Introduction
This is a place to keep my notes on various projects so I don’t forget.
If not, you can give it a read from here.
This guide aims to provide a starting place for Kansa PowerShell in an Active Directory network. You may refer to this as a Cheat-Sheet also.
This article will not contain everything you need to know about PowerShell; the remaining topics will be covered in a later article.
I will cover the following topics in this guide:
- Install Kansa for one host
- Usage example
- Running Modules standalone
Throughout the article, I will use Kansa (PowerShell) to show how to retrieve information from Active Directory joined machines. This article has been created with references from a few other articles; all references used for completing this article are listed at the end.
Installation of Kansa
What is Kansa & Powershell
Kansa is a modular incident response framework written in PowerShell.
PowerShell itself can execute .NET functions directly from its shell. Most PowerShell commands, called cmdlets, are written in .NET. Unlike other scripting languages and shell environments, the output of these cmdlets is objects rather than text, which makes PowerShell somewhat object oriented.
Prerequisites:
Run the commands below on every Windows machine you need to access remotely (that is, every Windows machine you want Kansa to collect information from).
Enable-PSRemoting -Force
Set-Item wsman:\localhost\client\trustedhosts *
Note that a TrustedHosts value of * lets the WinRM client connect to any host with non-Kerberos (e.g. NTLM) authentication; in a domain you can narrow it to the specific hosts or domain suffix you actually collect from.
Check that remote PowerShell works with these commands (WIN-AD and campus\Administrator are the target host and account used in this lab; substitute your own):
New-PSSession -ComputerName WIN-AD -Credential campus\Administrator
Get-PSSession
Download and Install
Download the latest build from GitHub:
https://github.com/davehull/Kansa
Unzip it and “unblock” the .ps1 files (files downloaded from the internet carry a Zone.Identifier mark that stops them from running).
The easiest way to do this if you’re using PowerShell v3 or later is to cd to the directory where Kansa resides and run:
ls -r *.ps1 | Unblock-File
Ensure that you check your execution policy with PowerShell and set it to one of AllSigned, RemoteSigned or Unrestricted (pick one of the three; RemoteSigned is enough once the local scripts have been unblocked):
Set-ExecutionPolicy <AllSigned | RemoteSigned | Unrestricted>
Usage example
Open an elevated PowerShell prompt (right-click, Run as Administrator).
At the prompt, enter:
.\kansa.ps1 -Target $env:COMPUTERNAME -ModulePath .\Modules -Verbose
The script should start collecting data, or you may see an error about Windows Remote Management not being enabled.
When it finishes running, you’ll have a new Output_timestamp subdirectory, with subdirectories for data collected by each module.
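The per-module subdirectories are where the analysis starts: the usual Kansa approach is to stack one field (a scheduled task name, a listening port, a local admin) across every host file and look at the values seen on the fewest hosts. The script below is an added example, not part of Kansa or of the original post; it assumes the layout Output_<timestamp>\<Module>\<Host>-<Module>.<ext> and a comma-delimited file (pass -Delimiter "`t" if you ran Kansa with TSV output), so verify both against your own run.

```powershell
# Stack one field across the per-host files Kansa wrote for a module and
# report the values present on the fewest hosts (least-frequency analysis).
# Assumed layout (verify against your run): Output_<timestamp>\<Module>\<Host>-<Module>.<ext>
param(
    [Parameter(Mandatory)] [string]$OutputDir,   # e.g. .\Output_20240101123000 (placeholder)
    [Parameter(Mandatory)] [string]$Module,      # e.g. Get-SchedTasks
    [Parameter(Mandatory)] [string]$Field,       # column to stack, e.g. TaskName (assumed column)
    [string]$Delimiter = ',',                    # use "`t" for TSV output
    [int]$MaxHosts = 2                           # only report values seen on this many hosts or fewer
)

$moduleDir = Join-Path $OutputDir $Module
$files = Get-ChildItem -Path $moduleDir -File -ErrorAction Stop
if (-not $files) { throw "No output files found under $moduleDir" }

# Flatten every host file into (Host, Value) rows; the host name is the
# part of the file name before "-<Module>".
$rows = foreach ($f in $files) {
    $hostName = $f.BaseName -replace "-$([regex]::Escape($Module))$", ''
    Import-Csv -Path $f.FullName -Delimiter $Delimiter |
        ForEach-Object { [pscustomobject]@{ Host = $hostName; Value = $_.$Field } }
}

$hostTotal = @($rows | Select-Object -ExpandProperty Host -Unique).Count
Write-Host "Stacking '$Field' from $Module across $hostTotal host file(s)"

# Group by value, count distinct hosts per value, keep the rare ones.
$rows |
    Where-Object { $_.Value } |
    Group-Object -Property Value |
    ForEach-Object {
        $hosts = @($_.Group.Host | Sort-Object -Unique)
        [pscustomobject]@{
            Value     = $_.Name
            HostCount = $hosts.Count
            Hosts     = ($hosts -join ';')
        }
    } |
    Where-Object { $_.HostCount -le $MaxHosts } |
    Sort-Object HostCount, Value |
    Format-Table -AutoSize
```

A value that appears on one host out of many is not proof of anything, but it is the first thing worth pulling the raw row for.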
Test WIN-AD
PS C:\Tools\Kansa-master> .\kansa.ps1 -Pushbin -Target WIN-AD -Credential chi.local\administrator -Authentication Negotiate
VERBOSE: Found Modules\\Modules.conf.
VERBOSE: Running modules:
Get-PrefetchListing
Get-Netstat
Get-DNSCache
Get-SmbSession
Get-LogWinEvent
Get-SchedTasks
Get-LocalAdmins
Get-Hotfix
VERBOSE: Waiting for Get-PrefetchListing to complete.
Id Name PSJobTypeName State HasMoreData Location Command
-- ---- ------------- ----- ----------- -------- -------
1 Job1 RemoteJob Completed True WIN-AD <#...
VERBOSE: Waiting for Get-Netstat to complete.
3 Job3 RemoteJob Completed True WIN-AD <#...
VERBOSE: Waiting for Get-DNSCache to complete.
5 Job5 RemoteJob Completed True WIN-AD <#...
VERBOSE: Waiting for Get-SmbSession to complete.
7 Job7 RemoteJob Completed True WIN-AD <#...
VERBOSE: Waiting for Get-LogWinEvent Security to complete.
9 Job9 RemoteJob Completed True WIN-AD <# ...
VERBOSE: Waiting for Get-SchedTasks to complete.
11 Job11 RemoteJob Completed True WIN-AD <#...
VERBOSE: Waiting for Get-LocalAdmins to complete.
13 Job13 RemoteJob Completed True WIN-AD <#...
VERBOSE: Waiting for Get-Hotfix to complete.
15 Job15 RemoteJob Completed True WIN-AD <#...
PS C:\Tools\Kansa-master>
Running Modules Standalone
Kansa modules can be run as standalone utilities outside of the Kansa framework. Why might you want to do this? Consider netstat -naob: the output of the command line utility is ugly and doesn’t easily lend itself to analysis.
Running
Modules\Net\Get-Netstat.ps1
as a standalone script will call netstat -naob, but it will return PowerShell objects in an easy to read, easy to analyze format. You can easily convert its output to CSV, TSV or XML using normal PowerShell cmdlets. Here’s an example that writes a tab-separated file with the quotes stripped:
.\Get-Netstat.ps1 | ConvertTo-CSV -Delimiter "`t" -NoTypeInformation | % { $_ -replace "`"" } | Set-Content netstat.tsv
References
- PowerShell Introduction: https://tryhackme.com/room/powershell
- Kansa on adhdproject.github.io: https://adhdproject.github.io/#!Windows/Kansa.md#Example_1:_Usage
- 13Cubed video: https://www.youtube.com/watch?v=OIT9oaFmXZU
- Jon Ketchum, SANS DFIR YouTube: https://www.youtube.com/watch?v=ZyTbqpc7H-M
- Kansa for Enterprise Scale Threat Hunting, Jonathan Ketchum (PDF)