An Intro to PowerShell and How to Use It for Evil

  • TekSystems, 200 South College Street (BBNT BUILDING), Suite 1200, Charlotte, NC 28202

PowerShell has established itself as the language of choice for anyone who works with Windows, and this isn’t limited to Systems Administrators. Cutting-edge Windows attacks and techniques are being developed in PowerShell and are being seen in the wild. As Penetration Testers, it is our job to stay relevant and represent a realistic threat to an environment, and now that means knowing how to use PowerShell to attack a network.

This two-day course is designed to take people with little to no scripting knowledge and help them learn how to effectively use PowerShell to test a network's security. You’ll learn not just how to use existing offensive tools, but how to create your own scripts and modules to handle various stages of an engagement. We’ll cover common Windows attacks in depth, including how token impersonation and relay attacks work. To wrap the course up, you’ll learn how to detect PowerShell attacks so that you can defend against them in your own network.


No scripting or programming experience is required. Students should have a basic understanding of Windows and be familiar with running Virtual Machines.

Course Overview

Day 1

  • Intro to PowerShell

  • Integers, strings and other things

  • Variables

    • Built-in variables

    • Defining/using variables

  • Logic (if/else/then/while)

  • Functions

  • Getting Help

  • Error handling

  • Writing basic scripts

  • Living off the land

    • Editing the Registry

    • WMI/COM interaction

    • Interacting with Active Directory

    • PowerShell Remote Access techniques

  • Modern PowerShell Attack techniques

    • Methodologies

    • Local Frameworks

  • Recon

    • Vulnerabilities

    • High Value Users

    • Passwords

Day 2

  • Day 1 Recap

  • Using .NET from within PowerShell

  • Writing (moderately) complex scripts/modules

  • Networking Tricks

    • Relaying

    • Powercat

    • Working with Windows Firewall

  • Kerberos Dive

    • What is Kerberos

    • Kerberos attacks (Golden/Silver tickets, etc)

  • Privilege Escalation

  • Creating Backdoors

  • Working with Volume Shadow Copies

  • Exfiltration

  • Remote Frameworks

    • PowerShell and Metasploit

    • Empire

  • “To catch a PowerShell hacker”

    • What events are logged

    • WMI Queries

    • Protecting your environment

Class Requirements

Students will be required to bring their own laptops for the class. Laptops should have at least 8GB of RAM (16GB preferred) as students will be using a variety of Virtual Machines throughout the course. Laptops should have virtualization software capable of handling OVA files (such as VirtualBox or VMware Player).

About the Instructor

Jared Haight (@jaredhaight) spent 10 years as a Systems Administrator where (once it came out) he used PowerShell to handle any task that he had to do more than once. Now as a Penetration Tester for Gotham Digital Science, he uses his knowledge of PowerShell on engagements to help companies improve their security posture. He has spent the last four years teaching people how to use PowerShell and created the PS>Attack platform to help Penetration Testers easily add PowerShell to their toolkit.


Register for the event here.