SEC586: Blue Team Operations: Defensive PowerShell

Provided by

Enquire about this course

About the course

Are you a Blue Teamer who has been asked to do more with less? Do you wish that you could detect and respond at the same pace as your adversaries who are breaking into and moving within the network? Blue Team Operations: Defensive PowerShell teaches deep automation and defensive capabilities using PowerShell. Come join us and learn how to automate everything from regular hardening and auditing tasks to advanced defences. This course will provide you with skills for near real-time detection and response and elevate your defences to the next level.

What You Will Learn
Effective Blue Teams work to harden infrastructure, minimize time to detection, and enable real-time response to keep pace with modern adversaries. Automation is a key component of these capabilities, and PowerShell can be the glue that facilitates orchestration across disparate systems and platforms, effectively making them a force multiplier for Blue Teams. This course will enable information security professionals to leverage PowerShell to build tooling that hardens systems, hunts for threats, and responds to attacks immediately upon discovery.

PowerShell is uniquely positioned to help Blue Teams because it acts as a cross-platform automation toolset that is built on top of the .NET framework, giving it nearly limitless extensibility. SEC586 maximizes the use of PowerShell using an approach specifically based on Blue Team use cases.

Students will learn:

  • PowerShell scripting fundamentals from the ground up in terms of PowerShell's capabilities as a defensive toolset
  • Ways to maximize performance of code across dozens, hundreds, or thousands of systems
  • Modern hardening techniques using Infrastructure-as-Code principles
  • How to integrate disparate systems for multi-platform orchestration
  • PowerShell-based detection techniques ranging from Event Tracing for Windows to baseline deviation and deception
  • Response techniques leveraging PowerShell-based automation

This course is meant to be accessible to beginners new to the PowerShell scripting language as well as to seasoned veterans looking to round out their skillset. Language fundamentals are covered in depth, with hands-on labs to help students become comfortable with the platform. For skilled PowerShell users who already know the basics, the material aims to solidify knowledge of the underlying mechanics while providing additional challenges to further this understanding.

The PowerPlay platform built into the lab environment allows for practical, hands-on drilling of concepts to ensure understanding, promote creativity and provide a challenging environment for anyone to build on their existing skillset. PowerPlay consists of challenges and questions that map back to the course material as well as extend it.

Between the course material and the PowerPlay bonus environment, SEC586 students will leave well equipped with the skills to automate everyday Cyber Defense tasks. Students will return to work ready to implement a new set of skills to harden their systems and accelerate capabilities to immediately detect threats and respond to them.

You Will Be Able To:

  • Write scripts and ad hoc PowerShell as needed to solve cybersecurity use cases
  • Read and expand existing tooling
  • Harden systems using PowerShell
  • Test for visibility gaps and misconfigurations in an automated fashion
  • Integrate disparate systems to enable orchestration across various platforms
  • Build advanced detections using PowerShell as the underlying platform
  • Automate response initiatives before an incident occurs, enabling rapid response

This Course Will Prepare You To:

  • Automate many common tasks to focus efforts on additional areas for improvement
  • Leverage a native, cross-platform technology to maximize protection
  • Enhance protection, detection, and response capabilities using PowerShell
  • Reduce time to detection and time to response when incidents do occur

You Will Receive With This Course:

A Windows virtual machine hosting the lab environment
Full walkthroughs of each lab within a wiki on the virtual machine
The PowerPlay question-and-answer guide for additional drilling of concepts

Syllabus (18 CPEs)
SEC586.1: PowerShell Fundamentals

SEC586.2: Know and Protect Thyself

SEC586.3: Find Evil



  • Basic understanding of programming concepts
  • Basic understanding of Information Security principles

Laptop Requirements
Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. You also must have 8 GB of RAM or higher for the virtual machine to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Download and install either VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+ on your system prior to the beginning of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
RAM: 8 gigabytes of RAM or higher is mandatory for this class (Important - Please Read: 8 GB of RAM or higher is mandatory)
USB 3.0 ports highly recommended
Disk: 50 gigabytes of free disk space
Administrative access to disable any host-based firewall
VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
A Windows virtual machine will be provided in class
Author Statement
"My Information Security experience has taught me that human analysis is a critical attribute of effective cyber defense. Yet, the very people who are critical to preventing, discovering, and responding to threats are often bogged down with manual work that, while it needs to be done, is done at the expense of more advanced efforts. At the same time, we're facing a critical personnel and skills shortage in Information Security, and many organizations are struggling to fill open positions.

"The immediate answer to these problems, in my opinion, is automation. PowerShell is a cross-platform automation engine that is uniquely positioned for this task. Blue Teams can transform their everyday operations by automating wherever possible. System auditing and hardening tasks can be streamlined via configuration as code and substantial automation, leaving room for professionals to interpret reporting and work on higher-level tasks. Detection and response tasks can also be significantly improved. Data aggregation and analysis can be performed automatically, leaving analysts with pre-filtered data of interest to aid in detection. For response, a pre-built toolkit can enable near real-time response actions such as quarantining systems on the network, interrogating suspicious hosts for more information, capturing artifacts for forensic analysis, or even automatically remediating common issues.

"SEC586 is designed to help teams raise the bar and spend time on what will provide the most value to their organizations. Deep automation alongside capable professionals flips the script and makes organizations a dangerous target for their adversaries."

-Josh Johnson


Start date Location / delivery
No fixed date Online Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...