On This Page

Adversary Tactics: PowerShell

SpecterOps | August 4-7


Automation is necessary to be efficient and successful in security for both offensive and defensive teams. Furthermore, with the rapid pace of migration to cloud infrastructure, the need to interact with infrastructure through automation is more important than ever. PowerShell is the language and shell that drives automation across the Windows and Azure ecosystem. Sitting on top of the massive .NET class library, there is very little that cannot be done in PowerShell. Today, PowerShell is relied upon by red teams, threat hunters, incident responders, penetration testers, criminals, and nation-state adversaries alike. Before robust detection capabilities were widely deployed, PowerShell was also the tool of choice for attackers to evade detection. Between the modern security features offered and the fact that most AV/EDR solutions have a PowerShell prevention/detection component, it is imperative that both red teamers and blue teamers understand the defensive landscape when building and using tools within the language.

This class is designed to teach students already comfortable with the basics of PowerShell to take full advantage of the unique benefits it offers security professionals. Since the introduction of version 5, the security optics and preventative controls of PowerShell are unparalleled. Students will learn how to configure, audit, monitor, and bypass every preventative and detective control that PowerShell has to offer. Students will walk away with a profound appreciation of PowerShell's capabilities, strong security enforcement and optics, as well as the extent of its unique, post-exploitation attack surface. In addition, they will also learn the methodology attackers use to research and develop security feature bypasses and stealthy tradecraft. Finally, students will become even more comfortable using PowerShell and identifying when it's the right tool for the job and when it's not.

Defenders must know the reality of how attackers subvert security controls, and mature offensive security testers must know the defensive landscape in which they must tread carefully. This class will serve as a deep dive into PowerShell security capabilities. Every topic presented in class will follow the theme of "for every action, there is an equal and opposite reaction" whereby mitigations, detections, and bypasses will be discussed for nearly every topic covered.

By then end of the course, students will feel confident finding their own previously unpublished security feature bypasses and techniques and then subsequently build opposing detections and mitigations.

The following topics will be covered in this course:

Day 1:
  • Motivations/Goals
  • PowerShell Basics Refresher
  • PowerShell Remoting
  • PowerShell Without PowerShell
    • 3rd party, alternate PowerShell hosts
    • Supported Microsoft PowerShell hosts
    • Unintended Microsoft PowerShell hosts
    • Command-line logging evasion

Day 2:
  • Windows Management Instrumentation (WMI)
    • Interacting with WMI
    • Querying WMI and discovery
    • Eventing
    • Attacks/defenses
  • Active Directory
    • Interacting with Active Directory
    • LDAP search filters
    • Active Directory ACLs
    • Command and control
    • PowerView "PowerUsage"

Day 3:
  • Reflection
    • Internal .NET member access/invocation
    • In-memory .NET assembly loading
    • Add-Type internals, host footprint, and evasion strategies
    • Dynamic code generation
  • Low-level, Win32 Interop
    • P/Invoke and Win32 API basics
    • Borrowing internal methods
    • PSReflect

Day 4:
  • PowerShell Prevention - Implementation, Auditing, and Bypasses
    • Constrained Language Mode
    • Just Enough Administration (JEA)
    • Downgrade attack mitigation
    • Anti-malware Scan Interface (AMSI)
    • Exploiting code injection vulnerabilities
    • Code signing and trust enforcement
  • PowerShell Detection - Implementation, Auditing, and Bypasses
    • Classic and modern event logs
    • Event Tracing for Windows (ETW)

Who Should Take this Course

This class is intended for attackers and defenders wanting to learn how to effectively wield PowerShell for their operations. It is also intended for those wanting to learn how to research and develop their own PowerShell security feature bypasses.

Student Requirements

Students are expected to have the following:
  • A basic level of comfort/familiarity with PowerShell.
  • A minimal background in C#/.NET is ideal in order to effectively digest advanced PowerShell tradecraft and security feature bypass methodology. We will be using dnSpy (a .NET decompiler) heavily in day 3 and 4.
  • A willingness to learn and to get your hands dirty in intensive labs!

What Students Should Bring

  • The ability to connect to the internet and connect to a VM over RDP (and optionally, PowerShell remoting – port 5985)
  • A Windows 10 VM (preferably Windows 10 Enterprise for the Device Guard bypass lab).

What Students Will Be Provided With

Students will be provided connections into the labs and all course materials in PDF form.


Matt Graeber is a security researcher and reverse engineer who specializes in the advancement of attacker tradecraft and detection. He has a varied background in red team operations, vulnerability research, and malware reverse engineering. Matt has presented at many industry conferences including Black Hat, DEF CON, Microsoft BlueHat, DerbyCon, BSides, and various PowerShell conferences. Matt is recognized as a Microsoft MVP and is the author of various tools including PowerSploit, PowerShellArsenal, PSReflect, and CIMSweep. He maintains his blog at http://www.exploit-monday.com.

Matt Nelson is an active red teamer and security researcher. He brings a passion for researching and pushing new offensive and defensive techniques into the security industry. He is the primary developer on the PowerSCCM toolkit, a co-developer on the Empire framework, and contributes to many other open source security projects. Matt has spoken at numerous security conferences, and has been recognized by Microsoft for his discovery of new offensive techniques and bypasses. He maintains his blog at http://enigma0x3.net.