Hunting injected processes by the modules they keep

A relatively recent post showed how Metasploit's Meterpreter module made some noise on endpoints when the migrate command was used to move the agent code into a legitimate process, spoolsv.exe in our ...
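The idea in the title, stacking the modules each process has loaded across many hosts so that a module/process pair seen on only one machine stands out, can be shown with a short PowerShell script. This is an added example, not code from the original post or from Kansa; the CSV rows are constructed for illustration and the column names (Host, ProcessName, ModulePath) are an assumption about the collector's output layout.

```powershell
# Added example (not Kansa's own code): least-frequency stacking of loaded
# modules per process across hosts. Pairs with a low HostCount are review candidates.
# Input layout (Host,ProcessName,ModulePath) is assumed; the rows below are constructed.
$csv = @"
Host,ProcessName,ModulePath
HOST01,spoolsv,C:\Windows\System32\ntdll.dll
HOST01,spoolsv,C:\Windows\System32\kernel32.dll
HOST02,spoolsv,C:\Windows\System32\ntdll.dll
HOST02,spoolsv,C:\Windows\System32\kernel32.dll
HOST03,spoolsv,C:\Windows\System32\ntdll.dll
HOST03,spoolsv,C:\Windows\System32\kernel32.dll
HOST03,spoolsv,C:\Users\Public\update.dll
"@
$sample = $csv | ConvertFrom-Csv

function Get-ModuleStack {
    param([Parameter(Mandatory)][object[]]$Rows)
    # Group on the (process, module) pair and count the distinct hosts that show it.
    $Rows |
        Group-Object ProcessName, ModulePath |
        ForEach-Object {
            $first = $_.Group[0]
            $hosts = $_.Group | Select-Object -ExpandProperty Host -Unique | Sort-Object
            [pscustomobject]@{
                HostCount   = @($hosts).Count
                ProcessName = $first.ProcessName
                ModulePath  = $first.ModulePath
                Hosts       = $hosts -join ';'
            }
        } |
        Sort-Object HostCount, ProcessName, ModulePath   # rarest pairs first
}

# Live collection on one host in the same layout (run elevated to see other users'
# processes; 32-bit PowerShell cannot read 64-bit process modules, hence the try/catch).
function Get-LoadedModuleRows {
    $h = $env:COMPUTERNAME
    Get-Process | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }
        foreach ($m in $mods) {
            [pscustomobject]@{ Host = $h; ProcessName = $p.ProcessName; ModulePath = $m.FileName }
        }
    }
}

Get-ModuleStack -Rows $sample | Format-Table -AutoSize
```

With the constructed rows, the ntdll.dll and kernel32.dll pairs each show HostCount 3, while C:\Users\Public\update.dll in spoolsv appears on HOST03 only and sorts to the top. Against real collections, feed Get-LoadedModuleRows from each host into the same stacking function and add an exclusion list for known-good paths before reviewing the remainder.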
Kansa: Get-LogparserStack.ps1

Kansa is an incident response framework written in PowerShell, useful for data collection and analysis. Most of the analysis capabilities in Kansa require Logparser, which is a very handy tool for creating ...
Kansa: Get-AutorunscDeep.ps1 -- Taking Autorunsc to 11

I wanted to put up a quick post about a new Kansa collector I recently added -- Get-AutorunscDeep.ps1. Sysinternals' Autoruns is a great utility for finding auto-start extension points in Windows and ...

Kansa: Passing arguments to collector modules

In my previous post on Kansa's automated analysis, I mentioned there was another improvement I made to the framework that I would cover in a future post. I thought at that time, ...
Kansa: Automating Analysis

Kansa, the PowerShell based incident response framework, was written from the start to automate acquisition of data from thousands of hosts, but a mountain of collected data is not worth bits without analysis, ...
Kansa: Get-LogUserAssist.ps1

Tags: Kansa, Registry, UserAssist
Tonight I pushed the latest collector to Kansa, Get-LogUserAssist.ps1. This is probably the most complicated collector I've written for Kansa. It has several moving parts and there were some obstacles to overcome. As with ...

Kansa: Powershell profiles potentially hazardous

On the very day I published my previous post, Kansa: Collecting WMI Event Consumer backdoors, Mark Russinovich announced the release of a new version of Autoruns that collects WMI related ASEPs. I ...
Kansa: Collecting WMI Event Consumer backdoors

In my previous post, Kansa: Service related collectors and analysis, I discussed the Windows Service related collectors and analysis capabilities in Kansa and noted that some of the collected data is not ...
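Permanent WMI event subscriptions live in the root\subscription namespace as three linked objects: an __EventFilter (the trigger query), an __EventConsumer (the action, such as a command line or script) and a __FilterToConsumerBinding that ties them together. The script below walks the bindings and resolves each side so the trigger and its payload appear on one row. It is an added example, not Kansa's own WMI collector; it uses only the documented WMI classes and runs on a single host, which should be done elevated.

```powershell
# Added example (not Kansa's collector code): list persistent WMI event
# subscriptions on this host by resolving each filter->consumer binding.
function Get-WmiSubscription {
    $ns = 'root\subscription'
    $bindings = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are object-path strings; the [wmi] accelerator dereferences them.
        try { $f = [wmi]$b.Filter }   catch { $f = $null }
        try { $c = [wmi]$b.Consumer } catch { $c = $null }

        # The payload property depends on the consumer class.
        $payload = $null
        if ($c) {
            switch ($c.__CLASS) {
                'CommandLineEventConsumer'  { $payload = $c.CommandLineTemplate }
                'ActiveScriptEventConsumer' { $payload = $c.ScriptText }
                default                     { $payload = $c.__RELPATH }
            }
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            FilterName   = if ($f) { $f.Name }  else { $b.Filter }
            Query        = if ($f) { $f.Query } else { $null }
            ConsumerType = if ($c) { $c.__CLASS } else { $null }
            ConsumerName = if ($c) { $c.Name } else { $b.Consumer }
            Payload      = $payload
        }
    }
}

Get-WmiSubscription | Format-List
```

A host with no subscriptions returns nothing. On a fleet, the Query and Payload columns are the ones to stack: a filter that fires on boot or at a fixed interval bound to a CommandLineEventConsumer or ActiveScriptEventConsumer that appears on one or two machines is the pattern worth pulling apart by hand.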
Kansa: Service related collectors and analysis

In my previous post on Kansa's Autoruns collectors and analysis scripts, I mentioned that the Get-Autorunsc.ps1 collector relies on Sysinternals' Autorunsc.exe to collect data on all of the Autostart Extension Points (ASEPs) that ...
Kansa: Autoruns data and analysis

Tags: aseps, autoruns, DFIR, Kansa
I want your input. With the "Trailer Park" release of Kansa marking a milestone for the core framework, I'm turning my focus to analysis scripts for data collected by the current set of modules. As of ...