Introduction to Kansa - PowerShell-based Incident Response

  • Published 15 Dec 2019
  • As a continuation of the "Introduction to Windows Forensics" series, this episode covers a powerful PowerShell-based incident response framework called Kansa. Kansa uses PowerShell Remoting to run user-contributed modules across hosts in an enterprise and collect data for use during incident response, breach hunts, or for building an environmental baseline. The framework can be run against a single host or against tens of thousands of hosts.
    We'll first look at the included modules and run some of them to learn how and what information Kansa collects. Then we'll run the tool against a Windows 10 machine and analyze the exported CSV data with Timeline Explorer. I think you'll be amazed by the results!
    ** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
    🖥 Commands Used in This Episode
    Set-NetConnectionProfile -NetworkCategory Private
    Enable-PSRemoting
    DO NOT USE THE COMMANDS BELOW IN PRODUCTION ENVIRONMENTS (they enable Basic authentication and allow unencrypted WinRM traffic, so the password and every byte of collected evidence cross the network in cleartext; lab use only)
    ###############################################################
    winrm set winrm/config/client/auth '@{Basic="true"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/client '@{AllowUnencrypted="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    ###############################################################
    .\kansa.ps1 -Target localhost -ModulePath .\Modules -Verbose -Authentication basic -Credential (Get-Credential)
    Kansa (GitHub):
    github.com/davehull/Kansa
    Download Eric Zimmerman's Tools:
    ericzimmerman.github.io
    If you're new to PowerShell Remoting, check this out:
    www.networkadm.in/securing-po...
    Background Music Courtesy of Anders Enger Jensen:
    / hariboosx
    #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
  • Science & Technology
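The commands above are the single-host lab setup. As an added example that is not part of the episode or of the Kansa project, the script below puts the lab-only WinRM settings beside the settings that turn them back off, runs Kansa against a list of hosts over the default Kerberos authentication instead of Basic, and then merges each module's per-host CSV files into one file per module so Timeline Explorer can show every host in a single grid. Assumptions: Kansa's -TargetList and -OutputPath parameters (confirm with Get-Help .\kansa.ps1 -Full), an output layout of one folder per module holding <hostname>-<module>.csv files, and the hostnames in hosts.txt, which are constructed for the example.

```powershell
# Added example (not from the episode or the Kansa project).
# Assumptions: Kansa's -TargetList and -OutputPath parameters (check with
# Get-Help .\kansa.ps1 -Full) and an output layout of one folder per module
# holding <hostname>-<module>.csv files. The hosts.txt contents are constructed.

#Requires -RunAsAdministrator

# 1. Remoting prerequisites (on the collector and on every target).
Set-NetConnectionProfile -NetworkCategory Private   # Enable-PSRemoting refuses Public networks
Enable-PSRemoting -Force

# 2. The lab shortcut from the episode, and the settings that undo it.
#    Basic auth + AllowUnencrypted sends the password and all collected evidence
#    in cleartext; Kerberos (the default for domain-joined hosts) needs neither.
#    Call Enable-WinRmLabMode only in a lab, and Disable-WinRmLabMode when done.
function Enable-WinRmLabMode {
    winrm set winrm/config/client/auth '@{Basic="true"}'
    winrm set winrm/config/service/auth '@{Basic="true"}'
    winrm set winrm/config/client '@{AllowUnencrypted="true"}'
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
}
function Disable-WinRmLabMode {
    winrm set winrm/config/client/auth '@{Basic="false"}'
    winrm set winrm/config/service/auth '@{Basic="false"}'
    winrm set winrm/config/client '@{AllowUnencrypted="false"}'
    winrm set winrm/config/service '@{AllowUnencrypted="false"}'
}

# 3. Collect from an explicit list of hosts over Kerberos (no -Authentication basic).
Set-Content -Path .\hosts.txt -Value @('WKS01', 'WKS02', 'SRV-FILE01')   # constructed
.\kansa.ps1 -TargetList .\hosts.txt -ModulePath .\Modules -OutputPath .\Output -Verbose

# 4. Merge each module's per-host CSVs into one file and tag every row with the
#    host and module it came from, so one Timeline Explorer grid covers all hosts.
function Merge-KansaOutput {
    param(
        [Parameter(Mandatory)][string]$OutputRoot,
        [string]$Destination = (Join-Path $OutputRoot 'Merged')
    )
    $destFull = (New-Item -ItemType Directory -Path $Destination -Force).FullName

    Get-ChildItem -Path $OutputRoot -Directory |
        Where-Object { $_.FullName -ne $destFull } |
        ForEach-Object {
            $module = $_.Name
            # The file suffix may or may not carry the module's "Get-" verb; accept both.
            $suffix = [regex]::Escape(($module -replace '^Get-', ''))
            $rows = Get-ChildItem -Path $_.FullName -Filter *.csv | ForEach-Object {
                $hostName = $_.BaseName -replace "-(Get-)?$suffix`$", ''
                Import-Csv -Path $_.FullName | ForEach-Object {
                    $_ | Add-Member -NotePropertyName Hostname -NotePropertyValue $hostName -PassThru |
                         Add-Member -NotePropertyName Module   -NotePropertyValue $module   -PassThru
                }
            }
            if ($rows) {
                $rows | Export-Csv -Path (Join-Path $destFull "$module.csv") -NoTypeInformation
            }
        }
}

Merge-KansaOutput -OutputRoot .\Output
```

Open any file under .\Output\Merged in Timeline Explorer and filter or group on the Hostname column to compare the same artifact (autoruns, services, scheduled tasks, and so on) across hosts; an entry that appears on one host and none of its peers is the usual starting point for a hunt. Supplying -Target or -TargetList also means Kansa does not need to enumerate computers from Active Directory, which is what requires the AD remote administration tooling on the collection host that a commenter below runs into.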

COMMENTS • 23

  • @terra7477 2 years ago +1

    Hello, I'm finishing my studies as a SysAdmin and I have to do a little job. I've been assigned to do one about Kansa, and this video has been very helpful in fully understanding how it works. Thank you very much, and greetings from the Canary Islands!

  • @javalireports2209 4 years ago +6

    Thanks for making this video.
    Would you please make a video on running these scripts at the enterprise level?
    For example: you could take a couple of VMs (hosts) > run the scripts > "analyze the output collected from multiple hosts from a single file"

  • @EnglishRain 4 years ago +6

    Thank you, please continue to make videos like these, love your work!

  • @hirich008 4 years ago +1

    Your content is always helpful. Thanks for the video.

  • @nios1515 4 years ago +1

    My favorite channel on YouTube. Thank you!

  • @anthonyc7407 4 years ago +7

    Great job as usual! This helped complement some of my SANS 508 material.

    • @BigstickNick 3 years ago

      I'm looking for ways to continue it as well

  • @ilyasamarov 3 years ago +1

    Thanks for this amazing intro course. Learned many new things :)

  • @hassanshehata9626 3 years ago +1

    Good work. Just finished the whole playlist and it was very informative.

  • @SethTech 3 years ago +1

    You guys are awesome. Keep it up!

  • @davidcollins4489 4 years ago +1

    Absolutely! Great video. I've used Kansa in the past.
    I'd love it if you could cover aggregating and analyzing outputs from multiple hosts!

  • @andrewhughes3866 3 years ago +1

    Great stuff!

  • @gaurav572684 4 years ago +1

    Great. I would love to see more videos on Kansa.

  • @fam-jam4531 3 years ago +1

    Amazing, thanks for this video!!!

  • @sulthansk6444 4 years ago +1

    Thanks for the video...

  • @davidelsliger2819 4 years ago +1

    Just got finished covering this in SANS SEC511. Nice framework for DFIR on Windows.

  • @Manavetri 1 year ago

    Great tool!

  • @zev1515 4 years ago +1

    Subscribed!

  • @blablabla-es3xv 4 years ago +1

    Please make a video on the Skadi tool

  • @ssnkhan 11 days ago

    Is Kansa abandonware? It was featured heavily in SANS FOR508, but it seems the project hasn’t seen any updates in two years.

    • @13Cubed 10 days ago +1

      It seems that way, sadly. But, at least the framework can be easily adapted as you need and can still prove to be quite useful.

  • @HitemAriania 2 years ago

    Great stuff! But as soon as this runs in an enterprise it asks for Remote Administration for AD to be installed, which we cannot do on isolated hosts and on hosts that are not supposed to have it.