote command execution of PowerShell scripts in a way that can scale to thousands of workstations and servers. It is vastly better than PSEXEC.EXE. Remoting traffic can be encrypted with SSL/TLS, IPsec or SSH, and authenticated with a smart card or YubiKey.

But power is always a double-edged sword. PowerShell Remoting can be abused by ransomware and hackers. Can we limit which groups use PowerShell Remoting and restrict the commands each group is permitted to run? Yes, it's called Just Enough Admin (JEA) for PowerShell. JEA allows non-admin users to remotely execute commands with administrative privileges, but without exposing any administrative credentials to them (kind of like setuid root on Linux). With JEA, all PowerShell commands are blocked by default except for those commands you explicitly allow. Graphical applications, such as Microsoft's Windows Admin Center (WAC) web application, can also be built on top of PowerShell JEA.

While PowerShell Remoting and SSH are great, they still don't scale enough. If you need to run dozens of PowerShell scripts on tens of thousands of hosts every night (or every hour), then you need the Task Scheduler service. The built-in Task Scheduler service can be remotely managed through PowerShell and Group Policy. Ransomware often uses the Task Scheduler as well. We will see how to run scheduled PowerShell scripts with elevated privileges while protecting administrative credentials.

You might already be familiar with Group Policy, but today's course emphasizes the PowerShell capabilities of Group Policy. We can use Group Policy to push out PowerShell scripts to thousands of hosts and have the scripts executed hands-free, even if no one is logged on. These scripts can then return data back to us through shared folders, syslog packets, or SIEM logging.

Today's PowerShell remote command execution material is often shocking to administrators. The potential for both good and evil is enormous!

CPE/CMU Credits: 6


PowerShell Remoting

  • Remote command shells with PowerShell
  • Smart card and YubiKey authentication
  • Using SSL/TLS, SSH or IPsec to encrypt traffic
  • Remote command execution in scheduled tasks
  • File upload and download using the PowerShell Remoting protocol
  • Graphical apps can use PowerShell remoting too

OpenSSH on Windows

  • Can Windows be an SSH server? Yes!
  • OpenSSH support is now built into Windows
  • PowerShell Core integration with SSH
  • Hardening SSH for Internet use
  • Key-based SSH authentication and password managers

PowerShell Just Enough Admin (JEA)

  • JEA is like setuid root on Linux
  • Restricting PowerShell commands and arguments
  • Verbose transcription logging of commands
  • How to set up and configure JEA
  • JEA for Privileged Access Workstations

PowerShell, Group Policy, and the Task Scheduler

  • Deploying PowerShell startup and logon scripts
  • Group Policy scheduled tasks to run PowerShell scripts
  • The Task Scheduler service and admin credentials
  • WMI item-level targeting of PowerShell scripts

Jason Fossen
Tue Apr 7th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


PowerShell is deeply integrated into the Windows Management Instrumentation (WMI) service. Many PowerShell commands are just wrappers for WMI functions. Hackers love the WMI service too, but for the wrong reasons.

The WMI service is enabled by default and accessible over the network. With our PowerShell WMI scripts we can remotely execute commands, reboot machines, forcibly log users off, kill processes, and much more. Today, we will see how to do all this. WMI scripting is a bit difficult, but we'll go through all the strange namespaces and classes together.

Today we will also use PowerShell to search, manage, and secure Active Directory. With PowerShell we can find abandoned user accounts and disable them. We can enforce our desired group memberships with scheduled scripts. We can reset passwords on thousands of user accounts. And when hackers are brute-forcing passwords, our PowerShell scripts can find the accounts being targeted. Of course, malicious insiders can do much of the same, such as with the Bloodhound tool, so how can we restrict what users can see or change?

Every object in Active Directory has permissions and audit settings. Instead of simply adding everyone in the IT department to the Domain Admins group, we can more precisely delegate authority at the organizational unit level. Whether using PowerShell or graphical tools, these Active Directory permissions are always enforced by the domain controller.

Don't use Microsoft LAPS! There are better ways to protect admin passwords. We can use PowerShell to manage domain accounts in Active Directory, but we can also use PowerShell to manage local admin accounts and passwords on servers and workstations in a way that is better than Microsoft LAPS. Today we will do a better-than-LAPS PowerShell lab, and you're welcome to use these scripts instead of LAPS on your networks after the conference.

Is PowerShell only for scripts and command shells? No! Windows Admin Center (WAC) is a free Microsoft web application for remote administration with your web browser. WAC uses both WMI and PowerShell Remoting under the hood. It's a great example of how Microsoft is wrapping PowerShell with graphical tools to manage machines both on-premises and in Azure. We will install WAC and see the PowerShell functions it exposes.

CPE/CMU Credits: 6


PowerShell for WMI

  • What is WMI and why do hackers abuse it so much?
  • Remote command execution through WMI
  • Using PowerShell to query WMI namespaces and classes
  • WMI service authentication and traffic encryption
  • Gathering reconnaissance data from remote systems
  • Microsoft Windows Admin Center web application
  • WMI logging for hacker and malware visibility

PowerShell for Active Directory

  • Querying and managing Active Directory with PowerShell
  • Enforcing desired Domain Admins group membership
  • Disabling abandoned user accounts and resetting passwords
  • Detecting password brute-force attacks
  • Searching organizational units using filter criteria
  • ADSI Edit and other helper tools for PowerShell
  • Active Directory Administrative Center

Active Directory Permissions and Auditing

  • Active Directory objects have permissions
  • Active Directory objects have auditing
  • Limit what PowerShell scripts can do in Active Directory
  • Log what PowerShell scripts are doing in Active Directory
  • Delegate authority at the organizational unit level instead
  • Designing Active Directory for the inevitable breach

Jason Fossen
Wed Apr 8th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


Today we will use PowerShell and Group Policy to automate the hardening of many exploitable services and protocols, such as Kerberos, Domain Name System (DNS), Remote Desktop Protocol (RDP), and file and printer sharing (using SMB). Think of Kerberos Golden Tickets, DNS response spoofing, the Bluekeep RDP attack, the EternalBlue/WannaCry SMB worm, and other attacks.

PowerShell is the primary tool for configuring and hardening Windows Server, Server Core, and Server Nano, especially when hosted in Azure or Amazon Web Services. Today we will see how to use PowerShell to install roles, manage services, apply Group Policy Objects to stand-alone servers (yes, that is possible), and accomplish other security tasks. Along the way, we will learn new PowerShell techniques as well.

Host-based firewalls can block the lateral movement of hackers inside the LAN and the outbound connections of malware as that malware "beacons" or "phones home." On mobile devices, we must do host-based packet filtering because mobile devices roam outside the LAN where the perimeter firewall cannot protect them. The trick is being able to apply different sets of firewall rules to different sets of machines in a scalable, repeatable, and automated way. This is what we will do with PowerShell and the built-in Windows Firewall.

IPsec is not just for Virtual Private Networks (VPNs)! In fact, we won't discuss VPNs at all today. The built-in Windows IPsec driver can authenticate users in Active Directory in order to implement share permissions for our TCP/UDP listening ports based on our users' global group memberships in Active Directory. Imagine using a PowerShell script to configure the Windows Firewall on your workstations and servers to only permit access to their RPC, RDP, or SMB ports if (1) the remote computer is pre-authenticated by IPsec to be a member of the domain, (2) the user is pre-authenticated to be a member of the Domain Admins group, (3) the packets are all encrypted with 256-bit AES, and (4) the client has an IP address from an authorized subnet. This is not only possible, today's course will show you exactly how to do it with PowerShell!

CPE/CMU Credits: 6


Server Hardening Automation for DevOps

  • Replacing Server Manager with PowerShell
  • Adding and removing roles and features
  • Remotely gathering an inventory of roles and features
  • Why use Server Nano or Server Core?
  • Running PowerShell automatically after service failure
  • Service account identities, passwords, and risks
  • Tools to reset service account passwords securely

Windows Firewall Scripting

  • PowerShell management of Windows Firewall rules
  • Blocking malware outbound connections
  • Role-based access control for listening ports
  • Deep IPsec integration for user authentication
  • Firewall logging to the event logs, not to text logs

Share Permissions for TCP/UDP Listening Ports with IPsec

  • PowerShell management of IPsec rules
  • IPsec for blocking post-exploitation lateral movement
  • Limiting access to ports based on global group membership
  • IPsec-based encrypted VLANs
  • IPsec is not just for VPNs!

Exploitable Protocols and Services

  • Kerberos Tickets
  • Remote Desktop Protocol attacks
  • SMBv3 native encryption vs. Wireshark
  • NTLM, NTLMv2, and Kerberos
  • DNS sinkholes for malware and threat detection
  • DNS Denial of Service attacks and response rate limiting

Jason Fossen
Thu Apr 9th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


Smart cards and smart tokens, such as YubiKeys, are the gold standard for multi-factor authentication. Today we will use PowerShell to install a certificate server that can be used to deploy smart cards and smart USB tokens. Smart cards and tokens can be used for PowerShell Remoting, signing PowerShell scripts, Remote Desktop Protocol (RDP) logons, User Account Control (UAC), ASP.NET web application logons, and more.

Everything you need to roll out a full smart card/token solution for your administrators is included with Windows, except for the cards and tokens themselves. PowerShell and Group Policy make it relatively easy.

If you have a Trusted Platform Module (TPM) chip in your laptop or tablet, the TPM can also be used as a built-in smart card. TPM-based smart cards are invisible to users, requiring little or no training, similar to the security processors in Apple iPhones. TPMs also protect biometric data, encrypt BitLocker keys, and help to enhance Windows 10 Credential Guard.

PowerShell Remoting network traffic can be encrypted with SSL/TLS. The target server is authenticated with its certificate, just like a web server using HTTPS. The user can be authenticated with his or her certificate too, preferably stored on a smart card or token. Today we will configure PowerShell Remoting to use SSL/TLS and require a smart card or token from the user. These same certificates and smart cards can be used for RDP too.

Your organization will need certificates for many other purposes. In today's course we will sign PowerShell scripts, install an Online Certificate Status Protocol (OCSP) responder for revocation checking, configure auto-enrollment for hands-free certificate installation and renewals, use PowerShell to audit and manage trusted root Certificate Authentication on endpoints, and more.

CPE/CMU Credits: 6


Certificate Authentication and TLS Encryption for PowerShell

  • Certificates for smart card authentication of PowerShell remoting
  • Certificates for TLS encryption of PowerShell remoting
  • Certificates to sign PowerShell scripts for AppLocker
  • Certificates for TLS encryption of WMI queries with PowerShell
  • Certificates to encrypt admin passwords (instead of LAPS)
  • Certificates for web servers, domain controllers, and everything else

Install a Windows Certificate Server with PowerShell

  • PowerShell installation script for Public Key Infrastructure (PKI)
  • Managing digital certificates with PowerShell
  • Custom certificate templates in Active Directory
  • Controlling certificate auto-enrollment
  • Setting up an OCSP responder web farm
  • Configuring Certificate Revocation List publication

Deploying Smart Cards, Smart Tokens, and TPM Virtual Smart Cards

  • The gold standard for multi-factor authentication is a smart card/token
  • YubiKey smart tokens for logon, PowerShell remoting, and much more
  • TPM virtual smart cards
  • Safely enroll tokens and cards on behalf of other users
  • How to revoke compromised certificates
  • PowerShell script to audit trusted root Certificate Authentication
  • PowerShell script to delete hacker certificates

Security Best Practices

  • Protect the private keys of your certificates from malware
  • How to use PKI smart cards and smart tokens
  • How to encrypt private keys on the hard drive
  • Hardware Security Module for Certificate Authentication
  • How to digitally sign PowerShell scripts
  • SSL is dead, long live TLS
  • TLS cipher suite optimization

Jason Fossen
Fri Apr 10th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


On the final course day we will write a PowerShell ransomware script and unleash it inside our training Virtual Machine (don't release it into the wild, you'll go to federal prison). The purpose of this ethical hacking is to discuss defenses against this kind of PowerShell abuse.

How can we secure PowerShell itself? PowerShell is not a single tool. There is no one registry value or patch to magically make PowerShell "secure," but there is a lot we can do. Today we will cover many defensive techniques to prevent future compromises, reduce the harm we suffer after a compromise, and gain visibility into PowerShell malicious activity for the sake of forensics, incident response, and threat hunting.

Because we want to automate our hardening work, we will also roll our defensive changes into a DevOps PowerShell script for building new servers or workstations, including all the networking settings. This will be a nice capstone to pull together all the PowerShell material from the prior days of the course. The aim is to be able to reconfigure a Windows machine with as little manual labor as possible. When in doubt about whether a computer has been infected with malware, we should be able to "nuke it from orbit" by rebuilding that machine from scratch.

Most importantly, we must prevent PowerShell malware from acquiring administrative credentials. Malware can scrape credentials out of memory for privilege escalation and lateral movement to other machines, such as with pass-the-hash and Kerberos Golden Ticket attacks. Once ransomware steals the credentials of a Domain Admin, it's GAME OVER.

To help defend against pass-the-hash attacks and token abuse, we will cover LSASS memory protections, Credential Guard, Remote Credential Guard, restricting network logon rights, User Account Control (UAC), RDP Restricted Admin Mode, Windows Hello Biometrics, and more. All these settings can be applied or audited with PowerShell scripts.

From a defender's perspective, PowerShell is great. As opposed to C++ hacker tools, we want our adversaries to use PowerShell. PowerShell transcription logging gives us deep visibility into the tactics of our adversaries. There is a special Anti-Virus Scanning Interface for examining PowerShell malware in memory, even when that malware is obfuscated. We can lock down PowerShell remoting using Just Enough Admin (JEA) sandboxes and enforce AppLocker rules to restrict PowerShell execution.

CPE/CMU Credits: 6


PowerShell Ransomware

  • Ransomware, cyber insurance, and the economics of extortion
  • We will write a PowerShell ransomware script in a lab
  • What can be done to combat ransomware?

Anti-Exploitation Defenses for PowerShell

  • AppLocker for PowerShell
  • Scripting AppLocker with PowerShell
  • PowerShell execution policy
  • PowerShell constrained language mode
  • Anti-Malware Scan Interface
  • Restricting network access to block pivoting
  • Hashing scripts for change detection
  • How to digitally sign our PowerShell scripts
  • The Principle of (Endpoint) Least Privilege
  • Prevent Domain Admin credential theft at all costs!
  • Windows 10 Credential Guard
  • UAC instead of RUNAS.EXE

PowerShell Visibility AND Detection

  • PowerShell transcription logging
  • WMI namespace auditing
  • Windows Event Log audit policies
  • Querying Windows Event Logs with PowerShell

Capstone: DevOps Automation with PowerShell

  • The week in review: putting it all together with PowerShell
  • How to write an all-in-one build script with Operating System hardening
  • PowerShell for roles, features, networking, policies, etc.
  • The future of IT administration is automation
  • We will all need to be "full stack engineers" soon

Additional Information

Please bring the following items with you when you attend SEC505, and carry out the following tasks prior to start of the course:

  • Bring a laptop with 8GB or more of memory and a USB port, with any operating system you prefer.
  • Install your favorite virtualization software (such as VMware Workstation, Hyper-V, VirtualBox, QEMU+KVM, or Parallels) for creating and running virtual machines. For VMware, please use Workstation, not Player. If you are uncertain which to use, try VirtualBox, it's free.
  • Download the free, evaluation version of Windows Server 2019 from Microsoft. This ISO file is free and does not require a license number. Just click on windows server trial eval to find the ISO download on Microsoft's website.
  • Install a Virtual Machine (VM) running the free evaluation version of Windows Server 2019. When you install the Windows Server VM, choose the option for "Windows Server 2019 Datacenter Evaluation (Desktop Experience)." No other special OS configuration is required; just accept all the defaults during installation. If you have any setup questions, please contact SANS at for friendly help.

Do not apply patches or updates to the Windows Server VM.

Please install your Windows Server VM before you arrive, not on the morning of the training. This will ensure that there are no firmware issues or other problems with creating VMs.

Please don'' let your IT department spoil your training experience by giving you a ""oaner laptop" that is too slow or locked down. You must have administrative privileges on the laptop, be able to create VMs, and be allowed to copy files from a USB flash drive.

Setup Questions?

If you have questions about the laptop or VM setup, please contact We are here to help!

What does the "Desktop Experience" option look like when installing Windows Server?

You will see the screen below after you've booted your VM from the Windows Server installation ISO file. Choose the "Desktop Experience" option at the bottom of the list for Windows Server 2019 Datacenter.

Where can I get the free evaluation version of Windows Server 2019?

You can download a free version of Windows Server 2019 from Microsoft as an ISO image file (an ISO file is an exported copy of a CD/DVD disk). Just click on windows server trial eval to find the download link to the ISO file on Microsoft's website. No license number is required.

Bring the ISO file with you on your hard drive when you attend the course.

VMware Workstation prompts me for a license number or I get a license error message! What should I do?

Make sure you have the evaluation version of Windows Server, not the retail version.

When creating the Virtual Machine in VMWare Workstation, it is best to choose the option that says "I will install the operating system later" and then provide the path to the ISO file for Windows Server after the VM has been created, not during the initial creation.

After the VM has been created, go to the Settings of that VM and provide the path to the source ISO file. Now, when you start the VM, there should be no evaluation licensing problems. Contact SANS at for friendly help.

Why doesn't SANS just provide attendees with a pre-built virtual machine?

We would if we could! Microsoft does not allow us to redistribute evaluation versions of Windows Server virtual machines, even though the ISO download is free and does not require a license number.

Also, we want you to have your own local VM to take back home with you so that you will not be dependent on Internet access or any other virtualized lab environment.

I have more questions!

If you have any questions about the laptop requirements or Virtual Machine setup, please contact We are here to help!

If you have additional questions about the laptop specifications, please contact

  • Anyone who wants to learn PowerShell automation
  • "Ops" personnel in SecOps/DevOps
  • Blue Team players who were terrified by SEC504
  • Windows endpoint and server administrators
  • Anyone implementing the CIS Critical Security Controls
  • Anyone implementing the MITRE ATT&CK mitigations
  • A general familiarity with Windows Server and Active Directory concepts is presumed, but you do not have to be an expert.
  • You should be comfortable opening a command shell and running scripts with arguments.
  • Prior PowerShell scripting experience is not required. We will learn the essentials of PowerShell coding together.

Related Courses Students Have Taken

SEC401: Security Essentials Bootcamp Style provides a foundation in the essential Windows and Active Directory concepts necessary for this course.

SEC566: Implementing and Auditing the Critical Security Controls presents the overall framework that this course applies to Windows and Active Directory.

SEC504: Hacker Tools, Techniques, Exploits and Incident Handling presents the hacker's perspective, whereas SEC505 examines how to defend against or mitigate many of the Windows attacks described in SEC504. SEC505 is like the defense-only mirror image of SEC504 as it relates to Windows and Active Directory.

  • A USB flash drive with over 200 PowerShell scripts written by the course author, plus security templates and other tools used in the labs.
  • A set of SEC505 manuals that are much more than just slides with some sparse notes. The manuals are written as textbooks with screenshots, lab exercises, and more. In general, SEC505 attendees rarely need to take hand-written notes during seminar, the notes are already in the books.
  • When bundled with the GCWN certification exam, audio recordings of the entire course that you can take with you when the course is over.
  • Write PowerShell scripts for security automation.
  • Execute PowerShell scripts on remote systems.
  • Harden PowerShell itself against abuse, and enable transcription logging for your SIEM.
  • Use PowerShell to access the WMI service for remote command execution, searching event logs, reconnaissance, and more.
  • Use Group Policy and PowerShell to grant administrative privileges in a way that reduces the harm if an attack succeeds (assume breach).
  • Block the lateral movement of hackers and ransomware using Windows Firewall, IPsec, DNS sinkholes, admin credential protections, and more.
  • Prevent exploitation using AppLocker and other Windows OS hardening techniques in a scalable way with PowerShell.
  • Configure PowerShell remoting to use Just Enough Admin (JEA) policies to create a Windows version of Linux sudo and setuid root.
  • Configure mitigations against pass-the-hash attacks, Kerberos Golden Tickets, Remote Desktop Protocol (RDP) man-in-the-middle attacks, Security Access Token abuse, and other attacks discussed in SEC504 and other SANS hacking courses.
  • Install and manage a full Windows Public Key Infrastructure (PKI), including smart cards, certificate auto-enrollment, Online Certificate Status Protocol (OCSP) web responders, and detection of spoofed root Certificate Authentications (CAs).
  • Harden essential protocols against exploitation, such as SSL, RDP, DNS, PowerShell Remoting, and SMB.

"SEC505 is the gold standard of Windows security training." - Alexander Kotkov, EY

"The best Windows Security course I've attended in 25 years of administering Windows environments. Every time I pick up one of my GCWN books, I learn something new that's immediately applicable to my current situation. A must-have course for any system administrator who is serious about securing their environment." - Armond Rouillard, NES Associates, U.S. Army (retired)

"The SEC505 course content is on point with projects I am currently working on to improve our Windows security posture. The lessons learned will help me achieve my project goals with a high degree of confidence and quality." - Anthony DeVoto, EY

"Home run hit for modern Windows security." - Russ Gritto, ERG

"I loved the course, when I return to the office I am recommending it to the rest of my team." - Alex Fox, Federal Home Loan Bank Chicago

"Invaluable! Every day was directly pertinent to what we are doing at work. I wish I had taken this course many years ago." - Jerry Sanchez, Southwest Research Institute

"Every lesson provides information I can immediately use at work when I return." - Dan Fleischer, MiTek Industries

"It's nice to see Windows training that isn't 'controlled' by Microsoft." - Rich Wessler, West Virginia University

"If you think you know Windows, take this Windows security class - your review of your own skills and understanding will be challenged, for the better!!" - Matthew Stoeckle, Nebraska Public Power District

Author Statement

"The courses I write for SANS are always guided by two questions: (1) What do administrators need to know to secure their networks? and (2) What should administrators learn to advance their careers as IT professionals? I am neither a Microsoft employee nor a Microsoft basher, so you will not get either kind of propaganda here. My concern is with the health of your network and your career. As a security consultant, I have seen it all (good, bad, and ugly), and my experience goes into the manuals I write for SANS and the stories I tell in seminar. The Securing Windows and PowerShell Automation course is packed with interesting and useful advice that is hard to find on the Internet. We always have a good time, so I hope to meet you at the next training event!"

- Jason Fossen, SANS Faculty Fellow (@JasonFossen)