Training 2017 - Offensive PowerShell for Red and Blue Teams

From BruCON 2017

Offensive PowerShell for Red and Blue Teams

After the great success last year (30+ students), we are bringing this back to you! In this course, you'll learn how to attack Windows networks using PowerShell, based on real world Red Team assessments. The course runs on a lab network with multiple Active Directory forests to which attendees will have free access for one month after the training. The class consists of hands-on exercises, challenges and demonstrations.

Course Description

Penetration Tests and Red Team operations for secured environments need altered approaches. You cannot afford to touch disk, throw executables and use memory corruption exploits without the risk of being ineffective as a simulated adversary. To enhance offensive tactics and methodologies, PowerShell is the tool of choice.

PowerShell has changed the way Windows networks are attacked. It is Microsoft's shell and scripting language, available by default on all modern Windows computers. It can interact with .Net, WMI, COM, the Windows API, the Registry and other computers on a Windows Domain. This makes it imperative for Penetration Testers and Red Teamers to learn PowerShell.

This training is aimed at attacking Windows networks using PowerShell and is based on real world penetration tests and Red Team engagements for highly secured environments. The course runs as a penetration test of a secure environment (Forest functional level 2012 R2 and fully patched servers) with detailed discussion and use of custom PowerShell scripts in each phase. Attendees begin by getting a foothold machine and work their way up to Enterprise Admin privileges using multiple methods. Some of the techniques used in the course, all implemented using PowerShell (see the course contents for details):

  • In-memory script and shellcode execution using client side attacks.
  • Extensive AD Enum and Trust mapping
  • Privilege Escalation (User Hunting, Delegation issues and more)
  • Kerberos Attacks and Defense (Golden, Silver ticket, Kerberoast and more)
  • Abusing cross forest trust (Lateral movement across forest, PrivEsc and more)
  • Abusing SQL Server trust in AD (Command Execution, trust abuse, lateral movement)
  • Credentials Replay Attacks (Over-PTH, Token Replay etc.)
  • Persistence (WMI, GPO and more)
  • Bypassing defenses (App whitelisting, AMSI, Advanced Threat Analytics etc.)
  • Dump Windows passwords, Web passwords, Wireless keys, LSA Secrets and other system secrets in plain text
  • Using DNS, HTTPS, Gmail etc. as communication channels for shell access and exfiltration.
  • Network relays, port forwarding and pivots to other machines.

The course is a mixture of demonstrations, exercises, hands-on work and lecture. The training focuses more on methodology and techniques than on tools. Attendees will get free one month access to a complete Active Directory environment comprising multiple forests after the training. After this training, attendees will be able to write their own scripts and customize existing ones for security testing. This training aims to change how you test a Windows based environment.

Course contents

Day 1 – PowerShell Essentials

  • Introduction to PowerShell
    • Language Essentials
    • Using ISE
    • Help system
    • Syntax of cmdlets and other commands
    • Variables, Operators, Types, Output Formatting
    • Conditional and Loop Statements
    • Functions
    • Modules
    • PowerShell Remoting and Jobs
    • Writing simple PowerShell scripts
  • Extending PowerShell with .Net
  • Accessing Windows API
  • WMI with PowerShell
  • Playing with the Windows Registry
  • COM Objects with PowerShell

Day 2 – Getting a foothold

  • Recon, Information Gathering and the likes
  • Vulnerability Scanning and Analysis
  • Exploitation – Getting a foothold
    • Exploiting MSSQL Servers
    • Client Side Attacks with PowerShell
    • PowerShell with Human Interface Devices
    • Writing shells in PowerShell
    • Using Metasploit and PowerShell together

Day 3 – Post Exploitation and Lateral Movement

  • Post-Exploitation – What PowerShell is actually made for
    • Domain Enumeration and Information Gathering
    • Privilege Escalation
    • Dumping System and Domain Secrets
  • Kerberos attacks (Golden, Silver Tickets and more)
  • Abusing Forest Trusts
  • Pivoting to other machines
  • Achieving Persistence
  • Detecting and stopping PowerShell attacks
  • Bypassing defenses (App whitelisting, AMSI, Advanced Threat Analytics etc.)

What would the attendees gain

  • One month access to the online lab.
  • PowerShell Hacker's Cheat Sheet, solutions to exercises, sample source code, Lab manual, Lab machines (VM), updated tools and extra slides explaining things which could not be covered.
  • The attendees would learn a powerful attack method which could be applied from day one after the training.
  • The attendees would understand that it is not always required to use third party executables, non-native code or memory corruption exploits on the targets.
  • The attendees would learn how PowerShell reduces dependence on existing frameworks yet seamlessly integrates with them.

Target audience

Red Teamers, Penetration testers, Blue teamers, System administrators and security professionals.
  • Basic understanding of how penetration tests are done.
  • Basic understanding of a programming or scripting language could be helpful but is not mandatory.
  • An open mind.

Hardware/software Requirements

Ability to RDP to Windows machines

Ability to install OpenVPN client and connect to VPN networks.

"Realistic training! Taught me how to break the latest and greatest in an Active Directory environment using PowerShell" – European Telecom Company

"Really good, engaging lecturer! His enthusiasm was good, he was clearly knowledgeable" – European Govt. agency

"I thoroughly enjoyed getting to grips with some of the tools and techniques used in penetration testing." – European Govt. agency

Trainer Biography

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His areas of interest include penetration testing, attack research, defense strategies and post exploitation research. He has 8+ years of experience in Penetration Testing and Red Teaming for his clients, which include many global corporate giants.

He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in Penetration Tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use HIDs in penetration tests, and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporate clients (in the US, Europe and SE Asia) and at the world's top information security conferences. He has spoken/trained at conferences such as Defcon, BlackHat, CanSecWest, Shakacon, BruCON, Troopers, DeepSec, PHDays, Hackfest and more.

Twitter: @nikhil_mitt

Links:

Mon. 2 - 4 October 2017 (09:00 - 17:00) (3-day) - Novotel Ghent Centrum
