Learning to ATT&CK and Defend with PowerShell
Understanding How PowerShell May Be Used to Perform Various Attacks, and How to Identify Them in Your Environment
What you will learn
How to use PowerShell from the perspective of an attacker (a low-sophistication one at that).
The ability to set up and implement PowerShell logging and monitoring within a Windows environment.
Understanding how to use the logging and security mechanisms that already exist in Windows.
Learn the basics of offensive PowerShell use so that you can develop your skills further, on your own, in the areas you choose.
As Sun Tzu said: "Know thy enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are sure to be defeated in every battle."
This course aims to teach basic offensive tactical concepts, using PowerShell as the vehicle for doing so.
Know your adversary. Become familiar with what options are available to an attacker with the ability to execute PowerShell.
The MITRE ATT&CK framework is used throughout to categorize and contextualize the various attacks and tactics performed by adversaries.
Know yourself and your environment by knowing what options are available for identifying PowerShell execution within your environment.
After having seen the various offensive tactics, see how each of them can be detected and monitored for within a Windows environment, using only tooling native to Windows.
To be clear, the only way to completely block PowerShell is application whitelisting (application control, such as AppLocker or Windows Defender Application Control); restricting or removing powershell.exe is not the same as disabling the engine, which other Windows components depend on. As such, I recommend focusing your efforts on detection.
The expected learning outcomes for this course are as follows:
Gain a medium-to-high-level understanding of how PowerShell execution occurs on Windows systems, in relation to both offensive and defensive techniques.
Gain the ability to use PowerShell to perform the various phases of an attack lifecycle, and understand why each phase works.
Gain the ability to detect and mitigate malicious PowerShell execution from the position of a defender.
By the end of the course, one should be able to describe how an attacker may use PowerShell to compromise an organization, as well as explain and implement defenses against such attacks and attackers.
This course specifically covers the following techniques and tactics:
How is PowerShell executed on a Windows system? (What happens behind the scenes to make PowerShell work?)
How to execute native Windows commands and programs using PowerShell;
Download Cradles, and how they can be used;
Injecting an executable binary into memory and then executing it using PowerShell;
Creating a persistence mechanism using PowerShell Profiles;
Performing Privilege Escalation through Windows service abuse using PowerShell;
Performing Host-based reconnaissance using PowerShell;
Performing Network-based reconnaissance using PowerShell;
Looking for credentials in files, in Windows Credential Manager, and in process memory using PowerShell; (in progress)
Using PowerShell Remoting (PSRemoting) to remotely log in to a Windows machine from a non-domain-joined Linux machine;
Using PowerShell to exfiltrate data over the network using TCP, UDP, HTTP and other protocols; (in progress)
How to identify the above attacks, and how to enable the native Windows logging mechanisms needed to track them.
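As an added example of the defensive half of the list above (this is not part of the course material), the script below turns on the three native PowerShell logging mechanisms, Script Block Logging, Module Logging and Transcription, by writing the same registry values that the corresponding Group Policy settings under Administrative Templates > Windows Components > Windows PowerShell write, and then queries the Microsoft-Windows-PowerShell/Operational log for Event ID 4104 script blocks containing strings typical of the techniques listed above (download cradles, in-memory loading, encoded commands, credential access, service abuse). The transcript output directory, the keyword list, and the function names are assumptions chosen for illustration; the keyword list is a starting point, not a complete signature set. Run it from an elevated session.

```powershell
# Added example, not course code: enable native PowerShell logging and
# query the resulting Script Block Logging events for suspicious content.
# Assumptions: the transcript directory path and the keyword list below.
#Requires -RunAsAdministrator

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDirectory = 'C:\PSTranscripts')   # assumed path

    # Script Block Logging: logs the text of every script block executed
    # (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), including
    # the de-obfuscated form of code that builds itself at runtime.
    $sbl = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module Logging: records pipeline execution details (Event ID 4103) for
    # the modules listed under ModuleNames; a value named '*' means every module.
    $ml = Join-Path $policyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Transcription: writes a text transcript of every session to the output
    # directory, with a timestamped invocation header before each command.
    $tr = Join-Path $policyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name 'EnableTranscripting'    -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'OutputDirectory'        -Value $TranscriptDirectory -Type String
    New-Item -ItemType Directory -Path $TranscriptDirectory -Force | Out-Null
}

function Get-SuspiciousScriptBlocks {
    # Pull 4104 events from the last N hours and flag script blocks whose text
    # contains strings associated with the techniques covered in the course.
    # The keyword list is an illustrative assumption, not a complete signature set.
    param(
        [int]$Hours = 24,
        [string[]]$Keywords = @(
            'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'Net.WebClient',
            'FromBase64String', 'Invoke-Expression', 'IEX ', '-EncodedCommand', ' -enc ',
            'Reflection.Assembly', 'VirtualAlloc', 'WriteProcessMemory',
            'Get-Credential', 'Invoke-Mimikatz', 'New-Service', 'sc.exe'
        )
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # For 4104 the event properties are: MessageNumber, MessageTotal,
        # ScriptBlockText, ScriptBlockId, Path. Index 2 is the script text.
        $text = [string]$_.Properties[2].Value
        $hits = $Keywords | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                RecordId    = $_.RecordId
                Keywords    = ($hits -join ', ')
                Snippet     = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}

Enable-PowerShellLogging
# Generate a benign event so the query has something to find. Note that this
# script's own body is also logged as a script block, and it contains the
# keywords it searches for, so expect at least one hit for the script itself.
Invoke-Expression 'Write-Output "logging test"'
Get-SuspiciousScriptBlocks -Hours 1 | Format-Table -AutoSize
```

Two caveats a defender should keep in mind: Script Block Logging only captures code that goes through the engine's compiler, so the session must be using a PowerShell version that supports it (5.0 and later on the Windows engine; the legacy version 2 engine does not log script blocks), and large script blocks are split across several 4104 events, which is what the MessageNumber and MessageTotal properties are for when you reassemble them.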