Kansa: A PowerShell-based incident response framework

If you follow information security, you know that information systems are constantly under attack and often fall victim to adversaries looking to make a quick buck, gain competitive advantage through theft of intellectual property, or embarrass a target that they find politically or ideologically offensive.

In many enterprises, computer security incident response (IR) teams exist to respond to these threats, and these teams nearly always spring into action with very limited knowledge about the incidents they are investigating.

Maybe the incident started because someone noticed an account added to the domain administrators group. How did the account get there? How long has it been there? What has it been used for and by whom?

In the early going, the investigative focus may be narrow (the known victim machine), but the scope often quickly expands. Investigators may need to gather data from many or even all machines within a given domain or other security boundary to look for indicators of compromise or anomalous activity.

Readers of PowerShell Magazine understand that PowerShell can provide much of this capability for Windows systems.

Disclaimer

At this point, I should provide the following disclaimer: This article is solely representative of the views and opinions of the author, Dave Hull, and is not intended to state or reflect those of Microsoft Corporation, the author's employer. This article is not endorsed by Microsoft.