Securing Windows and PowerShell Automation Course


32 hours
Overview

Securing Windows and PowerShell Automation Course. Want to block Windows attacks, thwart hacker lateral movement inside your LAN, and prevent theft of administrative credentials? And do you want to have fun learning PowerShell scripting at the same time? Then the Securing Windows and PowerShell Automation course is the course for you! In this course you will learn how to use PowerShell to automate Windows security and to harden PowerShell itself. No prior PowerShell scripting experience is required, because you will learn PowerShell along the way. We will even write a PowerShell ransomware script together in a lab in order to implement better defenses against ransomware.

Objectives

After completing the Securing Windows and PowerShell Automation course, you will be able to:

  • Write PowerShell scripts for security automation.
  • Run PowerShell scripts on remote systems over SSH or SSL/TLS.
  • Harden PowerShell itself against abuse.
  • Enable PowerShell transcription logging for your SIEM.
  • Use PowerShell to access the WMI service for remote command execution, event log searching, reconnaissance, and much more.
  • Use Group Policy and PowerShell to grant administrative privileges in a way that limits the damage if an attack succeeds (assume breach).
  • Block hacker and ransomware lateral movement using the Windows Firewall.
  • Configure PowerShell Remoting to use Just Enough Admin (JEA) policies, creating a Windows version of Linux sudo and setuid root.
  • Configure mitigations against pass-the-hash attacks, Kerberos Golden Tickets, Remote Desktop Protocol (RDP) man-in-the-middle attacks, Security Access Token abuse, and other attacks discussed in SEC504 and other SANS hacking courses.
  • Install and manage a complete Windows Public Key Infrastructure (PKI), including smart cards, certificate auto-enrollment, Online Certificate Status Protocol (OCSP) web responders, and detection of spoofed root certificate authorities (CAs).
  • Harden essential protocols against exploitation, such as TLS, RDP, DNS, PowerShell Remoting, and SMB.
  • More than 200 PowerShell scripts written by the course author, plus security templates and other tools used in the labs.
  • Printed textbooks with tons of notes already in the manuals (in general, SEC505 attendees rarely need to take handwritten notes during the seminar; the notes are already in the course material).
  • Searchable electronic copies of the course material.
  • Audio recordings of the entire course that you can download and keep.
Target Audience
  • Anyone who wants to learn PowerShell automation
  • Network defenders, especially in GOV or MIL environments
  • Windows endpoint and server administrators
  • The Securing Windows and PowerShell Automation course is for the "Ops" people in SecOps/DevOps
  • Anyone implementing the CIS Critical Security Controls
  • Anyone implementing MITRE ATT&CK mitigations
Prerequisites
  • General familiarity with the basics of Windows Server and Active Directory.
  • Comfortable opening a command shell and running commands.
  • Able to create a virtual machine using VMware, VirtualBox, or similar.
  • No prior PowerShell scripting experience is required.
Materials
English/Portuguese/Hands-on lab
Syllabus

Learn PowerShell Scripting for Security


PowerShell Is Dangerous (and Fun)

  1. The backbone of Windows and Azure automation
  2. Piping .NET and COM objects, not text
  3. Graphical admin tools wrapped around PowerShell
  4. Built-in remote script execution

Writing Your Own Scripts, Functions, and Modules

  1. Passing arguments into your scripts
  2. Cmdlets, functions, and aliases in your profile script
  3. Flow control: if-then, do-while, foreach, switch
  4. The .NET Framework class library: a vast playground
  5. How to pipe data in/out of your scripts
  6. How to create your own module script

Up and Running Quickly with PowerShell

  1. Capturing the output of commands
  2. Parsing text files and logs with regex patterns
  3. Mounting the registry as a drive
  4. Importing third-party modules and functions
  5. https://www.PowerShellGallery.com

Piping Objects Instead of Text

  1. Classes, objects, properties, and methods
  2. An array of objects is like a table of SQL records
  3. Extracting just the properties you want
  4. Exporting objects to CSV, HTML, XML, and JSON files
  5. Filtering, sorting, and grouping objects (not text)

You Don't Know THE POWER!

PowerShell Remoting

  1. Get a remote command shell with PowerShell
  2. Smart card and YubiKey authentication
  3. Using SSL/TLS or SSH to encrypt traffic
  4. Remote command execution in scheduled tasks
  5. File upload and download using the PowerShell Remoting protocol
  6. Graphical apps can use PowerShell remoting too

OpenSSH on Windows

  1. Windows can be an SSH server? Yes!
  2. OpenSSH support is now built into Windows
  3. PowerShell Core integration with SSH
  4. Hardening SSH for Internet use
  5. Kerberos and public key authentication for SSH

PowerShell Just Enough Admin (JEA)

  1. JEA is like setuid root on Linux
  2. Restricting PowerShell commands and arguments
  3. Verbose transcription logging of commands
  4. How to set up and configure JEA
  5. JEA for Privileged Access Workstations (PAWs)

PowerShell, Group Policy, and the Task Scheduler

  1. Deploying PowerShell startup and logon scripts
  2. Group Policy scheduled tasks to run PowerShell scripts
  3. The Task Scheduler service and admin credentials
  4. WMI item-level targeting of PowerShell scripts

PowerShell for WMI and Active Directory


PowerShell Baselines with WMI

  1. What is WMI and why do hackers abuse it so much?
  2. Remote command execution through WMI
  3. Using PowerShell to query WMI namespaces and classes
  4. WMI service authentication and traffic encryption
  5. Gathering reconnaissance data from remote systems
  6. Microsoft Windows Admin Center (WAC) web application
  7. WMI logging for hacker and malware visibility

PowerShell for Active Directory

  1. Querying and managing Active Directory with PowerShell
  2. Enforcing desired Domain Admins group membership
  3. Disabling abandoned user accounts and resetting passwords
  4. Detecting password brute-force attacks
  5. Searching organizational units using filter criteria
  6. ADSI Edit and other helper tools for PowerShell
  7. Active Directory Administrative Center (ADAC)

Active Directory Permissions and Auditing

  1. Active Directory objects have permissions
  2. Active Directory objects have auditing
  3. Limit what PowerShell scripts can do in Active Directory
  4. Log what PowerShell scripts are doing in Active Directory
  5. Delegate authority at the OU level instead
  6. Designing Active Directory for the inevitable breach

Hardening Network Services with PowerShell


Server Hardening Automation for DevOps

  1. Replacing Server Manager with PowerShell
  2. Windows Admin Center (WAC) web application
  3. Adding and removing roles and features
  4. Remotely gathering an inventory of roles and features
  5. Why use Server Nano or Server Core?
  6. Running PowerShell automatically after service failure
  7. Service account identities, passwords, and risks
  8. Tools to reset service account passwords securely

Windows Firewall Scripting

  1. PowerShell management of Windows Firewall rules
  2. Blocking malware outbound connections
  3. Role-based access control for listening ports
  4. Deep IPsec integration for user authentication
  5. Firewall logging to the event logs, not to text logs

Share Permissions for TCP/UDP Listening Ports with IPsec

  1. PowerShell management of IPsec rules
  2. IPsec for blocking post-exploitation lateral movement
  3. Limiting access to ports based on global group membership
  4. IPsec-based encrypted VLANs
  5. IPsec is not just for VPNs!

Certificates and Multifactor Authentication


Certificate Authentication and TLS Encryption for PowerShell

  1. Certificates for smart card authentication of PowerShell remoting
  2. Certificates for TLS encryption of PowerShell remoting
  3. Certificates to sign PowerShell scripts for AppLocker
  4. Certificates for TLS encryption of WMI queries with PowerShell
  5. Certificates for web servers, domain controllers, and everything else

Install a Windows Certificate Server with PowerShell

  1. PowerShell installation script for Public Key Infrastructure (PKI)
  2. Managing digital certificates with PowerShell
  3. Custom certificate templates in Active Directory
  4. Controlling certificate auto-enrollment
  5. Setting up an Online Certificate Status Protocol (OCSP) responder web farm
  6. Configuring Certificate Revocation List (CRL) publication

Deploying Smart Cards, Smart Tokens, and TPM Virtual Smart Cards

  1. The gold standard for multi-factor authentication is a smart card/token
  2. YubiKey smart tokens for logon, PowerShell remoting, and much more
  3. Trusted Platform Module (TPM) virtual smart cards
  4. Safely enroll tokens and cards on behalf of other users
  5. How to revoke compromised certificates
  6. PowerShell script to audit trusted root CAs
  7. PowerShell script to delete hacker certificates

Security Best Practices

  1. Privilege escalation to Domain Admin through bad PKI
  2. Protect the private keys of your certificates from malware
  3. How to use PKI smart cards and smart tokens
  4. How to encrypt private keys on the hard drive
  5. Hardware Security Module (HSM) for CAs
  6. How to digitally sign PowerShell scripts
  7. SSL is dead, long live TLS
  8. TLS cipher suite optimization

Capstone: PowerShell Security, Ransomware & DevOps


PowerShell Ransomware

  1. We will write a PowerShell ransomware script in a lab
  2. What can be done to combat ransomware?
  3. Just having backups is not enough

Anti-Exploitation Defenses for PowerShell

  1. AppLocker for PowerShell
  2. Scripting AppLocker with PowerShell
  3. PowerShell execution policy
  4. PowerShell constrained language mode
  5. Anti-Malware Scan Interface (AMSI)
  6. Restricting network access to block pivoting
  7. Hashing scripts for change detection
  8. How to digitally sign our PowerShell scripts
  9. The Principle of (Endpoint) Least Privilege
  10. Prevent Domain Admin credential theft at all costs!
  11. Windows 10 Credential Guard
  12. User Account Control (UAC) instead of RUNAS.EXE

PowerShell Visibility and Detection

  1. PowerShell transcription logging
  2. WMI namespace auditing
  3. Windows Event Log audit policies
  4. Querying Windows Event Logs with PowerShell

DevOps Automation with PowerShell

  1. Putting it all together with PowerShell
  2. How to write an all-in-one build script with OS hardening
  3. PowerShell for roles, features, networking, policies, etc.
  4. The future of IT administration is automation
  5. We will all need to be "full stack engineers" soon