Offensive PowerShell for Red and Blue Teams

(Please contact me at nikhil[dot]uitrgpv[at]gmail[dot]com for more details and schedule.)

Penetration Tests and Red Team operations against secured environments call for a different approach. You cannot afford to touch disk, drop executables or rely on memory corruption exploits without the risk of being ineffective as a simulated adversary. To enhance offensive tactics and methodologies, PowerShell is the tool of choice.

PowerShell has changed the way Windows networks are attacked. It is Microsoft's shell and scripting language, available by default on all modern Windows computers. It can interact with .NET, WMI, COM, the Windows API, the Registry and other computers in a Windows Domain. This makes it imperative for Penetration Testers and Red Teamers to learn PowerShell.

This training is aimed at attacking Windows networks using PowerShell and is based on real-world penetration tests and Red Team engagements in highly secured environments. The course runs as a penetration test of a secure environment, with detailed discussion and use of custom PowerShell scripts in each phase. Some of the techniques covered in the course, all implemented using PowerShell:
- Advanced client side attacks.
- Active Directory trust mapping and abuse.
- Privilege Escalation (User Hunting, Delegation issues and more)
- Kerberos Attacks and Defense (Golden, Silver ticket, Kerberoast and more)
- Abusing cross forest trust (Lateral movement across forest, PrivEsc and more)
- Abusing SQL Server trust in AD (Command Execution, trust abuse, lateral movement)
- Credentials Replay Attacks (Over-PTH, Token Replay etc.)
- Persistence (WMI, ACLs and more)
- Dump Windows passwords, Web passwords, Wireless keys, LSA Secrets and other system secrets in plain text
- Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration.
- Network relays, port forwarding and pivots to other machines
- PowerShell without powershell.exe
- Bypass security controls like App Whitelisting, JEA, ATA etc.
- Enhanced security and logging features in PowerShell v5 (UMCI, CLM, AMSI, Transcription) and their bypasses.

The course is a mixture of demonstrations, exercises, hands-on work and lecture. The training focuses more on methodology and techniques than on tools. Attendees get free one-month access to a complete Active Directory environment after the training. After this training, attendees will be able to write their own scripts and customize existing ones for security testing. This training aims to change how you test a Windows-based environment.


"One of the best parts of this training is that all this material is supported by practical hands-on exercises in a fully functional lab environment. Attendees will also retain their access to this lab for a month after the training, allowing them to catch up on things that were not clear during class or to just really master the content of the course. This is a huge bonus in my book, as it really allows you to digest the course contents at your own pace"
Adriaan Neijzen, PricewaterhouseCoopers, Belgium at BruCON 2018

"The training was exactly what I expected and I learned useful things in a domain I have a lack of experience with. In addition the trainer was really good."
BruCON 2018

"The lab is very practical and aligns with real world assessments. The trainer is very experienced. My organization has a regular training budget and this was one of the best classes I have ever attended."
BruCON 2018

"Learned so much! This was a career changing training for me!"
George, 44CON 2018

"Great course from the expert who clearly knows the topic with a lot of experience from the field. Exhausting exercises in the complex online lab environment in ready to use state so no delays building it during the class. One month free access to the lab environment after the course is great opportunity to go over the exercises again."
A student from 44CON 2018

"Loved the PowerShell v5 logging, bypasses and ATA evasion stuff"
Pieter, Private training, 2018

"Really good, engaging lecturer! His enthusiasm was good, he was clearly knowledgeable and he put up with and was able to adapt to disruptions from people being called out admirably"
George Lutz, Private training 2017

"I thoroughly enjoyed getting to grips with some of the tools and techniques used in penetration testing"
Jacob, Private training 2017

"That was an amazing class. I am definitely going to recommend this!"
Valdur, BruCON 2017

"For me it was just the perfect level of difficulty! I really enjoyed it!"
Marrie, 44CON 2017

"Overall a very good course, well-presented by an expert who was very capable and willing to help."
44CON, 2017

"Great course, trainer clearly knows his topic."
44CON, 2017

"I would highly recommend this course to anyone willing to improve their confidence using PowerShell and to practice common (and uncommon) AD attacks. I have definitely gotten better at it since !! :) You get temporary access to the lab used in the training for an additional month once the training has ended, which should give some time to go over the content once again and practice. The slides for the training have become one of my new cheat-sheets when performing Red Teaming, so I regularly go back to them."
Quentin, 44CON 2017

"The lab environment was awesome."
x33fcon, 2017

"That was enlightening."
CanSecWest, 2017

"A lot of interesting tricks and techniques from real-world experience."
BruCON, 2016

"Learned a lot of new things about the possibilities with PowerShell."
BruCON, 2016

"The best part was Hands-On and instructors answering all questions."
BruCON, 2016

"Very experienced trainer with deep knowledge on Powershell Pen Testing."
Teo, DeepSec, 2015

"Amazed by what PowerShell can be used for."
Mason, Shakacon, 2015

"Have used his tool Nishang to bypass AV. What a knowledgeable lad. Loved the class."
Shakacon, 2015

"Attended his workshop last year too. New content and more hands-on."
Troopers, 2014

"Amazed that Microsoft provides such a good tool for attackers in Windows. Loved the pentest part. The defense part was also fairly covered."
Private training, 2013

"Highly recommended if you want to sharpen your pentest skills."
Troopers, 2013
