CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Security Operations with PowerShell Core

Following along with the spirit of PowerShelling all of the things, open-source PowerShell and PowerShell Core 7+ now support all major OS platforms; it is time to learn multi-platform PowerShell security operations. Stopping there? No way! With information coming from every source imaginable, you need a way to collect and analyze that information, which is a perfect job for everyone's favorite open-source database/interface solution, the Elastic Stack. PowerShell is either already in place or allowed by default in many restricted environments, which makes it a ubiquitous living-off-the-land binary for defensive cyber operators.

Whether performing continuous monitoring, intermittent threat hunting, or incident response, having access to the devices and resources available in your respective enterprise is a success condition. In this workshop, you learn how to install PowerShell Core 7 (current release) on Windows, Linux, and macOS devices through different local and remote install options. Next, you learn to leverage WinRM for Windows and SSH remoting for *nix/macOS devices to create PowerShell remote connections to each device. With PowerShell remote sessions established to every device, everything is pretty familiar: pull network connections, query running processes, run several other queries useful for identifying malicious activity, and pull the results back to your centralized "security operations" endpoint. If you don't have the flexibility to create an Elasticsearch service in your environment, don't sweat it: PowerShell alone is a perfect tool for aggregating, analyzing, and reporting interesting findings. But for when the opportunity arises, you will learn to quickly spin up a cloud instance, convert your freshly procured security operations data into JSON, ingest it, and analyze it in Kibana with ease and dashboard-creating swag over 9000.

  • Setting Up your PowerShell Environment (15 min)
  • PowerShell Network Discovery and Enumeration (20 min)
  • Deploying PowerShell Core 7 on dissimilar OSes (15 min)
  • Creating PowerShell Remoting Sessions with WinRM and SSH (20 min)
  • Running OS information queries across your Environment (20 min)
  • Collecting and Analyzing Information with PowerShell (10 min)
  • Analyzing PowerShell-Collected Information with the Elastic Stack (20 min)
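The remoting, collection and JSON steps above, as an added example written for this abstract rather than workshop material: it opens WinRM sessions to Windows hosts and SSH sessions to Linux/macOS hosts, runs one cross-platform collection script block through Invoke-Command, and writes one JSON document per host (NDJSON) for Elasticsearch ingestion. Host names, the account name and the output path are placeholders.

```powershell
# Added example, not from the workshop. Placeholders: host names, $SshUser, $OutFile.
$WindowsHosts = @('win-host-01.example.internal')    # placeholder, WinRM targets
$LinuxHosts   = @('linux-host-01.example.internal')  # placeholder, SSH remoting targets
$SshUser      = 'socops'                              # placeholder account with key-based SSH
$OutFile      = Join-Path $PWD 'secops-collection.ndjson'

# WinRM sessions (Windows). New-PSSession accepts an array of computer names.
$sessions = @()
$sessions += New-PSSession -ComputerName $WindowsHosts -ErrorAction SilentlyContinue

# SSH remoting sessions (Linux/macOS). Targets need PowerShell 7 and an sshd
# configured with the powershell subsystem.
foreach ($h in $LinuxHosts) {
    $sessions += New-PSSession -HostName $h -UserName $SshUser -ErrorAction SilentlyContinue
}

# Collection logic that runs on every remote host. Only cross-platform cmdlets are
# used unconditionally; Get-NetTCPConnection exists on Windows only, so *nix hosts
# fall back to ss/netstat output as raw text.
$collect = {
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path
    if ($IsWindows) {
        $conns = Get-NetTCPConnection -State Established |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
    } elseif (Get-Command ss -ErrorAction SilentlyContinue) {
        $conns = ss -tnp
    } else {
        $conns = netstat -an
    }
    [pscustomobject]@{
        '@timestamp' = (Get-Date).ToUniversalTime().ToString('o')
        host         = [Environment]::MachineName
        os           = [Environment]::OSVersion.VersionString
        processes    = $procs
        connections  = $conns
    }
}

# Fan the script block out to all sessions; results come back as deserialized objects
# tagged with PSComputerName, which is useful when pivoting in Kibana.
$results = Invoke-Command -Session $sessions -ScriptBlock $collect -ErrorAction Continue

# NDJSON: one compact JSON document per line, the shape Kibana's file upload
# and the Elasticsearch bulk API accept.
$results | ForEach-Object { $_ | ConvertTo-Json -Depth 5 -Compress } |
    Set-Content -Path $OutFile -Encoding utf8

Get-PSSession | Remove-PSSession
```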

Pre-Requirements: Create an Elasticsearch cloud trial account, and have one Linux and one Windows system (VM or physical) prepared. If you are also virtualizing these on a Mac, that is helpful, but we will have a Mac device for you to connect to if you like (be nice).

Aaron Rosenmund and Brandon DeVault

Aaron M. Rosenmund is a cyber security operations and incident response subject matter expert, with a background in federal and business system administration, virtualization and automation. Leveraging administration and automation experience, Aaron has contributed to multiple open and closed source security operation platform projects and continues to create tools and content to benefit the community, support his efforts as an educator/researcher at Pluralsight, and advance the capabilities of the Air National Guard, where he serves part time on a Cyber Mission Defense Team. Understanding the need for the cyber security workforce to be dynamically learning to keep pace with the ever-changing cyber threat landscape, he has dedicated himself to researching, teaching and sharing experiences and capabilities with the community to fill the knowledge gap that currently exists.

Brandon DeVault is a security analyst, incident responder, and educator. Background in network administration and hardware hacking. Previous experience with Special Operations Command (SOCOM) on deployable communication teams. Part-time member of the Air National Guard on a Mission Defense Team (SOC) defending North America’s air tracks. Currently working as an Engineer for Elastic performing security consulting and education.