davehull/Kansa davehull/Kansa

Frameworks
  • Stars
    star
    1,497
  • Rank 30,209 (Top 0.7 %)
  • Language
    PowerShell
  • License
    Apache License 2.0
  • Created about 10 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
davehull/Kansa
github

davehull

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Powershell incident response framework

Kansa

A modular incident response framework in Powershell. It's been tested in PSv2 / .NET 2 and later and works mostly without issue.

But really, upgrade to PSv3 or later. Be happy.

More info:
http://trustedsignal.blogspot.com/search/label/Kansa
http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

What does it do?

It uses Powershell Remoting to run user contributed, ahem, user contri-
buted modules across hosts in an enterprise to collect data for use
during incident response, breach hunts, or for building an environmental
baseline.

How do you use it?

Here's a very simple command line example you can run on your own local
host.

  1. After downloading the project and unzipping it, you'll likely need
    to "unblock" the ps1 files. The easiest way to do this if you're using
    Powershell v3 or later is to cd to the directory where Kansa resides
    and do:
ls -r *.ps1 | Unblock-File
  1. Ensure that you check your execution policies with PowerShell. Check Using the Set-ExecutionPolicy Cmdlet for information on how to do so within your environment.
Set-ExecutionPolicy AllSigned | RemoteSigned | Unrestricted
  1. If you're not running PS v3 or later, Sysinternal's Streams utility can
    be used to remove the alternate data streams that Powershell uses to
    determine if files came from the Internet. Once you've removed those
    ADSes, you'll be able to run the scripts without issue.
c:\ streams -sd <Kansa directory>

I've not run into any issues running the downloaded scripts via Windows
Remote Management / Powershell Remoting through Kansa, so you shouldn't
have to do anything if you want to run the scripts via remoting.

  1. Open an elevated Powershell Prompt (Right-click Run As Administrator)

  2. At the command prompt, enter:

.\kansa.ps1 -Target $env:COMPUTERNAME -ModulePath .\Modules -Verbose

The script should start collecting data or you may see an error about
not having Windows Remote Management enabled. If so, do a little
searching online, it's easy to turn on. Turn it on and try again. When
it finishes running, you'll have a new Output_timestamp subdirectory,
with subdirectories for data collected by each module. You can cd into
those subdirectories and checkout the data. There are some analysis
scripts in the Analysis directory, but many of those won't make sense
on a collection of data from a single host. Kansa was written for
collection and analysis of data from dozens, hundreds, thousands, tens
of thousands of systems.

Running Modules Standalone

Kansa modules can be run as standalone utilities outside of the Kansa
framework. Why might you want to do this? Consider netstat -naob, the
output of the command line utility is ugly and doesn't easily lend
itself to analysis. Running

Modules\Net\Get-Netstat.ps1

as a standalone script will call netstat -naob, but it will return
Powershell objects in an easy to read, easy to analyze format. You can
easily convert its output to CSV, TSV or XML using normal Powershell
cmdlets. Here's an example:

.\Get-Netstat.ps1 | ConvertTo-CSV -Delimiter "`t" -NoTypeInformation | % { $_ -replace "`"" } | Set-Content netstat.tsv

the result of the above will be a file called netstat.tsv containing
unquoted, tab separate values for netstat -naob's ouput.

Caveats:

Powershell relies on the Windows API. Your adversary may use subterfuge.*

  • Collectors can be written to bypass the Windows API as well.
    Get-RekallPslist.ps1 for example.

More Repositories

1

Mal-Seine

Why hunt when you can seine?
PowerShell
21
star
2

VirusTotalShell

A fork of David B Heise's VirusTotal Powershell Module
PowerShell
17
star
3

Get-StakRank

A Powershell script for frequency analysis of separated values data files.
PowerShell
17
star
4

autorunalyzer

A Python script for performing analysis of the output from Microsoft's Sysinternals Autoruns.
Shell
15
star
5

MCC

Tracking my work through the Matasano Crypto Challenges
PowerShell
8
star
6

body-outliers

A Python script for finding outliers in fls bodyfiles (see The Sleuth Kit) based on given metadata elements like metadata address, atime, ctime, crtime and mtime.
Python
5
star
7

PSProfile

A new repo to contain my psprofile
PowerShell
4
star
8

body-ugid-dist

A Python script that parses the contents of an fls bodyfile (see The Sleuth Kit) and outputs the distribution of u/gids per directory. This has been useful for finding malicious code that an attacker has placed on a Linux host while neglecting to change u/gids to match "normal" values for the given directory.
Python
4
star
9

body-meta-dist

A Python script that parses the contents of an fls bodyfile (see The Sleuth Kit) and outputs the distribution of the metadata element passed as an argument.
Python
4
star
10

meta-outliers

A Python script that finds files with metadata addresses that are n standard deviations from the average metadata address of files on a per directory basis.
Python
3
star
11

Get-WebFile

Powershell script based on Boe Prox's Get-WebPage.ps1, but this one pulls down a specific file
3
star
12

Exif2GeoRSS

Takes GPS Exif metadata from image files (or whatever) and creates a GeoRSS file suitable for import into Bing Maps. See http://trustedsignal.blogspot.com/2012/02/plotting-photo-location-data-with-bing.html.
Python
3
star
13

Get-Fields

Returns the field names from a separated values file, assuming the first line contains a header.
1
star
14

Add-Header

Utility script for adding a header to a data file
PowerShell
1
star