The course covers advanced techniques in the use of PowerShell and MS Windows components in pentest phases, starting from the basic concepts, such as "Living Off the Land" commands and recon techniques, to advanced ones, such as exploration, obfuscation, exfiltration, C2, adversary emulation and others.
What skills will you gain?
- Understand models and frameworks such as Cyber Kill Chain and MITRE ATT&CK;
- Understand the phases of a cyber attack;
- Use native Windows system tools for offensive activities;
- Identify vulnerabilities in Windows systems;
- Use offensive tools for Exploitation activities on Windows systems;
- Perform Post-Exploitation activities;
- Hide Post-Exploitation activities using stealth techniques;
- Escalate privileges;
- Extract access credentials in memory;
- Perform lateral movement activities;
- Establish persistence mechanisms;
- Use C2 tools and establish a communication channel;
- Exfiltrate data from a system;
- Map the structure of Active Directory environments;
- Perform Active Directory attacks;
- Use an adversary emulation tool.
Course general information:
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
Course launch date: September 30th, 2022
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
What will you need?
Students will use their own infrastructure and workstations (Windows, Linux or Mac OS) with the ability to run two to three virtual machines simultaneously.
- Minimum configuration of 8 GB of RAM, 60 GB of free disk space, a USB port and a network card (RJ45 or wireless) for Internet access.
- Virtualization software that can create snapshots, such as VMware or Oracle VirtualBox.
- During some offensive activities the Kali Linux distribution will be used, but the student can use any Linux OS.
What should you know before you join?
- Basic knowledge of Windows and Linux Operating Systems;
- Basic Active Directory structure, basic shell commands, network configuration, services and processes, and management of local users;
- Basic knowledge of computer network and protocols;
- Familiarity with the Kali Linux distribution;
- Familiarity with virtual machine tools.
The instructor graduated in Computer Engineering and holds a master's degree in cybersecurity, with most of his 15 years of experience split between Blue Team and Red Team roles, including leadership and management of information security departments in international companies.
Windows command line essentials and LOLBAS
Information and demos on the Windows CLI (command line interface) and an introduction to "Living Off The Land".
Module 1 covered topics:
- Windows CLI commands such as systeminfo, netstat, tasklist, net user, net use, netsh, net localgroup, net session, sc, schtasks, certutil and others used in offensive activities;
- Recon and information gathering;
- Living Off The Land (LOTL) Attacks.
Module 1 exercises:
- Information gathering without PowerShell.
Working with cmdlets, running script commands, and performing tasks such as restriction bypass, offensive parameters, cache, aliases and others.
Module 2 covered topics:
- Basic offensive PowerShell commands;
- Working with Windows CLI and PowerShell scripts to collect important information about the network and domain.
Module 2 exercises:
- Information gathering with PowerShell.
Exploitation and Payloads
Metasploit, PowerSploit, Nishang and Windows PrivEsc.
Module 3 covered topics:
- Demonstration of the tools used to compromise Windows operating systems, and of components such as MSFVenom and other payloads;
- Demonstration of privilege elevation techniques; exploitation of the Follina vulnerability (CVE-2022-30190) is one of the techniques taught in this module.
Module 3 exercises:
- Conducting Windows privilege escalation using the Metasploit framework, non-Metasploit payloads, advanced techniques and tricks.
Learn post-exploitation penetration testing techniques and configure tools that extend an attack on a target that has already been compromised.
Module 4 covered topics:
- Lateral Movement Techniques with exploitation of remote services;
- Privilege Escalation;
- Creating persistence, maintaining access, and weaponization;
- Offensive techniques;
- Password dump;
- Obfuscation and Data Exfiltration;
- Clearing tracks and logs.
Module 4 exercises:
- Perform attacks using Metasploit advanced features;
- Obfuscation and encoding of payloads;
- Dumping password hashes;
- Port redirection and forwarding for pivoting and tunneling.
Active Directory Mapping
After the initial target has been compromised, the next step is gathering more information about the Active Directory structure that the asset is part of.
Module 5 covered topics:
- Information mapping with Active Directory-specific reconnaissance scripts;
- Use of a graphical interface tool called BloodHound.
Module 5 exercises:
- Installation and setup of BloodHound for information gathering from Active Directory.
Active Directory Attacks
An explanation of golden and silver tickets and of Kerberos attacks.
Module 6 covered topics:
- Detailed and step-by-step demonstration of Active Directory attack techniques.
Module 6 exercises:
- Perform attacks against the AD environment such as Kerberos attacks, Pass-the-Hash, and golden and silver tickets.
Command and Control (C2) based on PowerShell
Installation and configuration of Command and Control (C2) frameworks, namely Empire and Covenant.
Module 7 covered topics:
- How to install and configure a command and control channel called Empire;
- Setting up its listeners;
- Sending remote commands and other post-exploitation modules.
Module 7 exercises:
- Installation and setup of a C2 application for use in a Windows environment.
Adversary Emulation and MITRE ATT&CK Framework
Installation and configuration of an adversary emulation tool that uses tactics, techniques and procedures (TTPs) from the MITRE ATT&CK framework.
Module 8 covered topics:
- Demonstration of an intrusion simulation using an exploitable attack vector to identify the defense level of the target infrastructure, and visualization of the result classified according to the ATT&CK matrix.
Module 8 exercises:
- Installation and setup of CALDERA™ to identify the Tactics, Techniques, and Procedures (TTP) used by threat actors.