Kansa, an IR Framework
This guide is focused on getting Kansa up and running in an enterprise environment. PowerShell ships with a few safeguards (the script execution policy, and the blocking of scripts downloaded from the internet) that you have to relax before it will let you run Kansa with the privileges it requires.
Link to the Kansa project: https://github.com/davehull/Kansa
My scripts: https://github.com/Gareth-Rouse/IR-Scripts
Kansa is an incident response framework written in PowerShell. Its primary purpose is to collect logs and other artifacts from many Windows machines joined to the same Active Directory domain in one run. It does this over PowerShell remoting (WinRM), so each target must have remoting enabled and the account running Kansa must be a local administrator on it.
Using Kansa
Run PowerShell as Administrator and cd to a directory to work from. Download and extract the scripts with:
Invoke-WebRequest -Uri https://github.com/Gareth-Rouse/IR-Scripts/archive/master.zip -OutFile KansaScripts.zip; Expand-Archive KansaScripts.zip
(wget is only an alias for Invoke-WebRequest in Windows PowerShell; spelling the cmdlet out also works in PowerShell 7.)
Next, set the PowerShell execution policy so that Kansa's unsigned scripts are allowed to run. cd into the extracted KansaScripts folder and run the script below (the name contains spaces, so quote it and use the call operator):
& '.\Set Exe Policy'
If you would rather not leave the policy permanently loosened on the host, Set-ExecutionPolicy with -Scope Process relaxes it for the current session only.
Scripts downloaded from the internet carry a Mark of the Web (a Zone.Identifier alternate data stream), and PowerShell refuses to run unsigned scripts that have it. When you hit that error, unblock them with:
& '.\Unblock PS files'
If you get an error about missing prerequisites, run:
& '.\Kansa Setup'
Download Kansa:
& '.\DL Kansa'
cd into the extracted Kansa-master directory and run Kansa with these parameters:
.\kansa.ps1 -Target $env:COMPUTERNAME
$env:COMPUTERNAME expands to the current host's name, so this first run collects from the local machine. Replace it with the hostname of whichever machine you want to target; for many hosts at once, Kansa also accepts a file of hostnames via -TargetList.
After a short while the collected data is stored in an output folder under the Kansa directory. If Kansa gets stuck, Ctrl+C cancels only the module currently being collected; Kansa then moves on to the next module rather than exiting.
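The whole procedure above as one script, added here as an example; it is not the original page's code and not part of the Kansa project. Instead of the helper scripts it calls the underlying cmdlets directly, scopes the execution-policy change to the current process, verifies the Mark of the Web is gone before running, and checks each target answers WinRM before Kansa tries it. It assumes a working directory of C:\IR\Kansa, the Kansa-master layout produced by the GitHub zip, and a targets.txt file with one hostname per line (constructed input); -TargetList and -Pushbin are Kansa's own parameters.

```powershell
# Added example (not from the original page or the Kansa project).
# Assumptions: working directory C:\IR\Kansa, the Kansa-master layout from the
# GitHub zip, and targets.txt (constructed input: one hostname per line).
#Requires -RunAsAdministrator

$Work = 'C:\IR\Kansa'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
Set-Location $Work

# 1. Relax the execution policy for this process only. It reverts when the
#    window closes, so the host is not left permanently weakened.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# 2. Download and extract Kansa (zip of the master branch).
Invoke-WebRequest -Uri 'https://github.com/davehull/Kansa/archive/master.zip' -OutFile 'Kansa.zip'
Expand-Archive -Path 'Kansa.zip' -DestinationPath $Work -Force
$KansaDir = Join-Path $Work 'Kansa-master'

# 3. Downloaded files carry a Zone.Identifier stream (Mark of the Web), which
#    RemoteSigned refuses to run on unsigned scripts. Strip it from every file.
Get-ChildItem -Path $KansaDir -Recurse -File | Unblock-File

# 4. Verify nothing is still blocked before running anything.
$stillBlocked = Get-ChildItem -Path $KansaDir -Recurse -File |
    Where-Object { Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue }
if ($stillBlocked) {
    throw "Blocked files remain: $($stillBlocked.FullName -join ', ')"
}

# 5. Kansa collects over PowerShell remoting, so drop targets that do not
#    answer WinRM instead of letting the run stall on them.
$targets   = Get-Content -Path (Join-Path $Work 'targets.txt')
$reachable = foreach ($t in $targets) {
    if (Test-WSMan -ComputerName $t -ErrorAction SilentlyContinue) { $t }
    else { Write-Warning "WinRM not reachable on $t; skipping" }
}
$reachableFile = Join-Path $Work 'reachable.txt'
$reachable | Set-Content -Path $reachableFile

# 6. Run Kansa against the reachable hosts. -TargetList takes a file of
#    hostnames; -Pushbin copies any binaries that modules depend on to the
#    targets before collection.
Set-Location $KansaDir
.\kansa.ps1 -TargetList $reachableFile -Pushbin
```

The pre-flight check in step 5 is the one most worth keeping: a host that is in the domain but has WinRM disabled, or is blocked by a firewall, is the usual reason a Kansa run appears to hang, and it is cheaper to find that out before collection starts than to Ctrl+C through every module.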
For more information go read the documentation at: https://github.com/davehull/Kansa/blob/master/README.md
>>>>>————————> Happy hunting <————————<<<<<