Kansa: a powershell incident response framework

Automated acquisition of data from thousands of hosts with Powershell!

Kansa is a powershell framework designed by Dave Hull to support massive data collections.
It permits to easily scaling to thousands of systems via powershell remoting, but is not confined only to powershell: it can exec virtually anything.

What does it do?

It uses Powershell Remoting to run user contributed, ahem, user contri-
buted modules across hosts in an enterprise to collect data for use
during incident response, breach hunts, or for building an environmental


Simply download latest build from github, unzip it, and “unblock” the ps1 files.
The easiest way to do this if you’re using Powershell v3 or later is to cd to the directory where Kansa resides and do:

ls -r *.ps1 | Unblock-File

Ensure that you check your execution policies with PowerShell:

Set-ExecutionPolicy AllSigned | RemoteSigned | Unrestriced

Usage example

Open an elevated Powershell Prompt (Right-click Run As Administrator)

At the command prompt, enter:

.kansa.ps1 -Target $env:COMPUTERNAME -ModulePath .Modules -Verbose

The script should start collecting data or you may see an error aboutnot having Windows Remote Management enabled.

When it finishes running, you’ll have a new Output_timestamp subdirectory, with subdirectories for data collected by each module.





This site uses Akismet to reduce spam. Learn how your comment data is processed.