Course 9: Implementing PowerShell Security Best Practice 2019
What you’ll learn
- Explain the Windows PowerShell security model
- Use Windows PowerShell and PowerShell Core to secure the network
- Manage execution of local PowerShell scripts
- Manage remote execution of Windows PowerShell
- Manage remote execution of PowerShell Core
- Describe security implications of using Constrained Language Mode
- Describe the architecture and components of Windows PowerShell DSC
- Recommend Windows PowerShell auditing and logging configuration
- Provide examples of Windows PowerShell-based attacks
- Use Windows PowerShell-based security tools
- Provide an overview of Windows PowerShell-based security-related technologies
- Implement Windows PowerShell logging by using Desired State Configuration (DSC)
- Identify and mitigate Windows PowerShell-based exploits
- Implement Just Enough Administration (JEA)
Requirements
- A good foundation in accessing and using simple Windows PowerShell commands
- Experience with Windows Client and Server administration, maintenance, and troubleshooting
- Basic experience and understanding of Windows networking technologies, including Windows Firewall network settings, DNS, DHCP, Wi-Fi, and cloud service concepts
- Basic experience and understanding of Active Directory, including the functions of a domain controller, sign-on services, and group policy
- Knowledge of and relevant experience in systems administration using Windows 10
- Attendance of Courses 6 and 8 in this series is highly desirable
The primary objective of Windows PowerShell was to help IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.
To take advantage of the benefits that Windows PowerShell has to offer while minimising security-related risks, it is essential to understand the primary aspects of Windows PowerShell operational security. Another aspect that is critical to consider in the context of this course is the role of Windows PowerShell in security exploits.
You will explore the most common Windows PowerShell-based techniques attackers use to leverage existing access to a Windows operating system: installing malicious software, carrying out reconnaissance, establishing persistence on the target computer, and moving laterally. You will also review some of the Windows PowerShell-based security tools that support penetration testing, forensics, and reverse engineering of Windows PowerShell exploits. The course concludes with a summary of the Blue Team technologies that together provide defence-in-depth against Windows PowerShell-based attacks.
Module 1, “PowerShell Fundamentals”. In this module, you will learn the fundamentals of PowerShell, including its architectural design, its editions and versions, and the basics of interacting with it. On the practical side you will see the difference between Windows PowerShell on the .NET Framework (FullCLR) and PowerShell Core on .NET Core (CoreCLR), install PowerShell Core on Windows, Linux and macOS, and work with PowerShell profiles.
Module 2, “PowerShell Operational Security”, In this module, you will learn about enhancing operating system security by leveraging built-in Windows PowerShell features and technologies that are part of the Windows PowerShell operational environment.
On the practical side of this module, you will learn to:
1. Raise the execution policy to a more restrictive level (for example AllSigned) across your network. Note that the execution policy prevents accidental script execution; it is not a security boundary, since a user can still launch PowerShell with -ExecutionPolicy Bypass.
2. Obtain and manage a code-signing certificate.
3. Sign script files with an authorised certificate and verify the signature before execution.
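The three steps above, carried out end to end in an elevated Windows PowerShell 5.1 session. This is an added example, not the course's own lab material; the certificate subject, file paths and timestamp server URL are assumptions, and the self-signed certificate is for a lab only.

```powershell
# Added example, not from the course. Requires an elevated Windows PowerShell 5.1
# session and the PKI module (Windows 8 / Server 2012 or later).

# 1. Raise the execution policy. AllSigned requires every script, including
#    profiles, to carry a valid Authenticode signature from a trusted publisher.
#    Caveat: execution policy stops accidental execution only; a local user can
#    still run 'powershell.exe -ExecutionPolicy Bypass'. Deploy it by GPO so the
#    MachinePolicy scope, which users cannot override, carries the setting.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Get-ExecutionPolicy -List

# 2. Create a code-signing certificate. Self-signed here for a lab; in
#    production request one from the enterprise CA using a Code Signing template.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Lab PowerShell Signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddYears(2)

# A self-signed certificate must be trusted explicitly: as a root (it is its own
# issuer) and as a publisher (so AllSigned does not prompt). Skip with a CA cert.
$cerPath = Join-Path $env:TEMP 'lab-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation $store | Out-Null
}

# 3. Sign a script and verify the signature. The timestamp keeps the signature
#    valid after the certificate itself expires (server URL is an assumption).
$scriptPath = Join-Path $env:TEMP 'Get-RunningServices.ps1'
Set-Content -Path $scriptPath -Value 'Get-Service | Where-Object Status -eq Running | Select-Object -First 5'
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256 `
    -TimestampServer 'http://timestamp.digicert.com' | Select-Object Status, StatusMessage

Get-AuthenticodeSignature -FilePath $scriptPath | Select-Object Status, SignerCertificate
& $scriptPath                                    # runs under AllSigned

# Any change after signing invalidates it: the status becomes HashMismatch and
# AllSigned refuses to run the file until it is re-signed.
Add-Content -Path $scriptPath -Value '# edited after signing'
(Get-AuthenticodeSignature -FilePath $scriptPath).Status
```

Check the final line before you trust the policy: a status other than Valid on a script you rely on means either the file was modified, the signing certificate is not in TrustedPublisher on that machine, or its chain does not reach a trusted root.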
Module 3, “Implementing PowerShell-based Security”, The purpose of this module is to present the most common and effective methods of leveraging Windows PowerShell to enhance operating system security. These methods include:
- Protecting against unintended configuration changes by relying on PowerShell Desired State Configuration (DSC)
- Implementing the principle of least privilege in remote administration scenarios by using Just Enough Administration (JEA)
- Tracking and auditing events that might indicate exploit attempts by using Windows PowerShell logging.
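The JEA item above, as an added example that is not part of the course: a constrained endpoint that lets members of one group restart two named services and read two event logs, and nothing else. The group CONTOSO\Helpdesk, the module name, the server SRV01 and the transcript directory are assumptions.

```powershell
# Added example, not from the course. Builds a JEA endpoint on a server so that
# members of CONTOSO\Helpdesk (assumed group) can restart two named services
# and read two event logs, and nothing else. Run elevated on the server.

# Role capability files must live in a RoleCapabilities folder of a module on
# $env:PSModulePath; the module name and paths are assumptions.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
New-Item -ItemType Directory -Path (Join-Path $moduleRoot 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpdeskJEA.psd1')

New-PSRoleCapabilityFile -Path (Join-Path $moduleRoot 'RoleCapabilities\Helpdesk.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        # Parameter constraints stop the role from becoming 'restart anything'.
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
        @{ Name = 'Get-WinEvent'; Parameters = @{ Name = 'LogName'; ValidateSet = 'System', 'Application' }, @{ Name = 'MaxEvents' } }
    ) `
    -VisibleFunctions 'Get-DiskUsage' `
    -FunctionDefinitions @{
        Name        = 'Get-DiskUsage'
        ScriptBlock = { Get-PSDrive -PSProvider FileSystem | Select-Object Name, Used, Free }
    }

# Session configuration: RestrictedRemoteServer gives NoLanguage mode (no script
# blocks, no arbitrary .NET), the virtual account means the helpdesk user never
# holds admin credentials on the box, and transcripts record every command.
$pssc = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' } }
Test-PSSessionConfigurationFile -Path $pssc        # must return True
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force

# From a helpdesk workstation (SRV01 is an assumed server name):
#   Enter-PSSession -ComputerName SRV01 -ConfigurationName Helpdesk
#   Get-Command                         -> only the allowed commands are listed
#   Restart-Service -Name Spooler       -> allowed
#   Restart-Service -Name WinRM         -> rejected: value not in ValidateSet
#   [System.Diagnostics.Process]::Start('cmd')  -> rejected: NoLanguage mode
#   Invoke-Command -ComputerName SRV01 -ConfigurationName Helpdesk -ScriptBlock { Get-DiskUsage }
```

The design choice worth noticing is the parameter constraint: exposing Restart-Service without ValidateSet would let the role restart WinRM or security agents, which is a very different capability from restarting the print spooler.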
Module 4, “Windows PowerShell-based Exploits and their Mitigation”. In this module, we first approach Windows PowerShell-based security from the Red Team's perspective. We explore the most common Windows PowerShell-based techniques attackers use to leverage existing access to a Windows operating system: installing malicious software, carrying out reconnaissance, establishing persistence on the target computer, and moving laterally. We also review some of the Windows PowerShell-based security tools that support penetration testing, forensics, and reverse engineering of Windows PowerShell exploits. To conclude the module and the course, we summarise the Blue Team technologies that together provide defence-in-depth against Windows PowerShell-based attacks.
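Two of the defensive pieces above, the DSC-deployed logging from Module 3 and a Blue Team hunt over the events it produces, as one added example that is not part of the course. The registry keys are the documented PowerShell policy keys; the transcript share, the pattern list and the event count are assumptions.

```powershell
# Added example, not from the course. Part 1 is a DSC configuration that enables
# Script Block Logging, Module Logging and transcription through the documented
# policy registry keys; part 2 hunts the resulting Event ID 4104 records for the
# techniques above. Transcript path and the pattern list are assumptions.
Configuration PowerShellLogging {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        $policy = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        Registry ScriptBlockLogging {
            Key = "$policy\ScriptBlockLogging"; ValueName = 'EnableScriptBlockLogging'
            ValueType = 'Dword'; ValueData = '1'; Ensure = 'Present'
        }
        Registry ModuleLogging {
            Key = "$policy\ModuleLogging"; ValueName = 'EnableModuleLogging'
            ValueType = 'Dword'; ValueData = '1'; Ensure = 'Present'
        }
        Registry ModuleLoggingAllModules {   # '*' logs pipeline events from every module
            Key = "$policy\ModuleLogging\ModuleNames"; ValueName = '*'
            ValueType = 'String'; ValueData = '*'; Ensure = 'Present'
        }
        Registry Transcription {
            Key = "$policy\Transcription"; ValueName = 'EnableTranscripting'
            ValueType = 'Dword'; ValueData = '1'; Ensure = 'Present'
        }
        Registry TranscriptDirectory {   # write-only share so an attacker cannot clean up
            Key = "$policy\Transcription"; ValueName = 'OutputDirectory'
            ValueType = 'String'; ValueData = '\\logsrv\PSTranscripts$'; Ensure = 'Present'
        }
    }
}
$mof = Join-Path $env:TEMP 'PowerShellLogging'
PowerShellLogging -OutputPath $mof | Out-Null
Start-DscConfiguration -Path $mof -Wait -Verbose -Force
Test-DscConfiguration -Detailed | Select-Object InDesiredState   # expect True

# Part 2: 4104 events carry the script block text in Properties[2], logged after
# the engine has decoded and compiled it, so Base64-encoded or string-built
# payloads show up in clear. Look for download cradles, encoding and tool names.
$patterns = 'Net\.WebClient', 'DownloadString', 'DownloadFile', 'Invoke-Expression',
            '\bIEX\b', 'FromBase64String', 'Invoke-Mimikatz', 'Invoke-Shellcode',
            'New-Object\s+-ComObject\s+WScript\.Shell', '-nop\b.*-w\s+hidden'
$regex = $patterns -join '|'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
             -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value
        if ($text -match $regex) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Path    = $_.Properties[4].Value          # empty for interactive input
                Snippet = ($text.Substring(0, [Math]::Min(120, $text.Length))) -replace '\s+', ' '
            }
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

The hunt is deliberately noisy: legitimate admin scripts also use DownloadString and Invoke-Expression, so the output is a triage list, not an alert. The lasting value is the logging itself, which turns the obfuscation techniques covered in this module into readable text in the event log.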
Module 5, “Network & Firewall”. In this practical module, you will learn how to write a port scanner script, test network services, and use four different methods of restricting ports with Windows Firewall.
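An added example for this module, not the course's own script: a TCP connect scanner with a per-port timeout, followed by four ways of closing what it finds with the NetSecurity cmdlets. The host name, management subnet and rule names are assumptions, and the four firewall approaches are this example's choice, not necessarily the four the course teaches.

```powershell
# Added example, not the course's own script. Test-TcpPort is a small TCP
# connect scanner with a per-port timeout; the firewall section shows four ways
# to restrict a port with the NetSecurity cmdlets (elevated session). Host names,
# subnet and rule names are assumptions.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 500
    )
    foreach ($p in $Port) {
        $client = [System.Net.Sockets.TcpClient]::new()
        try {
            # ConnectAsync + Wait gives a timeout; a plain Connect() can hang for
            # ~20 s on filtered ports. Wait() throws on refused connections.
            $open = $client.ConnectAsync($ComputerName, $p).Wait($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Dispose()
        }
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $p; Open = $open }
    }
}

# Common management and file-sharing ports; anything unexpected is a finding.
Test-TcpPort -ComputerName 'srv01' -Port 21, 22, 23, 80, 135, 139, 445, 1433, 3389, 5985, 5986 |
    Where-Object Open | Format-Table -AutoSize

# Four ways to close down what the scan found.
# 1. Block the port inbound on every profile.
New-NetFirewallRule -DisplayName 'Block Telnet inbound' -Direction Inbound -Protocol TCP `
    -LocalPort 23 -Action Block -Profile Any
# 2. Keep the port, but only for the management subnet (scope the rule).
New-NetFirewallRule -DisplayName 'WinRM HTTP from mgmt only' -Direction Inbound -Protocol TCP `
    -LocalPort 5985 -RemoteAddress '10.0.10.0/24' -Action Allow -Profile Domain
# 3. Disable the built-in allow rules for a feature instead of adding a block.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
# 4. Flip the profile default so a port is closed unless a rule opens it,
#    and log dropped packets so the scanner's probes show up in pfirewall.log.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Re-run Test-TcpPort from a host outside 10.0.10.0/24: ports 23, 445 and 5985
# must now report Open = False.
```

Method 2 is usually the one worth copying: blocking WinRM outright removes the management channel the rest of this course depends on, while scoping it to the admin subnet keeps it usable and takes it off the attack surface for everyone else.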
Module 6, “Domain inventory”. In this practical module, you will learn how to detect suspicious PowerShell profiles on any domain computer, deploy your profile-detection code, write further inventory scripts that report on AD groups, users, GPOs, etc., and write a script to manage registry keys and values.
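The profile-detection task above, as an added example that is not the course's own script: it inventories every PowerShell profile file on the domain's workstations, hashes each one and flags common malicious constructs. The OU, the output path, the throttle limit and the pattern list are assumptions.

```powershell
# Added example, not the course's own script. Collects every PowerShell profile
# file on the domain's workstations (a profile runs silently at each PowerShell
# start, so it is a favourite persistence spot), hashes it and flags common
# malicious constructs. OU, output path and the pattern list are assumptions.
$scan = {
    # Machine-wide profiles for this host plus every user's per-user profiles.
    $paths = @($PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost)
    $paths += Get-ChildItem -Path 'C:\Users\*\Documents\WindowsPowerShell\*profile.ps1',
                                  'C:\Users\*\Documents\PowerShell\*profile.ps1' `
                            -ErrorAction SilentlyContinue | ForEach-Object FullName
    $bad = 'DownloadString|DownloadFile|FromBase64String|Invoke-Expression|\bIEX\b|' +
           'Start-Process|-WindowStyle\s+Hidden|Register-ScheduledTask|Net\.WebClient'
    foreach ($p in $paths | Where-Object { Test-Path -LiteralPath $_ }) {
        $item = Get-Item -LiteralPath $p
        $text = [string](Get-Content -LiteralPath $p -Raw)
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Path       = $p
            Bytes      = $item.Length
            LastWrite  = $item.LastWriteTime
            Sha256     = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Signature  = (Get-AuthenticodeSignature -FilePath $p).Status   # NotSigned on most hosts
            Suspicious = $text -match $bad
        }
    }
}

# Fan out over WinRM; unreachable hosts are collected rather than aborting the run.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase 'OU=Workstations,DC=contoso,DC=com' |
             Select-Object -ExpandProperty Name
$results = Invoke-Command -ComputerName $computers -ScriptBlock $scan -ThrottleLimit 32 `
           -ErrorAction SilentlyContinue -ErrorVariable failed
$results | Select-Object Computer, Path, Bytes, LastWrite, Sha256, Signature, Suspicious |
    Export-Csv -Path "$env:TEMP\profile-inventory.csv" -NoTypeInformation

# Triage: suspicious content first, then profiles whose hash appears on only one
# machine (a legitimate corporate profile is usually identical everywhere).
$results | Where-Object Suspicious | Format-Table Computer, Path, LastWrite -AutoSize
$results | Group-Object Sha256 | Where-Object Count -eq 1 | ForEach-Object Group |
    Format-Table Computer, Path, LastWrite -AutoSize
"Unreachable: $($failed.TargetObject -join ', ')"
```

The hash-uniqueness check catches what the keyword list misses: an attacker who avoids every obvious cmdlet still ends up with a profile that exists on exactly one machine.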
Module 7, “Domain shares”. In this module, you will learn how to work with network shares, writing a script that covers the following scenarios:
- Domain servers shares
- Shared Directory security info
- Network shares
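The three scenarios above combined into one added example, not the course's own script: a report of every SMB share on the domain's servers with its share-level ACL and the NTFS ACL of the backing directory, flagging shares that broad groups can write to at both levels. The server filter and output path are assumptions; run it from a host with the ActiveDirectory module, against servers reachable over WinRM.

```powershell
# Added example, not the course's own script. Reports every SMB share on the
# domain's servers with its share-level ACL and the NTFS ACL of the backing
# directory, and flags shares that broad groups can write to. Server filter and
# output path are assumptions; run from a host with the AD cmdlets.
function Get-ShareSecurityReport {
    param([Parameter(Mandatory)][string[]]$ComputerName, [switch]$IncludeAdminShares)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $IncludeAdminShares.IsPresent -ScriptBlock {
        param([bool]$IncludeAdmin)
        $broad = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|.*\\Domain Users)$'
        Get-SmbShare | Where-Object { $IncludeAdmin -or -not $_.Special } | ForEach-Object {
            $share = $_
            # Share-level ACL: effective access is the intersection with NTFS, so a
            # share granting Everyone Full is harmless only if NTFS is tight.
            $shareAcl = Get-SmbShareAccess -Name $share.Name
            $shareWide = $shareAcl | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Full', 'Change' -and $_.AccountName -match $broad
            }
            $ntfsWide = $null
            if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
                $ntfsWide = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference.Value -match $broad -and
                    $_.FileSystemRights -match 'FullControl|Modify|Write'
                }
            }
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Share           = $share.Name
                Path            = $share.Path
                ShareAcl        = ($shareAcl | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join '; '
                BroadShareWrite = [bool]$shareWide
                BroadNtfsWrite  = [bool]$ntfsWide
                # Writable by a broad group at both levels: anyone can plant files.
                Exposed         = [bool]$shareWide -and [bool]$ntfsWide
            }
        }
    } | Select-Object * -ExcludeProperty PSComputerName, RunspaceId
}

$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' |
           Select-Object -ExpandProperty Name
$report = Get-ShareSecurityReport -ComputerName $servers
$report | Export-Csv -Path "$env:TEMP\share-report.csv" -NoTypeInformation
$report | Where-Object Exposed | Format-Table Computer, Share, Path, ShareAcl -AutoSize -Wrap
```

Reporting the two ACL layers separately matters: a share with Everyone=Full is a common and acceptable pattern when NTFS carries the real permissions, so only the Exposed column, where both layers are loose, is a finding on its own.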
By the end of this course you will have the skills needed to enrol in Course 10: Hack Windows Server 2019 using PowerShell & WMI, and you will be able to write that course's main tool script of 3500+ lines of code.