This past week I attended the SpecterOps Adversary Tactics: PowerShell class. I’ve been wanting to take this course since it was announced by SpecterOps. If you’re not familiar with my blog, I wrote about Matt Graeber’s Derbycon keynote this past fall and have been a fanboy of Matt since then. I found his keynote very inspiring and wanted to push myself to learn/grow enough to start discovering my own Device Guard and PowerShell Constrained Language Mode bypasses. In addition to that, Windows Defender with AMSI has been giving me issues while developing the new version of GreatSCT, and I wanted to learn a methodology in order to consistently bypass AMSI. While this course only applied to AMSI PowerShell bypasses, the methodology taught in the class can be applied to other situations where AMSI is detecting your tradecraft. I came to the course with an open mind and threw out all assumptions I had made about PowerShell. Anyway, I wanted to give a little background information on why I personally decided to take this class.
SpecterOps Adversary Tactics: PowerShell Class
The official course description can be seen below.
Automation is necessary to be efficient and successful in security for both offensive and defensive teams. Furthermore, with the rapid pace of migration to cloud infrastructure, the need to interact with infrastructure through automation is more important than ever. PowerShell is the language and shell that drives automation across the Windows and Azure ecosystem. Sitting on top of the massive .NET class library, there is very little that cannot be done in PowerShell. Today, PowerShell is relied upon by red teams, threat hunters, incident responders, penetration testers, criminals, and nation-state adversaries alike. Before robust detection capabilities were widely deployed, PowerShell was also the tool of choice for attackers to evade detection. Between the modern security features offered and the fact that most AV/EDR solutions have a PowerShell prevention/detection component, it is imperative that both red teamers and blue teamers understand the defensive landscape when building and using tools within the language.
This class is designed to teach students already comfortable with the basics of PowerShell to take full advantage of the unique benefits it offers security professionals. Since the introduction of version 5, the security optics and preventative controls of PowerShell are unparalleled. Students will learn how to configure, audit, monitor, and bypass every preventative and detective control that PowerShell has to offer. By the end of the class, students will walk away with a profound appreciation of PowerShell’s capabilities, strong security enforcement and optics, as well as the extent of its unique, post-exploitation attack surface. Additionally, students will become even more comfortable using PowerShell and identifying when it’s the right tool for the job and when it’s not.
Defenders must know the reality of how attackers subvert security controls, and mature offensive security testers must know the defensive landscape in which they must tread carefully. This class will serve as a deep dive into PowerShell security capabilities. Every topic presented in class will follow the theme of “for every action, there is an equal and opposite reaction,” whereby mitigations, detections, and bypasses will be discussed for nearly every topic covered.
Topics covered include:
- OPSEC-aware PowerShell tradecraft principles
- PowerShell Remoting
- Execution of PowerShell in non-traditional host processes
- Configuration, auditing, analysis, and evasion of preventative and detective security controls including PSv5 logging, constrained language mode, and AMSI
- Windows Management Instrumentation and Active Directory deep dives
- Low-level, Win32 interop and .NET internals for host artifact evasion and stealth
- Code injection discovery, exploitation, and prevention
- PowerShell Basics Refresher
- PowerShell Remoting
- PowerShell Without PowerShell
  - 3rd party, alternate PowerShell hosts
  - Supported Microsoft PowerShell hosts
  - Unintended Microsoft PowerShell hosts
  - Command-line logging evasion
- Windows Management Instrumentation (WMI)
  - Interacting with WMI
  - Querying WMI and discovery
- Active Directory
  - Interacting with Active Directory
  - LDAP search filters
  - Active Directory ACLs
- Command and control
- PowerView “PowerUsage”
- PowerShell Prevention – Implementation, Auditing, and Bypasses
  - Constrained Language Mode
  - Just Enough Administration (JEA)
  - Downgrade attack mitigation
  - Anti-malware Scan Interface (AMSI)
  - Exploiting code injection vulnerabilities
  - Code signing and trust enforcement
- PowerShell Detection – Implementation, Auditing, and Bypasses
  - Classic and modern event logs
  - Event Tracing for Windows (ETW)
- Internal .NET member access/invocation
  - In-memory .NET assembly loading
  - Add-Type internals, host footprint, and evasion strategies
  - Dynamic code generation
- Low-level, Win32 Interop
  - P/Invoke and Win32 API basics
  - Borrowing internal methods
Students are expected to have the following:
- A basic level of comfort/familiarity with PowerShell. A strong developer background is not required.
- The ability to connect to the internet and connect to a VM over RDP (and optionally, PowerShell remoting – port 5985)
- A Windows 10 VM (preferably Windows 10 Enterprise for the Device Guard lab).
- A willingness to learn and to get your hands dirty in intensive labs!
Participants will need to bring a laptop with:
- 8GB of RAM
- Ability to run a virtual machine (VMware Player, Workstation, Fusion)
The course also includes:
- Four-day training
- All-day beverages and snacks
- Daily lunch
- Wednesday night happy hour with the instructors
I honestly did not prepare much for this course other than making sure I had the ability to run a virtual machine and set up a brand new Windows 10 Enterprise VM.
- Download Windows 10 Enterprise
- Install Windows 10 Enterprise in a VM
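Before showing up, it is worth confirming that the VM actually satisfies the prerequisites listed above (Windows 10 Enterprise for the Device Guard lab, PowerShell 5+, WinRM reachable on 5985) and taking a first look at the preventative and detective controls the course audits: language mode, the PowerShell 2.0 engine that downgrade attacks target, script block logging, and AMSI. The following readiness check is an added example written for this post; it is not course material from SpecterOps and is not from the original author. It only uses built-in cmdlets, and the registry path, feature name and the decision to treat a missing policy value as "logging off" are assumptions about a default Windows 10 install; run it from an elevated PowerShell 5.1 prompt inside the VM.

```powershell
# Added example (not from the original post or from SpecterOps): pre-class
# readiness check for the lab VM. Assumes an elevated Windows PowerShell 5.1
# prompt on a default Windows 10 install.

function Get-LabReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result = [ordered]@{
        OSCaption           = $os.Caption
        IsEnterprise        = ($os.Caption -match 'Enterprise')
        PSVersion           = $PSVersionTable.PSVersion.ToString()
        # FullLanguage vs ConstrainedLanguage tells you whether CLM is enforced here.
        LanguageMode        = $ExecutionContext.SessionState.LanguageMode.ToString()
        WinRMListening      = $null
        PSv2EngineInstalled = $null
        ScriptBlockLogging  = $null
        AmsiDllPresent      = (Test-Path "$env:SystemRoot\System32\amsi.dll")
    }

    # Remoting prerequisite from the course requirements: HTTP WinRM listener on 5985.
    $result.WinRMListening = [bool](Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue)

    # Downgrade attack surface: the optional Windows PowerShell 2.0 engine.
    # Querying optional features needs elevation; $null means "could not determine".
    try {
        $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop
        $result.PSv2EngineInstalled = ($v2.State -eq 'Enabled')
    } catch {
        $result.PSv2EngineInstalled = $null
    }

    # Detective control: script block logging policy (produces Event ID 4104).
    # Assumption: no policy value present means the default (logging off).
    $sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $result.ScriptBlockLogging = if ($null -eq $sbl) { $false } else { $sbl.EnableScriptBlockLogging -eq 1 }

    [pscustomobject]$result
}

$r = Get-LabReadiness
$r | Format-List

# Summarize what a student would want to fix or at least know about before day one.
$problems = @()
if (-not $r.IsEnterprise) {
    $problems += 'Not Windows 10 Enterprise: the Device Guard lab expects Enterprise.'
}
if ([version]$r.PSVersion -lt [version]'5.0') {
    $problems += 'PowerShell 5+ is needed for the PSv5 logging and CLM material.'
}
if (-not $r.WinRMListening) {
    $problems += 'Nothing listening on 5985; run Enable-PSRemoting -Force if you want the remoting labs.'
}
if ($r.PSv2EngineInstalled -eq $true) {
    $problems += 'PowerShell 2.0 engine is enabled; this is the classic downgrade-attack target.'
}
if (-not $r.ScriptBlockLogging) {
    $problems += 'Script block logging is off; enable it to see 4104 events during the detection labs.'
}
$problems
```

The check deliberately reports rather than changes state: whether the v2 engine stays installed or logging stays off is exactly the kind of "mitigation versus bypass" trade-off the class walks through, so it is more useful to see the starting point than to silently harden the VM.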
I’m going to attempt to do an unbiased review of the SpecterOps PowerShell training course and be as transparent as I can in the process. Keep in mind, I’m trying not to reveal any of the proprietary aspects of the class. Let’s dive right in with my experience on Day 1 of the class. I arrived at the designated training location around 8:55 AM and was greeted by the SpecterOps crew. I don’t have a picture of what it looked like when I arrived; however, you can see a picture of the swag given to each student below.
After grabbing coffee and settling in, I copied the course materials from the USB drive provided to us. The instructors introduced themselves and began teaching the material. Day one started with teaching the basics of PowerShell and ended with reverse engineering runscripthelper.exe to learn a methodology for approaching the discovery of these types of bypasses. This is the recurring theme within the course: to teach the student a methodology for approaching (ab)using PowerShell in their information security role. While it may seem like an attack-focused class on the surface, there are offensive and defensive labs. The class also continually builds on itself. If you miss thirty minutes for a client call on day three or four, you might come back feeling lost. I could say a lot about this class; however, I’m going to focus on the highlights of the course for me.
- Collaborating with the instructors during live demonstrations.
- Their live demos are based on student feedback. For example, on Day 4, while learning the methodology to discover PowerShell Constrained Language Mode bypasses, the instructors investigated aspects based on student suggestions. The instructors were operating in scenarios they had never dealt with before and showed how to apply the methodology.
- Learning a methodology to bypass AMSI
- Before this class, I was shooting in the dark to bypass all the things when AMSI is implemented. Now I have a solid methodology to approach this.
- PowerShell Reflection
- I didn’t understand PowerShell reflection before this class and they cleared up a lot of misconceptions as well as assumptions I had.
- Hunting for PowerShell constrained language mode and Device Guard bypasses
- This has taken up a lot of my time since the course, and I never thought I would be able to do it. I haven’t been able to successfully weaponize any of the potential PowerShell Constrained Language Mode bypasses yet; however, I am now capable of identifying them.
It’s going to take time to reflect on and digest all the material from this course; persistence is key.
If you’re on the fence about taking this course, I would highly recommend taking it. I walked away from the course feeling like I knew nothing, like Jon Snow from Game of Thrones, yet at the same time I had a methodology to approach some of the challenges that have been overwhelming me recently. Hands down, this is the best security training class I have ever taken!