Kansa: a powershell incident response framework
Automated acquisition of data from thousands of hosts with Powershell!
Kansa is a PowerShell framework written by Dave Hull to support large-scale data collection.
It scales easily to thousands of systems via PowerShell Remoting, but is not confined to PowerShell: its modules can execute virtually anything.
What does it do?
It uses PowerShell Remoting to run user contributed, ahem, user contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline.
Installation
Simply download the latest build from GitHub, unzip it, and “unblock” the .ps1 files (downloaded scripts carry a mark-of-the-web that the execution policy would otherwise refuse).
The easiest way to do this if you’re using PowerShell v3 or later is to cd to the directory where Kansa resides and run:
ls -r *.ps1 | Unblock-File
Also make sure your execution policy allows the scripts to run; any of AllSigned, RemoteSigned or Unrestricted will do, for example:
Set-ExecutionPolicy RemoteSigned
Usage example
Open an elevated PowerShell prompt (right-click, Run as Administrator).
At the command prompt, enter:
.\kansa.ps1 -Target $env:COMPUTERNAME -ModulePath .\Modules -Verbose
The script should start collecting data, or you may see an error about Windows Remote Management not being enabled.
When it finishes running, you’ll have a new Output_timestamp subdirectory, with a subdirectory for the data collected by each module.
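The whole procedure above (unblock, execution policy, WinRM check, local collection, inspect the output) as one script. This is an added example, not code from the Kansa project; the install location $KansaRoot is an assumption, and the only Kansa parameters used are the ones shown in the usage example.

```powershell
# Added example (not part of Kansa): prepare a workstation and run a local
# Kansa collection. Run from an elevated PowerShell (v3 or later) prompt.
$KansaRoot = 'C:\Tools\Kansa'   # assumption: wherever you unzipped the release
Set-Location $KansaRoot

# 1. Unblock the downloaded scripts so the execution policy does not refuse them.
Get-ChildItem -Path $KansaRoot -Recurse -Filter *.ps1 | Unblock-File

# 2. Make sure the execution policy permits running the scripts. RemoteSigned is
#    enough once the files are unblocked; AllSigned would additionally require
#    every Kansa script to carry a valid signature.
$policy = Get-ExecutionPolicy
if ($policy -in 'Restricted', 'Undefined') {
    Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

# 3. Kansa talks to targets over PowerShell Remoting. Test-WSMan throws when the
#    WinRM service is not listening, which is the error the usage example warns about.
try {
    Test-WSMan -ComputerName $env:COMPUTERNAME -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "WinRM is not enabled on $env:COMPUTERNAME. Run 'Enable-PSRemoting -Force' from an elevated prompt and re-run this script."
    return
}

# 4. Collect from this machine, exactly as in the usage example.
.\kansa.ps1 -Target $env:COMPUTERNAME -ModulePath .\Modules -Verbose

# 5. Kansa writes an Output_<timestamp> directory beside kansa.ps1, one
#    subdirectory per module. List what the newest run produced.
$latest = Get-ChildItem -Path $KansaRoot -Directory -Filter 'Output_*' |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($null -eq $latest) {
    Write-Warning 'No Output_* directory found; the collection did not run.'
    return
}
Get-ChildItem -Path $latest.FullName -Recurse -File |
    Select-Object @{ n = 'Module'; e = { $_.Directory.Name } }, Name, Length |
    Format-Table -AutoSize
```

Step 3 is the check worth keeping even for a single-host test: Kansa never runs a module without a working WinRM session, so a collection that "does nothing" is almost always a remoting problem rather than a module problem.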
References
- davehull/Kansa (GitHub)
- trustedsignal blog
- Kansa: A PowerShell-based incident response framework
- Dave Hull (@davehull) on Twitter