Incident Response

Using Kansa Framework to detect and respond to Incident of Compromise$($ IOC$)$

Using VM machine

Step$1$: start PowerShell$-$ in the search bar, type PowerShell, right click, and run it as admin, click yes

Step$2$: Change directory to Kansa

Step$3$: Change directory to Modules and

Step$4$: Exploring Kansa Modules

Q$1(20$p$)$: Using ASEP module $($cd to ASEP$),$

$-$ Display and list all services presents in the system

$-$ display and list all scheduled tasks in the system.

Q$2(10$p$)$: Using Config module $($cd to Config$),$

$-$ display and list the local admins in your VM$.$

Q$3(10$p$)$: Using Disk module $($cd to Disk$)$

$-$ display and list the template directories in your VM $($malware usually live here$).$

Q$4(10$p$)$: Using Log module $($cd to Log$)$

$-$ display and list the users accounts and the binary they executed in your VM

Step$5$: Run Kansa

You first need to cd back to Kansa directory, and we will use kansa.ps$1$

Running this command:

$-$ it will produce CSV files and they will be stored in a directory name start with output$\_$

Q$1(10$p$)$: Include your screenshots for CSV files here:

$-$ Using the Timeline Explorer tool, open one of the CSV files. Some CSV file will not open, look for the ones that can be opened and open one of them.

Q$2(5$p$)$: List CSV files here: