It features a core script, dozens of collector modules and analysis scripts to help make sense of the data collected. Or you could check out Kansa, a free, open source, PowerShell-based incident response framework hosted at. For more on that, read this.Īt this point, you know what took me awhile to figure out and you could start writing your own code with these lessons in mind.
Using it during a security investigation in a compromised environment may actually be increasing risk by exposing more privileged credentials to an adversary. Lastly and very importantly, using CredSSP should be avoided. Secondly, copying a script to every host in your environment means you’re not taking advantage of Windows Remote Management and PowerShell’s ability to run jobs across multiple hosts in parallel.
You could do what I did a couple years ago and write a monolithic PowerShell script to collect the data you need for your investigation and copy that script to every host in your environment, maybe requiring CredSSP to pull third-party binaries like Sysinternal’s Autorunsc from a file server or to write output to a file server, but that would be a bad idea.įor starters, a monolithic script written to collect many different data points will be cumbersome if you later want to collect a single data point from multiple hosts.
Kansa: A PowerShell-based incident response framework This article is not endorsed by Microsoft. DisclaimerĪt this point, I should provide the following disclaimer: This article is solely representative of the views and opinions of the author, Dave Hull, and is not intended to state or reflect those of Microsoft Corporation, the author’s employer. Readers of PowerShell Magazine understand that PowerShell can provide much of this capability for Windows systems. Investigators may need to gather data from many or even all machines within a given domain or other security boundary to look for indicators of compromise or anomalous activity. In the early going, the investigative focus may be narrow - the known victim machine, but the scope often quickly expands. How did the account get there? How long has it been there? What has it been used for and by whom? Maybe the incident started because someone noticed an account added to the domain administrators group. In many enterprises, computer security incident response (IR) teams exist to respond to these threats and these teams nearly always spring into action with very limited knowledge about the incidents they are investigating. If you follow information security, you know that information systems are constantly under attack and often fall victim to adversaries looking to make a quick buck, gain competitive advantage through theft of intellectual property or embarrass a target that they find politically or ideologically offensive.
0 kommentar(er)
