WINDOWS SECURITY AUTOMATION MEANS POWERSHELL

In this course you will learn how to:

• Write PowerShell scripts for Windows and Active Directory security automation
• Safely run PowerShell scripts on thousands of hosts over the network
• Defend against PowerShell malware such as ransomware
• Harden Windows Server and Windows 10 against skilled attackers

In particular, we will use PowerShell to secure Windows against many of the attacks described in the MITRE ATT&CK matrix, especially stolen administrative credentials, ransomware, hacker lateral movement inside the LAN, and insecure Windows protocols, like RDP and SMB. You will leave this course ready to start writing your own PowerShell scripts to help secure your Windows environment.

It’s easy to find Windows security checklists, but how do you automate those changes across thousands of machines? How do you safely run scripts on many remote boxes? In this course you will learn not just Windows and Active Directory security, but how to manage security using PowerShell.

DON’T JUST LEARN POWERSHELL SYNTAX, LEARN HOW TO LEVERAGE POWERSHELL AS A FORCE MULTIPLIER FOR WINDOWS SECURITY

There is another reason why PowerShell has become popular: PowerShell is just plain fun! You will be surprised at how much you can accomplish with PowerShell in a short period of time – it’s much more than just a scripting language, and you don’t have to be a coding guru to get going.

Learning PowerShell is also useful for another kind of security: job security. Employers are looking for IT people with PowerShell skills. You don’t have to know any PowerShell to attend this course; we will learn it together during the labs.

You can learn basic PowerShell syntax on YouTube for free, but this course goes far beyond syntax. In this course we will learn how to use PowerShell as a platform for managing security, as a “force multiplier” for the Blue Team, and as a rocket booster for your Windows IT career.

WE WILL WRITE A POWERSHELL RANSOMWARE SCRIPT AND DEFEND AGAINST IT

Unfortunately, PowerShell is being abused by hackers and malware authors, so in the last section of the course, we will write our own ransomware script to see how to defend against scripts like it.

This is a fun course and a real eye-opener, even for Windows administrators with years of experience. Come have fun learning PowerShell and Windows security at the same time.

The course author, Jason Fossen, is a SANS Institute Fellow and has been writing and teaching for SANS since 1998. In fact, SEC505 has had at least one day of PowerShell for more than 10 years, and now PowerShell is the centerpiece of the course.

You Will Be Able To

• Write PowerShell scripts for security automation
• Execute PowerShell scripts on remote systems
• Harden PowerShell itself against abuse, and enable transcription logging for your SIEM
• Use PowerShell to access the WMI service for remote command execution, searching event logs, reconnaissance, and more
• Use Group Policy and PowerShell to grant administrative privileges in a way that reduces the harm if an attack succeeds (assume breach)
• Block the lateral movement of hackers and ransomware using Windows Firewall, IPsec, DNS sinkholes, admin credential protections, and more
• Prevent exploitation using AppLocker and other Windows OS hardening techniques in a scalable way with PowerShell
• Configure PowerShell remoting to use Just Enough Admin (JEA) policies to create a Windows version of Linux sudo and setuid root
• Configure mitigations against pass-the-hash attacks, Kerberos Golden Tickets, Remote Desktop Protocol (RDP) man-in-the-middle attacks, Security Access Token abuse, and other attacks discussed in SEC504 and other SANS hacking courses
• Install and manage a full Windows Public Key Infrastructure (PKI), including smart cards, certificate auto-enrollment, Online Certificate Status Protocol (OCSP) web responders, and detection of spoofed root Certificate Authorities (CAs)
• Harden essential protocols against exploitation, such as SSL, RDP, DNS, PowerShell Remoting, and SMB

6 Day Program
36 CPEs
Laptop Required

“In SEC505, real-life solutions are offered by someone who understands the roadblocks in the way. This is information I could implement tomorrow and make my network more secure.”
— Mary Becken, Egan Company

• Watch a preview of this course
• Discover how to take this course: Online, In-Person

sans.org/sec505

SEC505: Securing Windows and PowerShell Automation

GCWN
Windows Security Administrator
giac.org/gcwn