Slide 1: Gathering Data (Incident Response)
Slide 2: More forensic information we can gather
Logs are great…
• But often we'll need additional data
• We can't go out to every machine and manually acquire this information
• There aren't always tools to do it for us
• Scripting can be our friend, especially PowerShell
• Some attack types aren't always picked up by logs
Slide 3: Some other types of data
• Why might each of these be useful?
• ARP cache
• DNS cache
• Members of the local Administrators group
• List of patches/hotfixes applied to a system
• List of software on a system
Slide 4: Demo/Lab
• IA Lab
• <username>_IR_Workshop_Kansa
• This is a different vApp than the one we used yesterday
• 2 Windows servers (domain configured)
• 1 Windows 10 client
Slide 5: WMIC (Windows Management Instrumentation Command)
• Command-line tool that lets us interact with WMI
• Great way to collect data from a computer
• Can even collect from multiple computers
• Example: wmic product get description, name, vendor
Slide 6: Kansa
• PowerShell incident response framework
• Author: Dave Hull
• https://github.com/davehull/Kansa
• Collects data from multiple hosts in an environment
• Requires PowerShell 3.0
• Run as Administrator
• Uses Windows Remote Management (WinRM) to connect to remote systems
• Many different modules to collect different types of data: processes, network connections, system configurations, etc.
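A PowerShell collector for the artifacts listed on the "Some other types of data" slide, pulled from one or more hosts over WinRM the way Kansa does. This is an added example, not code from the slides or from Kansa; it assumes WinRM is enabled on the targets, that you hold local admin rights there, and the output directory is a placeholder.

```powershell
# Added example (not from the slides or from Kansa): gather ARP cache, DNS cache,
# local Administrators, hotfixes and installed software from each host over WinRM.
# Assumes WinRM is enabled on remote targets and the caller is a local admin there.
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$OutDir = "$env:USERPROFILE\IR-Collection"   # assumed output location
)

# Runs on each target. Each artifact is wrapped so one failure (for example a
# cmdlet missing on an older OS) does not abort the whole collection.
$collector = {
    $r = [ordered]@{ Host = $env:COMPUTERNAME; CollectedUtc = (Get-Date).ToUniversalTime() }
    # ARP cache: unexpected IP/MAC pairings can point to spoofing or rogue hosts on the segment
    $r.Arp = try { Get-NetNeighbor -AddressFamily IPv4 | Where-Object State -ne 'Unreachable' |
                   Select-Object ifIndex, IPAddress, LinkLayerAddress, State } catch { "error: $_" }
    # DNS cache: recent lookups (C2 domains, phishing hosts) survive here even if proxy logs miss them
    $r.DnsCache = try { Get-DnsClientCache | Select-Object Entry, RecordType, Data, TimeToLive } catch { "error: $_" }
    # Local Administrators: a new or unexpected member is a common persistence indicator (needs PS 5.1+)
    $r.LocalAdmins = try { Get-LocalGroupMember -Group 'Administrators' |
                           Select-Object Name, ObjectClass, PrincipalSource } catch { "error: $_" }
    # Installed hotfixes: shows which known vulnerabilities the host is still exposed to
    $r.HotFixes = try { Get-HotFix | Select-Object HotFixID, Description, InstalledOn } catch { "error: $_" }
    # Installed software, read from the Uninstall registry keys. This avoids Win32_Product
    # (what "wmic product" queries), which triggers an MSI consistency check/repair on every query.
    $uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $r.Software = try { Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
                        Where-Object DisplayName |
                        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate } catch { "error: $_" }
    [pscustomobject]$r
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($target in $ComputerName) {
    # The local host runs the block directly; remote hosts go through Invoke-Command (WinRM)
    $data = if ($target -in @('localhost', $env:COMPUTERNAME)) { & $collector }
            else { Invoke-Command -ComputerName $target -ScriptBlock $collector }
    # One JSON file per host so results can be diffed against a known-good baseline later
    $data | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $OutDir "$($data.Host).json")
    Write-Host "[$($data.Host)] admins=$(@($data.LocalAdmins).Count) hotfixes=$(@($data.HotFixes).Count) software=$(@($data.Software).Count)"
}
```

Run it as `.\Collect-IRArtifacts.ps1 -ComputerName srv01,srv02,win10-01` from an elevated prompt; hosts that refuse WinRM will surface as an Invoke-Command error rather than an empty file.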