Learning to ATT&CK and Defend with PowerShell

Understanding How PowerShell May Be Used to Perform Various Attacks, and How to Identify Them in Your Environment

2.75 (2 reviews)
Network & Security
1.5 hours
Last update: Jan 2021

What you will learn

How to use PowerShell from the perspective of an attacker (a low-sophistication one at that).

The ability to set up and implement PowerShell logging and monitoring within a Windows environment.

Understanding how to use the logging and security mechanisms Windows already provides.

Learn the basics of offensive PowerShell use so that you may develop your skills in areas you desire on your own.


As Sun Tzu said: "Know thy enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle."

This course aims to teach basic offensive tactical concepts, using PowerShell to do so.

  1. Know your adversary. Become familiar with what options are available to an attacker with the ability to execute PowerShell.

    1. The MITRE ATT&CK framework is used as a vehicle to categorize and contextualize the various tactics and techniques performed by adversaries.

  2. Know yourself and your environment by knowing what options are available for identifying PowerShell execution within your environment.

    1. After having seen various offensive tactics, see how these tactics can be detected and monitored within a Windows environment, using only tooling native to Windows.

  3. To be clear, the only way to completely disable PowerShell is through application whitelisting (AppLocker or Windows Defender Application Control), and even then the policy must cover System.Management.Automation.dll, not just powershell.exe, because any process can host the engine. As such, I recommend focusing your efforts on detection.

The expected learning outcomes for this course are as follows:

  1. Gain a medium-to-high-level understanding of how PowerShell execution occurs on Windows systems in relation to offensive and defensive techniques.

  2. Gain the ability and understanding of how to use PowerShell to perform the various portions of an Attack Lifecycle.

  3. Gain the ability and understanding of detecting and mitigating PowerShell Execution from the position of a defender.

    By the end of the course, one should be able to describe how an attacker may use PowerShell to compromise an organization, as well as being able to explain and implement defenses against such attacks and attackers.

This course specifically covers the following techniques and tactics:

How is PowerShell executed on a Windows system? (What happens behind the scenes to make PowerShell work?)

How to execute native Windows commands and programs using PowerShell;

Download Cradles, and how they can be used;

Injecting an executable binary into memory and then executing it using PowerShell;

Creating a persistence mechanism using PowerShell Profiles;

Performing Privilege Escalation through Windows service abuse using PowerShell;

Performing Host-based reconnaissance using PowerShell;

Performing Network-based reconnaissance using PowerShell;

Looking for credentials in files, in Windows Credential Manager, and in process memory using PowerShell; (in progress)

Using PowerShell Remoting (PSRemoting) to log in remotely to a Windows machine from a non-domain-joined Linux machine;

Using PowerShell to exfiltrate data over the network using TCP, UDP, HTTP and other protocols; (in progress)

How to identify the above attacks, and how to enable the native Windows logging mechanisms needed to track them.
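
As an added illustration of the unquoted service path technique listed above (this is an example written for this page, not material from the course), the following PowerShell enumerates services whose binary path is unquoted and contains spaces, works out the candidate paths the Service Control Manager will try before the real one, and probes which of those the current user can write to. Everything except the probe is read-only; the probe creates and immediately deletes an empty, randomly named file. The function name is my own.

```powershell
# Added example: find unquoted service paths and the hijack points a
# low-privileged user could write to. Run as the user you want to test.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' }

    foreach ($svc in $services) {
        if ($svc.PathName -notmatch '\.exe') { continue }

        # Strip arguments: the binary path ends at the first ".exe" token.
        $exePath = ($svc.PathName -split '\.exe', 2)[0] + '.exe'
        if ($exePath -notmatch ' ') { continue }   # no spaces, nothing to hijack

        # The Service Control Manager tries each prefix up to a space, in order:
        # C:\Program.exe, then C:\Program Files\Some.exe, and so on.
        $candidates = @()
        $parts = $exePath -split ' '
        for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            $prefix = $parts[0..$i] -join ' '
            $candidates += "$prefix.exe"
        }

        $writable = foreach ($c in $candidates) {
            $dir = Split-Path -Parent $c
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            # Probe write access the way an attacker would: create and delete
            # a zero-byte file with a random name.
            $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
            try {
                [IO.File]::WriteAllBytes($probe, [byte[]]@())
                Remove-Item -LiteralPath $probe -Force
                $c
            } catch { }
        }

        [pscustomobject]@{
            Name         = $svc.Name
            StartMode    = $svc.StartMode
            RunAs        = $svc.StartName
            ImagePath    = $svc.PathName
            HijackPoints = $writable
        }
    }
}

# Only services with at least one writable hijack point are interesting.
Get-UnquotedServicePath | Where-Object HijackPoints | Format-List
```

A writable hijack point alone is not a privilege escalation: the service must run as a more privileged account than yours (see the RunAs column), and you need a way to get it restarted, which for an auto-start service usually means a reboot. The fix on the defensive side is to quote the ImagePath and to keep non-administrators from writing into directories under the service binary's path.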



Expected Learning Goals
Course Structure
Just the handout

What Powers PowerShell? How is it Executed?

2nd Intro
What Powers PowerShell?
How is PowerShell Executed? - Methods of Execution
Actually Executing it
Execution Policy
Constrained Language Mode

What Can We Do With PowerShell?

What Can We Do?
Privilege Escalation
Credential Access
Lateral Movement
Defense Evasion

ATT&CK Tactic & Technique Demonstrations

Demonstrations intro
Lateral Movement
Privilege Escalation
Privilege Escalation Demonstration - Unquoted Service Path Abuse

PowerShell Logging for Detection

Detecting & Mitigating PowerShell Execution
Event Logs
Module Logging
Script Block Logging
Transcription Logging
Default Logging Features
FIX: Demonstration of Log Configuration - Registry + GPOs
Review of Available Data and Configured Logging Options
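
Added example (not from the course): the registry values behind the three Group Policy settings this section covers, set directly with PowerShell on a lab host. On a domain, set the same three policies through a GPO under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell instead of writing the registry by hand. The transcript directory C:\PSTranscripts is an assumption; pick a location non-administrators cannot modify.

```powershell
# Added example: enable module, script block and transcription logging for
# Windows PowerShell 5.1 by writing the values Group Policy would write.
# Run from an elevated prompt.

$base          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumption: any tamper-resistant path works

# Module logging: pipeline execution details (event ID 4103) for every module.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Script block logging: the de-obfuscated text of every script block as it is
# compiled (event ID 4104). Invocation logging (4105/4106) adds start/stop
# events per block and is very noisy, so it stays off here.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockInvocationLogging -Type DWord -Value 0

# Transcription: full console session (input and output) written to a text
# file per session, with a header recording user, host and start time.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Type DWord -Value 1
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Type DWord -Value 1
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Type String -Value $transcriptDir
New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null

# Show what is now configured under each policy key.
foreach ($key in 'ModuleLogging', 'ScriptBlockLogging', 'Transcription') {
    Get-ItemProperty -Path "$base\$key" | Select-Object * -ExcludeProperty PS*
}
```

Two caveats a practitioner will hit: these keys apply to Windows PowerShell 5.1 only, and PowerShell 7 has its own policy tree under HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore that must be configured separately; and a local transcript directory is only as trustworthy as its ACL, so forward transcripts and the Microsoft-Windows-PowerShell/Operational log off the host as soon as they are produced.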

Reviewing Logs For Attacks

Windows Event Viewer
PowerShell Get-WinEvent
Windows Event Forwarding
FIX: Log Analysis Review & Demo
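
Added example (not from the course): a Get-WinEvent query that reads script block events (ID 4104) from the Microsoft-Windows-PowerShell/Operational log and tags the ones matching patterns drawn from the techniques listed earlier on this page (download cradles, in-memory loading, encoded commands, profile persistence, credential access). The pattern table is a constructed starting point, not a complete rule set, and the function and parameter names are mine.

```powershell
# Added example: hunt script block logging events for the techniques this
# course covers. Requires script block logging to be enabled on the target.

function Find-SuspiciousScriptBlock {
    param(
        [datetime]$Since        = (Get-Date).AddHours(-24),
        [string]  $ComputerName = $env:COMPUTERNAME
    )

    # Constructed regex table; extend it with what your own red team uses.
    $patterns = [ordered]@{
        DownloadCradle   = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer'
        InMemoryLoad     = 'Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b'
        Encoded          = 'FromBase64String|-EncodedCommand|-enc\b'
        ProfilePersist   = '\$PROFILE|Microsoft\.PowerShell_profile\.ps1'
        CredentialAccess = 'Get-Credential|PasswordVault|cmdkey|lsass'
    }

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name from the XML rather than relying
            # on the positional order of $_.Properties.
            $x    = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $text = $data.ScriptBlockText

            $hits = foreach ($k in $patterns.Keys) {
                if ($text -match $patterns[$k]) { $k }
            }
            if ($hits) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Computer = $_.MachineName
                    User     = $_.UserId
                    Path     = $data.Path        # empty for interactive/inline blocks
                    Tags     = $hits -join ','
                    Snippet  = $flat.Substring(0, [Math]::Min(160, $flat.Length))
                }
            }
        } | Sort-Object Time
}

Find-SuspiciousScriptBlock | Format-Table -AutoSize -Wrap
```

Two things to keep in mind when reading the results. Long script blocks are split across several 4104 events (the MessageNumber and MessageTotal fields tie the pieces together), so a pattern can land in a fragment whose surrounding context is in a sibling event. And even with script block logging disabled, PowerShell 5 still writes 4104 events at Warning level for blocks containing terms it considers suspicious, so a query like this returns something on an unconfigured host; it just will not be complete.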

Raising the Bar for PowerShell Execution

Raising the Bar for PowerShell Execution

Final Wrapup & Review

Recap & Review


March 4, 2021
It basically just defined things. It didn't show you how to detect attacks. That was the only reason I wanted this course: to learn how to analyze event logs. Nothing in this was helpful or extended beyond what an average tech-savvy person knew. I want a refund.


