This guide is focused on getting Kansa up and running in an enterprise environment. PowerShell has a few safeguards you have to remove before it will let you run with the privileges you require.

What is Kansa?

Kansa is an Incident Response Framework that runs in PowerShell. Its primary purpose is to pull logs from multiple Windows machines that are running the same AD domain.

Resources:

• Kansa Project
• My IR Scripts

Setup Process

Initial Setup

Run PowerShell as Administrator and navigate to your working directory. Download and extract the scripts:

1
2

wget https://github.com/Gareth-Rouse/IR-Scripts/archive/master.zip -O KansaScripts.zip
Expand-Archive KansaScripts.zip

Configure PowerShell Execution Policy

Navigate to the KansaScripts directory and set the execution policy:

1
2

cd KansaScripts
.\Set Exe Policy

Unblock PowerShell Files

If you encounter script blocking issues, unblock the PowerShell files:

1

.\Unblock PS files

Install Prerequisites

If you hit errors for missing prerequisites, run the setup script:

1

.\Kansa Setup

Download Kansa Framework

Download the main Kansa framework:

1

.\DL Kansa

Running Kansa

Navigate to the master directory and execute Kansa with target parameters:

1
2

cd master
.\kansa.ps1 -Target $env:COMPUTERNAME

Note: The variable $env:COMPUTERNAME returns the current host’s name. This can be replaced with hostnames of any machines you wish to target.

Output and Results

After a short time, you should have the logs stored in an output folder.

Tip: If Kansa gets stuck, Ctrl+C will only cancel the current log type and move to the next one.

Additional Resources

For more detailed information, read the comprehensive documentation at: Kansa Documentation

Happy Hunting! 🔍

This framework is invaluable for incident response teams working in Windows environments. Kansa’s ability to quickly gather forensic data across multiple systems makes it an essential tool in any IR toolkit.

Last modified on 2025-06-25