{"id":13641913,"url":"https://github.com/davehull/Kansa","last_synced_at":"2025-04-20T12:30:53.847Z","repository":{"id":14836785,"uuid":"17559683","full_name":"davehull/Kansa","owner":"davehull","description":"A Powershell incident response framework","archived":false,"fork":false,"pushed_at":"2022-11-22T02:14:29.000Z","size":1139,"stargazers_count":1593,"open_issues_count":46,"forks_count":272,"subscribers_count":143,"default_branch":"master","last_synced_at":"2025-04-07T22:10:02.317Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"Yubico/yubikey-val","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/davehull.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"contributing.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-03-09T07:08:39.000Z","updated_at":"2025-04-07T16:53:20.000Z","dependencies_parsed_at":"2022-07-16T23:16:19.749Z","dependency_job_id":null,"html_url":"https://github.com/davehull/Kansa","commit_stats":null,"previous_names":[],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davehull%2FKansa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davehull%2FKansa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davehull%2FKansa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davehull%2FKansa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/davehull","download_url":"https://codeload.github.com/davehull/Kansa/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","r
epositories_count":249893356,"owners_count":21341434,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T01:01:25.624Z","updated_at":"2025-04-20T12:30:53.071Z","avatar_url":"https://github.com/davehull.png","language":"PowerShell","funding_links":[],"categories":["🧰 Frameworks","PowerShell","PowerShell (153)","Frameworks","Tools"],"sub_categories":[],"readme":"Kansa\n=====\n\nA modular incident response framework in Powershell. It's been tested in PSv2 / .NET 2 and\nlater and works mostly without issue.\n\nBut really, upgrade to PSv3 or later. Be happy.\n\nMore info:  \nhttp://trustedsignal.blogspot.com/search/label/Kansa  \nhttp://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/  \n\n## What does it do?\nIt uses Powershell Remoting to run user contributed, ahem, user contri-  \nbuted modules across hosts in an enterprise to collect data for use  \nduring incident response, breach hunts, or for building an environmental  \nbaseline.\n\n## How do you use it?\nHere's a very simple command line example you can run on your own local  \nhost.  \n\n1.  After downloading the project and unzipping it, you'll likely need  \nto \"unblock\" the ps1 files. The easiest way to do this if you're using  \nPowershell v3 or later is to cd to the directory where Kansa resides  \nand do:  \n```Powershell\nls -r *.ps1 | Unblock-File\n```\n1. Ensure that you check your execution policies with PowerShell. 
Check [Using the Set-ExecutionPolicy Cmdlet](https://technet.microsoft.com/en-us/library/ee176961.aspx) for information on how to do so within your environment.  \n```\nSet-ExecutionPolicy AllSigned | RemoteSigned | Unrestricted\n```\n1. If you're not running PS v3 or later, [Sysinternals' Streams utility](https://technet.microsoft.com/en-us/sysinternals/streams.aspx) can  \nbe used to remove the alternate data streams that Powershell uses to  \ndetermine if files came from the Internet. Once you've removed those  \nADSes, you'll be able to run the scripts without issue.  \n```\nc:\\ streams -sd \u003cKansa directory\u003e\n```\n\nI've not run into any issues running the downloaded scripts via Windows  \nRemote Management / Powershell Remoting through Kansa, so you shouldn't  \nhave to do anything if you want to run the scripts via remoting.  \n\n2.  Open an elevated Powershell Prompt (Right-click Run As Administrator)  \n\n3.  At the command prompt, enter:\n```Powershell\n.\\kansa.ps1 -Target $env:COMPUTERNAME -ModulePath .\\Modules -Verbose  \n```\nThe script should start collecting data, or you may see an error about  \nnot having Windows Remote Management enabled. If so, do a little  \nsearching online; it's easy to turn on. Turn it on and try again. When  \nit finishes running, you'll have a new Output_timestamp subdirectory,  \nwith subdirectories for data collected by each module. You can cd into  \nthose subdirectories and check out the data. There are some analysis  \nscripts in the Analysis directory, but many of those won't make sense  \non a collection of data from a single host. Kansa was written for  \ncollection and analysis of data from dozens, hundreds, thousands, tens  \nof thousands of systems.  \n\n## Running Modules Standalone\nKansa modules can be run as standalone utilities outside of the Kansa  \nframework. Why might you want to do this? 
Consider netstat -naob: the  \noutput of the command line utility is ugly and doesn't easily lend  \nitself to analysis. Running  \n```Powershell\nModules\\Net\\Get-Netstat.ps1\n```\nas a standalone script will call netstat -naob, but it will return  \nPowershell objects in an easy to read, easy to analyze format. You can  \neasily convert its output to CSV, TSV or XML using normal Powershell  \ncmdlets. Here's an example:  \n```Powershell\n.\\Get-Netstat.ps1 | ConvertTo-CSV -Delimiter \"`t\" -NoTypeInformation | % { $_ -replace \"`\"\" } | Set-Content netstat.tsv\n```\nThe result of the above will be a file called netstat.tsv containing  \nunquoted, tab-separated values for netstat -naob's output.\n\n## Caveats:\nPowershell relies on the Windows API. Your adversary may use subterfuge.*\n\n* Collectors can be written to bypass the Windows API as well.  \nGet-RekallPslist.ps1 for example.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavehull%2FKansa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdavehull%2FKansa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavehull%2FKansa/lists"}