PowerShell Forensics Class

Even for seasoned PowerShell users, a deep and robust understanding of the language fundamentals can be incredibly powerful for writing more efficient, readable, and usable code. Section 1 of the course focuses on building a solid foundation upon which more complex use cases can then be constructed. With a focus on Blue Team specific functions, well frame the discussion around the PowerShell basics in terms that will be immediately useful for students. For example, common data structures are discussed as a fundamental aspect of PowerShell and immediately applied as Blue Team triage and analysis tactics. This base is built from the ground up and accessible to students with no prior scripting experience, but with enough nuance to shed light on the "why does it work this way" question for more seasoned PowerShell users. For professionals already familiar with the basic concepts, PowerPlay offers an interactive, out-of-band challenge system for students to drill various concepts and techniques related to the course material.

This 72 hour accelerated class is taught using face to face modality or hybrid modality. Class includes 72 hours of contact studies, labs, reading assignments and final exam - passing the final exam is a requirement for graduation.
Machines a Dual Core 16M Ram, 1TGig drives, running MS OS, linux, and VMWare Workstation.

This course Effective Blue Teams work to harden infrastructure, minimize time to detection, and enable real-time response to keep pace with modern adversaries. Automation is a key component to facilitate these capabilities, and PowerShell can be the glue that holds together and enables the orchestration of this process across disparate systems and platforms to effectively act as a force multiplier for Blue Teams. This course will enable Information Security professionals to leverage PowerShell to build tooling that hardens systems, hunts for threats, and responds to attacks immediately upon discovery.

Now that we have a strong understanding of the fundamentals, this course section focuses on ways to weaponize PowerShell both from an offensive and defensive perspective. The section begins with a focus on offensive PowerShell use cases. Threat actors have long used PowerShell as an attack platform, delivering fileless malware and living off the land using built-in capabilities. The next section turns this discussion around and focuses on the Blue Team aspects of controlling PowerShell execution.
The section then dives deep into log analysis and data parsing and discovery. The goal is to maximize the utility of native features of operating systems and applications while fully understanding how to find important data. If Blue Teams can identify sensitive data in unexpected locations, those data can be handled or protected properly. The section concludes with a discussion of PowerShell as a platform to enable Blue Teams to work within DevOps development practices. As modern development teams transition practices, Blue Teams must adapt. Automation plays an important role in this process, as Blue Teams fight to scale capabilities to match modern development frameworks. PowerShell provides this automation platform and can be the catalyst to enable continuous assurance of critical business services. PowerShell is uniquely positioned for this task of enabling Blue Teams. It acts as an automation toolset that functions across platforms and it is built on top of the .NET

Students will learn:

• PowerShell scripting fundamentals from the ground up with respect to the capabilities of PowerShell as a defensive toolset
• Ways to maximize performance of code across dozens, hundreds, or thousands of systems
• Modern hardening techniques using Infrastructure-as-Code principles
• How to integrate disparate systems for multi-platform orchestration
• PowerShell-based detection techniques ranging from Event Tracing for Windows to baseline deviation to deception
• Incident Response techniques leveraging PowerShell-based automation

This course is meant to be accessible to beginners who are new to the PowerShell scripting language as well as to seasoned veterans looking to round out their skillset. Language fundamentals are covered in-depth, with hands-on labs to enable beginning students to become comfortable with the platform. For skilled PowerShell users who already know the basics, the material is meant to solidify knowledge of the underlying mechanics while providing additional challenges to further this understanding.
The PowerPlay platform built into the lab environment enables practical, hands-on drilling of concepts to ensure understanding, promote creativity, and provide a challenging environment for anyone to build on their existing skillset. PowerPlay consists of challenges and questions mapping back to and extending the course material. Between the course material and the PowerPlay bonus environment, students will leave the course well equipped with the skills to automate everyday cyber defense tasks. You will return to work ready to implement a new set of skills to harden your systems and accelerate your capabilities to more immediately detect and respond to threats.

Exercises - Hands-on PowerShell: Get comfortable with PowerShell cmdlets, objects, and the pipeline to start making meaningful tools. Triage the VM: Quickly understand the state of a system, from networking details to process execution and removable devices Scripting in PowerShell: Leverage an understanding of the language basics to build high-quality tooling that will be supportable by Blue Teams. Debugging: Save time and frustration, easily identifying complex bugs in PowerShell through built-in debugging capabilities and Pester tests Source Control: Become familiar with Git concepts to effectively manage version control