
Kansa -How to Get-Started


Introduction

This is a place to keep my notes on various projects so I don't forget.

If not, you can give it a read here.

This guide aims to provide a starting point for using Kansa, a PowerShell framework, in an Active Directory network. You may also use it as a cheat sheet.

This article will not contain everything you need to know about PowerShell; other PowerShell topics will be covered in a later article.

I will cover the following topics under this guide:

  1. Install Kansa for one host
  2. Usage example
  3. Running Modules standalone

Throughout the article, I will use Kansa to show how to retrieve information from Active Directory-joined machines. This article was created with references from a few other articles; all references used are listed at the end.


Installation of Kansa

What are Kansa and PowerShell?

Kansa is a modular incident response framework written in PowerShell.

PowerShell can execute .NET functions directly from its shell. Most PowerShell commands, called cmdlets, are written in .NET. Unlike other scripting languages and shell environments, the output of these cmdlets is objects rather than text, which makes PowerShell somewhat object oriented.

Prerequisites:

Run the commands below on every Windows machine you need to access remotely (that is, every Windows machine you want Kansa to collect information from).

# Start the WinRM service, create the listener and firewall rule, and register the PowerShell session configuration
Enable-PSRemoting -Force
# Allow the WinRM client to send credentials to any host ('*' trusts every host name)
Set-Item wsman:\localhost\client\trustedhosts *

https://pastebin.com/ve4pPvV3

Check that remote PowerShell works with these commands:

# Open a remote session to WIN-AD with the campus\Administrator account (prompts for the password)
New-PSSession -ComputerName WIN-AD -Credential campus\Administrator
# List the sessions open from this machine, with their state
Get-PSSession

https://pastebin.com/XJRwvNNC
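A narrower form of the prerequisite steps, as an added example that is not part of the original post or of the Kansa project. TrustedHosts is a setting of the WinRM client: it is consulted on the machine that initiates the connection when Kerberos is not available (workgroup hosts, targets addressed by IP, NTLM fallback), so it belongs on the analyst workstation that runs kansa.ps1 and can list the collection targets by name instead of `*`; domain-joined targets reached by host name authenticate with Kerberos and do not need an entry at all. WIN-AD and campus\Administrator are the post's names; WIN-FS01 and WIN-WS02 are constructed host names for illustration.

```powershell
# Added example, not from the original post or the Kansa project.

# --- On each collection target (elevated prompt) ---
# Starts the WinRM service, creates the HTTP listener and firewall rule, and
# registers the default PowerShell session configuration.
Enable-PSRemoting -Force

# --- On the analyst workstation that will run kansa.ps1 ---
# TrustedHosts is consulted by the WinRM *client* when it cannot authenticate the
# server with Kerberos. Naming the targets instead of '*' means this machine only
# hands credentials to those hosts. WIN-FS01 / WIN-WS02 are constructed names.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'WIN-AD,WIN-FS01' -Force
# Add one more host later without overwriting the existing list:
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'WIN-WS02' -Concatenate -Force
Get-Item -Path WSMan:\localhost\Client\TrustedHosts | Format-List Name, Value

# Confirm each target answers WS-Man before any credentials are involved.
foreach ($target in 'WIN-AD', 'WIN-FS01') {
    try {
        $null = Test-WSMan -ComputerName $target -ErrorAction Stop
        Write-Host "$target : WinRM reachable"
    } catch {
        Write-Warning "$target : $($_.Exception.Message)"
    }
}

# Open a session with the post's account, prove it works, and close it again so
# no idle session carrying an administrator token is left behind on the target.
$cred = Get-Credential -UserName 'campus\Administrator' -Message 'Collection account'
$session = New-PSSession -ComputerName WIN-AD -Credential $cred
Get-PSSession | Format-Table Id, ComputerName, State, Availability -AutoSize
Invoke-Command -Session $session -ScriptBlock {
    [pscustomobject]@{ Host = $env:COMPUTERNAME; WinRM = (Get-Service WinRM).Status }
}
Remove-PSSession -Session $session
```

`Test-WSMan` only checks that the WinRM endpoint responds; the `Invoke-Command` call is the check that authentication and the session configuration actually work for the account Kansa will use.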

Download and install

Download the latest build from GitHub:

https://github.com/davehull/Kansa

Unzip it and "unblock" the .ps1 files.

The easiest way to do this, if you're using PowerShell v3 or later, is to cd to the directory where Kansa resides and run:

Unblock-File

ls -r *.ps1 | Unblock-File

Ensure that you check your execution policies with PowerShell:

# Choose one of AllSigned, RemoteSigned or Unrestricted; RemoteSigned is the usual choice
Set-ExecutionPolicy RemoteSigned
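The download, unzip, unblock and execution-policy steps above carried through as one script, added here as an example that is not from the original post or the Kansa project. It assumes the standard GitHub branch-archive URL form (https://github.com/owner/repo/archive/refs/heads/branch.zip) for the repository linked above, and uses C:\Tools as a constructed destination; Kansa-master is the folder name the archive extracts to, matching the path in the post's session output. `Expand-Archive` needs PowerShell 5 or later.

```powershell
# Added example, not from the original post or the Kansa project.
# Assumptions: branch-archive URL form below; C:\Tools is a constructed destination.
$zipUrl  = 'https://github.com/davehull/Kansa/archive/refs/heads/master.zip'
$dest    = 'C:\Tools'
$zipPath = Join-Path $dest 'Kansa-master.zip'

New-Item -ItemType Directory -Path $dest -Force | Out-Null
Invoke-WebRequest -Uri $zipUrl -OutFile $zipPath
Expand-Archive -Path $zipPath -DestinationPath $dest -Force
$kansaDir = Join-Path $dest 'Kansa-master'

# Files that came from the internet carry a Zone.Identifier alternate data stream
# (the "mark of the web"). Under RemoteSigned, such scripts must be signed to run,
# so Unblock-File strips the stream from the Kansa scripts.
Get-ChildItem -Path $kansaDir -Recurse -Filter *.ps1 | Unblock-File

# Report anything still blocked; this should print nothing.
Get-ChildItem -Path $kansaDir -Recurse -Filter *.ps1 |
    Where-Object { Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue } |
    Select-Object FullName

# Check the effective policy instead of assuming it. RemoteSigned is enough for
# unblocked local scripts; scoping it to the current user avoids a machine-wide change.
Get-ExecutionPolicy -List
if ((Get-ExecutionPolicy) -in 'Restricted', 'AllSigned') {
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}
```

`Get-ExecutionPolicy -List` shows every scope; if MachinePolicy or UserPolicy is set by Group Policy it wins over CurrentUser, and the last `Set-ExecutionPolicy` will have no effect, which is worth knowing before blaming Kansa for a script that refuses to run.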


Usage example

Open an elevated PowerShell prompt (right-click, Run as Administrator).

At the command prompt, enter:

# Collect from the local machine using the modules listed in Modules\Modules.conf
.\kansa.ps1 -Target $env:COMPUTERNAME -ModulePath .\Modules -Verbose

The script should start collecting data, or you may see an error about Windows Remote Management not being enabled.

When it finishes running, you'll have a new Output_<timestamp> subdirectory, with one subdirectory for the data collected by each module.

Test run against WIN-AD:

PS C:\Tools\Kansa-master> .\kansa.ps1 -Pushbin -Target WIN-AD -Credential chi.local\administrator -Authentication Negotiate
VERBOSE: Found Modules\\Modules.conf.
VERBOSE: Running modules:
Get-PrefetchListing
Get-Netstat
Get-DNSCache
Get-SmbSession
Get-LogWinEvent
Get-SchedTasks
Get-LocalAdmins
Get-Hotfix
VERBOSE: Waiting for Get-PrefetchListing to complete.

Id     Name            PSJobTypeName   State         HasMoreData     Location             Command
--     ----            -------------   -----         -----------     --------             -------
1      Job1            RemoteJob       Completed     True            WIN-AD               <#...
VERBOSE: Waiting for Get-Netstat to complete.
3      Job3            RemoteJob       Completed     True            WIN-AD               <#...
VERBOSE: Waiting for Get-DNSCache to complete.
5      Job5            RemoteJob       Completed     True            WIN-AD               <#...
VERBOSE: Waiting for Get-SmbSession to complete.
7      Job7            RemoteJob       Completed     True            WIN-AD               <#...
VERBOSE: Waiting for Get-LogWinEvent Security to complete.
9      Job9            RemoteJob       Completed     True            WIN-AD               <# ...
VERBOSE: Waiting for Get-SchedTasks to complete.
11     Job11           RemoteJob       Completed     True            WIN-AD               <#...
VERBOSE: Waiting for Get-LocalAdmins to complete.
13     Job13           RemoteJob       Completed     True            WIN-AD               <#...
VERBOSE: Waiting for Get-Hotfix to complete.
15     Job15           RemoteJob       Completed     True            WIN-AD               <#...
PS C:\Tools\Kansa-master>

Running Modules Standalone

Kansa modules can be run as standalone utilities outside of the Kansa framework. Why might you want to do this? Consider netstat -naob: the output of the command-line utility is ugly and doesn't easily lend itself to analysis. Running

Modules\Net\Get-Netstat.ps1

as a standalone script will call netstat -naob, but it will return PowerShell objects in an easy-to-read, easy-to-analyze format. You can easily convert its output to CSV, TSV or XML using normal PowerShell cmdlets. Here's an example:

.\Get-Netstat.ps1 | ConvertTo-CSV -Delimiter "`t" -NoTypeInformation | % { $_ -replace "`"" } | Set-Content netstat.tsv
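What the object output buys you once it is in a TSV, as an added example that is not part of the original post or of the Kansa project. The column names (Protocol, LocalAddress, LocalPort, RemoteAddress, RemotePort, State, PID, Component, Process) are my assumption about the properties Kansa's Get-Netstat.ps1 emits from netstat -naob; the rows are constructed sample data so the script runs offline, and the three functions are hypothetical helpers written for this example.

```powershell
# Added example, not from the original post or the Kansa project.
# Column names are an assumption about Get-Netstat.ps1's output; rows are constructed.
$t = "`t"
$sampleTsv = @(
    ('Protocol','LocalAddress','LocalPort','RemoteAddress','RemotePort','State','PID','Component','Process') -join $t
    ('TCP','0.0.0.0','135','0.0.0.0','0','LISTENING','880','RpcSs','svchost.exe') -join $t
    ('TCP','0.0.0.0','445','0.0.0.0','0','LISTENING','4','','System') -join $t
    ('TCP','0.0.0.0','5985','0.0.0.0','0','LISTENING','4','','System') -join $t
    ('TCP','10.0.0.5','49712','10.0.0.10','445','ESTABLISHED','4','','System') -join $t
    ('TCP','10.0.0.5','49801','203.0.113.7','8443','ESTABLISHED','6133','','updater.exe') -join $t
    ('TCP','0.0.0.0','8080','0.0.0.0','0','LISTENING','6133','','updater.exe') -join $t
    ('UDP','0.0.0.0','5353','*','*','','2210','','svchost.exe') -join $t
)

# Same shape as the post's netstat.tsv. For a real file use:
#   $conns = Import-Csv -Path .\netstat.tsv -Delimiter "`t"
$conns = $sampleTsv | ConvertFrom-Csv -Delimiter "`t"

function Get-ListeningSocket {
    param([object[]]$Connections)
    # UDP rows carry no State in netstat output, so every UDP binding counts as a listener.
    $Connections |
        Where-Object { $_.State -eq 'LISTENING' -or $_.Protocol -eq 'UDP' } |
        Sort-Object { [int]$_.LocalPort } |
        Select-Object Protocol, LocalAddress, LocalPort, PID, Process
}

function Get-ExternalConnection {
    param([object[]]$Connections)
    # Loopback, RFC 1918 and unspecified addresses are treated as internal; the
    # remaining established connections are the ones a reviewer looks at first.
    $internal = '^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|0\.0\.0\.0$|\*$)'
    $Connections |
        Where-Object { $_.State -eq 'ESTABLISHED' -and $_.RemoteAddress -notmatch $internal } |
        Select-Object Process, PID, LocalPort, RemoteAddress, RemotePort
}

function Get-SocketCountByProcess {
    param([object[]]$Connections)
    # Stacking: run over many hosts, the processes that appear rarely are the outliers.
    $Connections | Group-Object Process | Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Process'; Expression = { $_.Name } }
}

Get-ListeningSocket -Connections $conns | Format-Table -AutoSize
Get-ExternalConnection -Connections $conns | Format-Table -AutoSize
Get-SocketCountByProcess -Connections $conns | Format-Table -AutoSize
```

With the constructed rows, the listener table shows 135, 445, 5985 (the WinRM port the rest of this guide depends on), 8080 and UDP 5353, and the external-connection table contains the single updater.exe row to 203.0.113.7:8443; the same three functions work unchanged on the TSV files Kansa writes for each host under Output_<timestamp>, once they are imported with `Import-Csv -Delimiter "`t"`.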


References

  1. PowerShell introduction from: https://tryhackme.com/room/powershell
  2. Kansa adhdproject: https://adhdproject.github.io/#!Windows/Kansa.md#Example_1:_Usage
  3. 13Cubed video: https://www.youtube.com/watch?v=OIT9oaFmXZU
  4. Jon Ketchum, SANS DFIR YouTube: https://www.youtube.com/watch?v=ZyTbqpc7H-M
  5. Kansa for Enterprise Scale Threat Hunting, Jonathan Ketchum (PDF)

This post is licensed under CC BY 4.0 by the author.