Releases: davehull/Kansa
Stafford
Full changelog since previous release:
Quick hits:
Kansa.ps1 has several new command line parameters, including:
- -OutputFormat, an optional parameter that takes an argument that specifies the format of collected output. Valid values are CSV, JSON, TSV and XML (yuck).
- -UseSSL, an optional switch. If present, it is passed through to the New-PSSession call and remote sessions will use Secure Sockets Layer. Note this does require that you've installed appropriate certificates on the remote hosts.
- -Port, an optional parameter that takes a port number. Use this when WinRM is configured to listen on a non-standard port.
- -Authentication, an optional parameter that takes an argument that specifies what authentication mechanism should be used. Kerberos is still the default, but all WinRM authentication mechanisms are now supported. You can even do risky things like Basic or CredSSP, but I wouldn't recommend it.
- -JSONDepth, an optional parameter that takes an integer argument specifying the level of depth for object serialization to JSON.
A note on OutputFormat:
The -OutputFormat parameter above is a big change. Previously Kansa.ps1 would parse the SYNOPSIS section of each collector looking for an "OUTPUT" directive and save the data for that collector accordingly. This is no longer the case. Now when you run Kansa.ps1 all collected data will be returned in the same format, with CSV as the default. You might be wondering how things like binary files are returned as CSV. In this version of Kansa, those binary files are serialized and saved as an object property. You will have to deserialize them using Analysis\Deserialize-KansaField.ps1 in order to analyze those binary files. This is a major change.
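To make the serialization point concrete, here is an added example (not Kansa's own code, and not how Deserialize-KansaField.ps1 is implemented; the notes above do not describe Kansa's serialization format, so Base64 is an assumption used for illustration). It shows why a raw byte array cannot ride in a CSV row, a minimal serialize/deserialize pair, and a helper that mirrors the four -OutputFormat values and -JSONDepth. All function names and the sample blob are constructed for this example.

```powershell
# Added example (not Kansa's own code): why binary collector output needs serializing
# before it can travel in a flat format such as CSV, and how to get it back.
# Kansa's actual serialization format is not described in the notes; Base64 is an
# assumption used here for illustration. Function names are hypothetical.

function ConvertTo-SerializedField {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes)
}

function ConvertFrom-SerializedField {
    param([Parameter(Mandatory)][string]$Text)
    [byte[]][Convert]::FromBase64String($Text)
}

function ConvertTo-KansaStyleOutput {
    # Mirrors the four -OutputFormat values; -JSONDepth only matters for JSON (and XML here).
    param(
        [Parameter(Mandatory)]$InputObject,
        [ValidateSet('CSV', 'JSON', 'TSV', 'XML')][string]$OutputFormat = 'CSV',
        [int]$JSONDepth = 10
    )
    switch ($OutputFormat) {
        'CSV'  { $InputObject | ConvertTo-Csv -NoTypeInformation }
        'TSV'  { $InputObject | ConvertTo-Csv -NoTypeInformation -Delimiter "`t" }
        'JSON' { $InputObject | ConvertTo-Json -Depth $JSONDepth }
        'XML'  { $InputObject | ConvertTo-Xml -As String -Depth $JSONDepth }
    }
}

function Get-Sha256Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha = [Security.Cryptography.SHA256]::Create()
    ([BitConverter]::ToString($sha.ComputeHash($Bytes))) -replace '-'
}

# Constructed sample: a 6-byte blob standing in for a collected binary file.
$blob     = [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00)
$expected = Get-Sha256Hex -Bytes $blob

# A raw byte[] property in a CSV row collapses to its type name ("System.Byte[]");
# the content is lost, which is the problem the serialized-field approach solves.
$naive = [pscustomobject]@{
    PSComputerName = 'HOST01'
    Path           = 'C:\constructed\sample.bin'
    Content        = $blob
}
ConvertTo-KansaStyleOutput -InputObject $naive -OutputFormat CSV

# Stored as a serialized string property, the same row survives CSV and deserializes losslessly.
$record = [pscustomobject]@{
    PSComputerName = 'HOST01'
    Path           = 'C:\constructed\sample.bin'
    Content        = ConvertTo-SerializedField -Bytes $blob
}
$csv   = ConvertTo-KansaStyleOutput -InputObject $record -OutputFormat CSV
$row   = $csv | ConvertFrom-Csv
$bytes = ConvertFrom-SerializedField -Text $row.Content
$actual = Get-Sha256Hex -Bytes $bytes

"Round trip intact: $($actual -eq $expected)"

# The same record in the other formats the new parameter accepts.
ConvertTo-KansaStyleOutput -InputObject $record -OutputFormat JSON -JSONDepth 2
ConvertTo-KansaStyleOutput -InputObject $record -OutputFormat TSV
```

Comparing a hash of the deserialized bytes against the original is the check worth keeping in any analysis pipeline: it confirms the field was serialized and decoded in full rather than truncated or re-encoded by an intermediate tool.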
I'll have a blog post coming with more details on these changes and why they were made over at http://trustedsignal.blogspot.com, hint: you can now run Kansa against non-domain joined assets, including VMs in Azure. I'll update the release notes with the full URL once the post is published.
Rule
Full Changelog since previous release
Quick hits:
z4ns4tsu added some code to remove jobs, reducing memory footprint.
Based on a blog post z4ns4tsu forwarded to me, I replaced all foreach() statements with Foreach-Object logic in Kansa.ps1, which further reduces the memory footprint of Kansa.ps1. These changes are also being pushed to most collector modules. There is a tradeoff here for speed, but in my limited testing, the impact was minimal.
Details on the blog post here:
http://poshoholic.com/2007/08/21/essential-powershell-understanding-foreach/
Ward
Full Changelog since previous release
Quick hits:
New collector for known hashes, which scans the provided path looking for hash matches. On newer PowerShell versions it uses workflows for high parallelism. Contributed by @z4ns4tsu.
Some bug fixes including one for dealing with long paths that was preventing data from being written in some situations.
Updates to Analysis scripts fixing a bug that was suppressing header row output for many analysis scripts.
Hodson
Kansa: Hodson release
Big new feature is that collectors can take multiple arguments, here's an example:
.\kansa.ps1 -ModulePath ".\Modules\Disk\Get-FilesByHash.ps1 BF93A2F9901E9B3DFCA8A7982F4A9868,MD5,C:\Windows\System32,\.exe$" -Verbose -target localhost
Blog post here with more details:
http://trustedsignal.blogspot.com/2014/07/kansa-passing-arguments-to-collector.html
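The argument string above packs four values into one collector argument: a hash, the algorithm, the path to scan, and a filename regex. As an added example (not Kansa's own Get-FilesByHash.ps1, and not a copy of its parsing rules), the following shows a minimal known-hash scanner that accepts that shape and reports matching files. Get-FileHash ships with PowerShell 4 and later; the function names, the assumption that only the first three commas separate fields (so the regex may itself contain commas), and the ';'-separated multi-hash form are all constructed for this illustration.

```powershell
# Added example (not Kansa's own collector): a minimal known-hash scanner driven by the
# "hash,algorithm,path,regex" argument shape shown above. Function names and parsing
# rules are assumptions for illustration, not Kansa's documented behaviour.

function Find-FilesByHash {
    param(
        [Parameter(Mandatory)][string[]]$Hash,
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'MD5',
        [Parameter(Mandatory)][string]$Path,
        [string]$Pattern = '.*'
    )
    # Normalise the watch-list once; Get-FileHash returns upper-case hex.
    $wanted = @{}
    foreach ($h in $Hash) { $wanted[$h.Trim().ToUpperInvariant()] = $true }

    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object {
            # Locked or unreadable files are skipped rather than aborting the scan.
            $fh = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
            if ($fh -and $wanted.ContainsKey($fh.Hash)) {
                [pscustomobject]@{
                    FullName  = $_.FullName
                    Length    = $_.Length
                    LastWrite = $_.LastWriteTimeUtc
                    Algorithm = $Algorithm
                    Hash      = $fh.Hash
                }
            }
        }
}

function ConvertFrom-CollectorArgument {
    # Splits "hash,algorithm,path,regex" on the first three commas only, so a regex
    # containing commas stays intact. Multiple hashes may be given as "h1;h2" (assumption).
    param([Parameter(Mandatory)][string]$ArgumentString)
    $parts = $ArgumentString -split ',', 4
    if ($parts.Count -lt 3) { throw "expected at least hash,algorithm,path" }
    $pattern = '.*'
    if ($parts.Count -eq 4) { $pattern = $parts[3] }
    @{
        Hash      = $parts[0] -split ';'
        Algorithm = $parts[1]
        Path      = $parts[2]
        Pattern   = $pattern
    }
}

# Usage with a constructed target: write a scratch file, hash it, then search for it.
$dir  = Join-Path ([IO.Path]::GetTempPath()) 'kansa-hash-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'sample.exe'
[IO.File]::WriteAllBytes($file, [byte[]](0x4D, 0x5A, 0x90, 0x00))
$md5  = (Get-FileHash -LiteralPath $file -Algorithm MD5).Hash

$collectorArgs = ConvertFrom-CollectorArgument -ArgumentString "$md5,MD5,$dir,\.exe$"
Find-FilesByHash @collectorArgs | Format-Table -AutoSize
```

Splatting the parsed hashtable into the function keeps the single-string argument form and the named-parameter form interchangeable, which is the same convenience the release describes for passing arguments to collectors from the command line.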
Complete list of updates since previous release:
Madison
Kansa: Madison Release
Kansa collector modules (collectors) can now take command line arguments either via the Modules\Modules.conf file or via the command line. This allowed me to consolidate a dozen or so collector scripts into a single collector that accepts different command line arguments.
Complete details on changes since previous release are here:
v0.8433-beta...master
Spruce
Spruce: the automated analysis release
Major new feature is the -Analysis switch that kicks off analysis scripts once data collection is complete
Complete list of changes since previous release:
v0.8432-beta...master
Hillside
Differences between this release and Mt. Vernon are found here:
v0.8431-beta...master
Mt Vernon
89 commits since the previous release, too many to list here. See v0.843-beta...master for details.
Highlights
- Specify a single module by providing the full path to the module as the argument to -ModulePath
- Added a Get-File.ps1 collector for acquiring specific files
- Added -ThrottleLimit argument to support more or less parallelism
- Added a collector for common temporary directory listings
- Modified all analysis scripts to stop paginating their output
- Get-ProcsWMI.ps1 now pulls the MD5 hash of the image on disk associated with running processes
- Get-DNSCache.ps1 now returns matching objects for ipconfig /displaydns and Get-DNSClientCache
- Added Get-LogUserAssist.ps1 for collecting UserAssist data
- Added numerous analysis scripts
- Added -Credential support for copying third-party binaries to remote hosts
Chautauqua
Restructured module paths into categories. Added quite a few new collectors too.
Erie
This release marks a milestone with Get-Flsbodyfile.ps1's ability to push a .zip file to remote hosts, extract it and run the packaged executable to collect fls bodyfile data from those hosts.
It's not a fast process: it took me almost two hours to generate bodyfiles from three remote hosts, one of which has a nearly full 500GiB disk. YMMV. The module is not enabled in Modules.conf by default; it is probably best suited to targeted collection.