Advanced PowerShell for Offensive Operations

Veris Group's Adaptive Threat Division | July 30-August 2



Overview

You've just gained a foothold in a high-security Windows environment. Host defenses are in place and you know you're being watched. Would you risk dropping executables into such an environment, or should you lay low and use the tools already present? The mindset of "living off the land" is an effective strategy used by many modern sophisticated adversaries, and Windows PowerShell is the tool of choice for achieving stealthy objectives.

Already in heavy use by state-sponsored and criminal actors, PowerShell is by far the most powerful attack tool built into modern Windows versions. The scripting language, with full access to the .NET framework, enables an attacker to retrofit their malware to never touch disk, evade nearly all anti-virus, create network sockets, interface with the Win32 API, automate all Windows administration tasks, and much more. From a user-mode perspective, there is nothing that PowerShell can't do.

In this class, you will learn to effectively incorporate PowerShell into your offensive tradecraft. The class covers the gamut from the basics to advanced development techniques, all while focusing on applicability to offense. Students will also benefit from hearing the instructors' war stories and gain insight into how they use PowerShell to tackle challenging problems.

The following topics will be covered in this course:

Day 1 - PowerShell Essentials:
  • Cmdlets
  • Pipeline
  • Help
  • PSDrives
  • Variables
  • Objects
  • Coding constructs
  • Functions
  • Modules
  • Profile scripts
  • Performing basic offensive tasks

Day 2 - Hands-on with Offensive Tools:
  • Reconnaissance: host, network, Active Directory
  • PowerView
  • Post-exploitation
  • Persistence
  • PowerSploit
  • Privilege escalation
  • PowerUp
  • Command and control
  • PowerShell Empire

Day 3 - Weaponization and Methodology:
  • Backwards compatibility considerations
  • Remote code execution via WMI and WinRM
  • Script deployment and handling dependencies
  • Building Empire modules
  • PowerShell execution outside of powershell.exe
  • .NET in-memory loading
  • Native binary design considerations for in-memory loading
  • Command-line auditing evasion
  • PowerShell forensic artifacts

Day 4 - Advanced Tool Development:
  • Advanced functions
  • Supporting the pipeline
  • Properly handling output
  • Best practices
  • Low-level PowerShell: interfacing with the Win32 API
  • Developing PSReflect signatures
  • Repurposing malware written in C for PowerShell

Who Should Take this Course

This class is intended for attackers and defenders wanting to learn how to effectively wield PowerShell for their operations.

Student Requirements

Participants should have a background in penetration testing or red/blue teaming, including conducting information gathering, completing network enumeration, launching exploits, conducting privilege escalation, gathering post-exploitation information, and establishing network footholds. Participants should also have at least a minimal background in Windows system administration, the Win32 API, and scripting and/or software development in C, C++, Python, Ruby, etc. A background in PowerShell is not required but is highly recommended.

What Students Should Bring

A custom version of the latest Kali Linux image will be provided to participants; all exercises can be performed from this virtual machine. Participants will need to bring their own laptop with:
  • Wired network adapter
  • 4 GB of RAM
  • Ability to run a virtual machine (VMWare Player, Workstation, Fusion)
  • The ability to RDP into a remote system
  • An insatiable appetite for learning

What Students Will Be Provided With

Printed course material and lab manuals

Trainers

Matthew Graeber is a researcher and reverse engineer in Veris Group's Adaptive Threat Division where he is tasked with developing unique offensive and defensive capabilities. He has a varied background in malware reverse engineering, exploit development, and offensive software development. Matt is the primary developer of popular PowerShell frameworks including PowerSploit and PowerShellArsenal and has spoken at many leading industry conferences including DEF CON, Black Hat, Microsoft Blue Hat, DerbyCon, BSides, and the PowerShell Summit. Matt holds a Bachelor's degree in Computer Science, holds several industry certifications including Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE), and has been designated a Microsoft "Most Valuable Professional" (MVP) in PowerShell.

Will Schroeder is a researcher and red teamer in Veris Group's Adaptive Threat Division. He has spoken at several industry conferences, including ShmooCon, DerbyCon, and DEF CON, on topics ranging from domain trust abuse to offensive PowerShell. He is a co-founder of the Veil-Framework, developed PowerView and PowerUp, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire. He has a strong computer science and security background, having worked at two of the leading cybersecurity research labs in the country, Sandia National Labs and SEI/CERT. Will holds a master's degree in information security from Carnegie Mellon University, is an Offensive Security Certified Professional (OSCP), and an Offensive Security Certified Expert (OSCE).

Jared Atkinson is the Hunt capability lead with Veris Group's Adaptive Threat Division. Before working for Veris Group, Jared spent 4 years leading incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of the PowerForensics project, an open source forensics framework for PowerShell, and of Uproot, a WMI-based IDS, and maintains a DFIR-focused blog at www.invoke-ir.com.