Pentesting with PowerShell

Catalog number: #71559 | Course duration: 40 academic hours | Number of sessions: 5

This 5-day hands-on training teaches step by step how Windows PowerShell can be used both to hack common Windows components (including passwords, Windows applications, Active Directory, etc.) and to secure and protect your environment. You will take PowerShell to the next level with tips, best practices and a number of advanced, rarely documented techniques to get the most out of your IT environment.



What you will learn:

  • Working with tools and techniques in PowerShell for penetration testers
  • Learn how to use PowerShell for network scanning and reconnaissance
  • Learn how to use PowerShell for exfiltration from domain networks
  • Learn how to use PowerShell for post-exploitation

Target audience

  • Pentesters for Windows environments
  • Blue teamers for Windows networks
  • IT Professionals
  • Security professionals & vendors
  • DevOps professionals with good PowerShell knowledge who wish to dive deep into security-related operations

Prerequisites

  • Basic use of PowerShell and/or other scripting languages (Perl, bash, Python, etc.)
  • Understanding of and experience working with TCP/IP protocols (DNS, HTTP, LDAP, RPC, CIFS, etc.)
  • Experience installing and configuring Windows Server into existing enterprise environments, or as standalone installations


Part 1: Windows PowerShell – Introduction, Tips & Best Practices

  • Understand and demonstrate scripting basics – variables, loops, parameters, etc.
  • What PowerShell is and how it works
  • Working with the pipeline to sort, select, filter, convert, import, etc.
  • Working with files, grouping, performance tips and more

Part 2: Script & Code execution – Myth & reality – Drill down

  • People, technologies, processes – understand how PowerShell can help in all three pillars of modern cyber security
  • Execution policies – running signed scripts: configuration, bypass, myth and reality
  • 'Assume breach' mindset – PowerShell capabilities that help fulfil it
  • PowerShell logging
  • PowerShell auditing (input and output)
  • Module logging
  • Script block logging and protected script block logging (using CMS – Cryptographic Message Syntax)
  • PowerShell, AMSI and MsMpEng
  • Command injection
  • Tips for the blue team (forensics / SIEM / SOC approach)


Part 3: Working with APIs & .NET

  • Know your options – running PowerShell code from cmdlets, CMD tools, native Win32 APIs, WMI, COM objects and .NET (direct calls, assemblies, compiled code, etc.)
  • WMI and PowerShell – drill down
  • AppLocker and constrained PowerShell
  • Language modes in PowerShell v5.x
  • Under the .NET Framework hood – running code without powershell.exe
  • Going 'stealth' – using PowerShell to run an executable in memory without touching disk and without launching a powershell process


Part 4: Using Base64 encoded strings & secure strings

  • Working with base64 strings – advantages and disadvantages for pentesting, in terms of technique, DLP engine detection, etc.
  • What do DLP/AV engines look for? How to infiltrate with base64 successfully
  • Secure strings – delivering hashed strings with DPAPI
  • Encrypting and decrypting secure strings and file content for operations


Part 5: Hacking & Securing Remote Operations

  • The 'Boolean admin' concept – all or nothing, management tools used as attack tools, the "living off the land" concept
  • Walkthrough of remote admin tools and their issues, pros and cons
  • Using PSRemoting – concepts, architecture, advantages for pentesters
  • Best practices for working with PSRemoting in the field: performance, multi-hop, etc.
  • Avoiding detection, and implementing blue team mechanisms to detect connections and capture their full details
  • Enabling PSRemoting – all the options (locally and remotely)
  • Just Enough Administration – concept, configuration and deployment of RBAC (role-based access control) for remote administration
  • Running PSJobs across multiple machines in the domain
  • Utilizing scheduled tasks and WMI for remote interactive shell operations

Part 6: Active Directory Security – Intro to Lateral Movement

  • Quick recap of security-related concepts – Kerberos, NTLM, hash types, SAM, etc.
  • Querying account logon events effectively with PowerShell
  • Logon types and failed logon types
  • Working with the AD cmdlets
  • Mapping the penetrated AD with no module dependencies
  • Solving Kerberos delegation issues


Part 7: Penetration Frameworks

  • Understand and explore different frameworks such as PowerSploit, PowerMemory, PowerView, PowerShell Suite, p0wnedShell, etc.


Part 8: Exploit Scenario

  • Understand pentesting stages and how they work
  • Using PowerShell in all stages of the attack – advantages and what to look out for
  • Understand PTH (pass the hash), PTT (pass the ticket), etc.
  • Full exploit scenario into an AD domain: reconnaissance / network scanning / AD info dumps, etc. -> payload preparation -> injecting PowerShell code into shortcuts, applications, etc. -> infiltration (social engineering, backdoors – HTTP/WMI/sockets, etc.) -> exfiltration and persistence (e.g. WMI event subscriptions), privilege escalation attempts (exploits, credential dumping, key logging, etc.), GPO pass, AD groups and privileged users, BloodHound, lateral movement with local admin -> accessing a remote shell -> file download and execution -> get the flag
  • Workshop summary