PowerShell Security – Red vs. Blue Team

Main Speaker:

Yossi Sassi

Tracks:

After Event Workshops
Cyber
Data

Seminar Categories:

After Event Cyber
After Event Workshops
BI & ML
Cyber

Course ID:

43747

Date:

13.07.2020

Time:

Daily seminar
9:00-16:30

Overview

With great Power(shell) comes great responsibility.

Did you know that, for a Blue Teamer with a GOOD understanding of PowerShell, it can be a very bad tool of choice for an attacker,

yet without proper knowledge and experience you are easily bypassed, in memory, without a single file touching the disk, by attackers "living off the land"?

The bad guys are already using PowerShell extensively. Are you prepared?

Drawing on 10+ years of PowerShell experience and PowerShell security consulting on four continents, the speaker delivers world-class, hands-on training on the subject.

What we will learn & focus on:

  •  Intro: understanding the attacker mindset & attack anatomy
  •  Why malware wins, along with TTPs (tactics, techniques & procedures), tools & practices
  •  Network scanning and reconnaissance, along with various lateral movement options
  •  Active Directory & Kerberos attacks
  •  Living off the land – concepts & tools
  •  PowerShell as a post-exploitation tool – Red vs. Blue team

Who Should Attend

IT, DevOps, Security

Prerequisites

  • Understanding of and hands-on work with TCP/IP protocols (DNS, HTTP, ARP, ICMP, RPC, SMB, etc.)
  • Experience installing and configuring Windows clients & Windows Servers into existing enterprise environments, or as standalone installations
  • Previous programming and/or command-line scripting knowledge

Course Contents

  • The h@ck3r mindset, Cyber Kill Chain – Red vs. Blue
  • InfoSec myths vs. reality – passwords, processes, Command & Control
  • PowerShell & the Windows API – borrowing native calls, backward compatibility
  • Living off the land concept continued: PowerShell code execution as an example, System.Management.Automation
  • PowerShell logging & auditing techniques – best practices & bypasses (how attackers cover their tracks), e.g. PowerShell with CMS
  • DPAPI & SecureStrings
  • Obfuscation – string manipulation, Base64 and more
  • WinRM: CIM & PSRemoting – architecture & how-to
  • Role-Based Access Control with "Just Enough Administration" (JEA) – secure, constrained, delegated endpoints with PSSessions
  • Hacking AD "living off the land" with built-in APIs & protocols
  • Reconnaissance, mapping assets, hunting admins
  • Domain privilege escalation: getting hashes, relay/redirect, offline cracking
  • Exploring different frameworks & tools (e.g. SharpUp, PowerSploit, PowerUp, PowerView, etc.)


DevGeekWeek 2020