ฝัง
- เผยแพร่เมื่อ 29 ก.ย. 2024
- As a continuation of the "Introduction to Windows Forensics" series, this episode covers a powerful, PowerShell-based incident response framework called Kansa. Kansa uses PowerShell Remoting to run user contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline. This framework can be run across a single host, or even tens of thousands of hosts.
We’ll first look at the included modules and run some of them to learn how and what information Kansa collects. Then we'll run the tool against a Windows 10 machine and then analyze the exported CSV data with Timeline Explorer. I think you'll be amazed by the results!
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
🖥 Commands Used in This Episode
Set-NetConnectionProfile -NetworkCategory Private
Enable-PSRemoting
DO NOT USE THE COMMANDS BELOW IN PRODUCTION ENVIRONMENTS
###############################################################
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/client '@{AllowUnencrypted="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
###############################################################
.\kansa.ps1 -Target localhost -ModulePath .\Modules -Verbose -Authentication basic -Credential (Get-Credential)
Kansa (GitHub):
github.com/dav...
Download Eric Zimmerman's Tools:
ericzimmerman....
If you're new to PowerShell Remoting, check this out:
www.networkadm...
Background Music Courtesy of Anders Enger Jensen:
/ hariboosx
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Just got finished covering this in SANS SEC511. Nice framework for DFIR on Windows.
Thanks for making this video.
Would you please make a video on enterprise level running these scripts?
For example: you can consider couple of VMs (hosts) > run the scripts > "analyse output collected from multiple hosts from single file"
Great job as usual! This helped compliment some of my SANS 508 material.
Im looking for ways to continue it as well
Thank you, please continue to make videos like these, love your work!
Hello, I'm finishing my studies as SysAdmin and I have to do a little job, I've been assigned to do one about Kansa and this video have been very helpful to fully understand how it works. ty very much and greetings from Canary Islands!
Is Kansa abandonware? It was featured heavily in SANS FOR508, but it seems the project hasn’t seen any updates in two years.
It seems that way, sadly. But, at least the framework can be easily adapted as you need and can still prove to be quite useful.
Absolutely! Great video. I've used Kansa in the past.
I'd love if you could cover aggregating and analyzing outputs from multiple hosts.!!!
Good work, just finished the whole playlist and it was very informative.
Your content are always helpful. Thanks for the video.
Thanks for this amazing intro course. learned many new things :)
amazing, thanks for this Video!!!
Great..I would love to see more videos on Kansa.
My favorite channel in youtube. Thank you!
Please make a video on Skadi tool
You guys are awesome. Keep it up!
Thanks for the video...
Great tool !
Great stuff!
Great stuff! But as soon as this runs in a enterprise it askes for Remote Administration for AD to be installed - which we can not do on isolated and hosts that are not suppose to have it.
Subscribed!