About the course
Certification: GCWN GIAC Certified Windows Security Administrator
Want to block Windows attacks, thwart the lateral movement of hackers inside your LAN, and prevent administrative credential theft? And you want to have fun learning PowerShell scripting at the same time? Then SEC505 is the course for you! In SEC505 you will learn how to use PowerShell to automate Windows security and harden PowerShell itself. No prior PowerShell scripting experience is required to take the course because you will learn PowerShell along the way. We will even write a PowerShell ransomware script together in a lab in order to implement better ransomware defences. The course author, Jason Fossen, is a Faculty Fellow who has taught defensible PowerShell at SANS for more than a decade. Jason gives away his PowerShell security scripts for free at https://BlueTeamPowerShell.com.
What You Will Learn
WINDOWS SECURITY AUTOMATION MEANS POWERSHELL
In this course (SEC505) you will learn how to:
- Write PowerShell scripts for Windows and Active Directory security automation
- Safely run PowerShell scripts on thousands of hosts over the network
- Defend against PowerShell malware such as ransomware
- Harden Windows Server and Windows 10 against skilled attackers
In particular, we will use PowerShell to secure Windows against many of the attacks described in the MITRE ATT&CK matrix, especially stolen administrative credentials, ransomware, hacker lateral movement inside the LAN, and insecure Windows protocols, like RDP and SMB.
You will leave this course ready to start writing your own PowerShell scripts to help secure your Windows environment. It's easy to find Windows security checklists, but how do you automate those changes across thousands of machines? How do you safely run scripts on many remote boxes? In this course you will learn not just Windows and Active Directory security, but how to manage security using PowerShell.
DON'T JUST LEARN POWERSHELL SYNTAX, LEARN HOW TO LEVERAGE POWERSHELL AS A FORCE MULTIPLIER FOR WINDOWS SECURITY
There is another reason why PowerShell has become popular: PowerShell is just plain fun! You will be surprised at how much you can accomplish with PowerShell in a short period of time - it's much more than just a scripting language, and you don't have to be a coding guru to get going.
Learning PowerShell is also useful for another kind of security: job security. Employers are looking for IT people with PowerShell skills. You don't have to know any PowerShell to attend this course, we will learn it together during the labs.
You can learn basic PowerShell syntax on YouTube for free, but this week goes far beyond syntax. In this course we will learn how to use PowerShell as a platform for managing security, as a "force multiplier" for the Blue Team, and as a rocket booster for your Windows IT career.
WE WILL WRITE A POWERSHELL RANSOMWARE SCRIPT AND DEFEND AGAINST IT
Unfortunately, PowerShell is being abused by hackers and malware authors. On the last day of the course, we will write our own ransomware script to see how to defend against scripts like it.
This is a fun course and a real eye-opener, even for Windows administrators with years of experience. Come have fun learning PowerShell and Windows security at the same time.
The course author, Jason Fossen, is a SANS Institute Fellow and has been writing and teaching for SANS since 1998. In fact, this course (SEC505) has had at least one day of PowerShell for more than ten years, and now PowerShell is the centerpiece of the course.
PowerShell scripting of Windows Management Instrumentation (WMI)
PowerShell remote command execution
PowerShell Core with OpenSSH
PowerShell Just Enough Admin (JEA)
PowerShell scripting of Active Directory
PowerShell scripts to replace Microsoft LAPS
PowerShell certificate authentication, such as with YubiKeys
PowerShell hardening of TLS, RDP and SMB
PowerShell malware and lateral movement inside the LAN
PowerShell ransomware - too easy, all too easy
You Will Be Able To
Write PowerShell scripts for security automation.
Execute PowerShell scripts on remote systems.
Harden PowerShell itself against abuse, and enable transcription logging for your SIEM.
Use PowerShell to access the WMI service for remote command execution, searching event logs, reconnaissance, and more.
Use Group Policy and PowerShell to grant administrative privileges in a way that reduces the harm if an attack succeeds (assume breach).
Block the lateral movement of hackers and ransomware using Windows Firewall, IPsec, DNS sinkholes, admin credential protections, and more.
Prevent exploitation using AppLocker and other Windows OS hardening techniques in a scalable way with PowerShell.
Configure PowerShell remoting to use Just Enough Admin (JEA) policies to create a Windows version of Linux sudo and setuid root.
Configure mitigations against pass-the-hash attacks, Kerberos Golden Tickets, Remote Desktop Protocol (RDP) man-in-the-middle attacks, Security Access Token abuse, and other attacks discussed in SEC504 and other SANS hacking courses.
Install and manage a full Windows Public Key Infrastructure (PKI), including smart cards, certificate auto-enrollment, Online Certificate Status Protocol (OCSP) web responders, and detection of spoofed root Certificate Authentications (CAs).
Harden essential protocols against exploitation, such as SSL, RDP, DNS, PowerShell Remoting, and SMB.
What You Will Receive
A Digital Download Package with over 200 PowerShell scripts written by the course author, plus security templates and other tools used in the labs. The scripts are in the public domain and can be downloaded from https://BlueTeamPowerShell.com.
Electronic Courseware that is much more than just slides with some sparse notes. The courseware is written as textbooks with screenshots, lab exercises, and more. In general, SEC505 attendees rarely need to take hand-written notes during seminar, the notes are already in the courseware.
When bundled with the GCWN certification exam, audio recordings of the entire course that you can take with you when the course is over.
Syllabus (36 CPEs)
SEC505.1: Learn PowerShell Scripting for Security
SEC505.2: You Don't Know the POWER!
SEC505.3: WMI and Active Directory Scripting
SEC505.4: Hardening Network Services with PowerShell
SEC505.5: Certificates and Multifactor Authentication
SEC505.6: PowerShell Security, Ransomware, and DevOps
GIAC Certified Windows Security Administrator
The GIAC Certified Windows System Administrator (GCWN) certification validates a practitioner's ability to secure Microsoft Windows clients and servers. GCWN certification holders have the knowledge and skills needed to configure and manage the security of Microsoft operating systems and applications, including: PKI, IPSec, Group Policy, AppLocker, DNSSEC, PowerShell, and hardening Windows against malware and persistent adversaries.
Operating system and application hardening
Restricting administrative compromise
A general familiarity with Windows Server and Active Directory concepts is presumed, but you do not have to be an expert.
You should be comfortable opening a command shell and running scripts with arguments.
Prior PowerShell scripting experience is not required. We will learn the essentials of PowerShell coding together.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
Please bring the following items with you when you attend SEC505:
Laptop with 8GB or more of memory, a USB port, with any operating system you prefer.
You may use any locally-installed virtualization software you prefer, such as Oracle VirtualBox or VMware, and then create your Windows Server VM before the first day of class. Do not run create a VM on a remote virtualization server or in the cloud.
Download the free, evaluation version of Windows Server 2019 from Microsoft. This ISO file is free and does not require a license number. Just click on site:microsoft.com windows server trial eval to find the ISO download on Microsoft's website.
Please install a Virtual Machine (VM) running the free evaluation version of Windows Server 2019. When you install the Windows Server VM, choose the option for "Windows Server 2019 Datacenter Evaluation (Desktop Experience)." No other special OS configuration is required; just accept all the defaults during installation. If you have any setup questions, please contact SANS at email@example.com for friendly help.
Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Do not apply patches or updates to the Windows Server VM.
Please install your Windows Server VM before you arrive, not on the morning of the training. This will ensure that there are no firmware issues or other problems with creating VMs.
Please don't let your IT department spoil your training experience by giving you a "loaner laptop" that is too slow or locked down. You must have administrative privileges on the laptop, be able to create two virtual machines, and be allowed to copy files from a USB flash drive.