ARTHIR: ATT&CK Remote Threat Hunting Incident Response
ATT&CK Remote Threat Hunting Incident Response
ATT&CK Remote Threat Hunting Incident Response (ARTHIR) is an update to the popular KANSA framework. ARTHIR works differently than KANSA in that you can create output with your ARTHIR module and then the results are pulled back to the launching host. KANSA only pulled console output back which limited its capabilities. KANSA was unable to execute binary utilities and tools such as LOGMD remotely and pull reports back. ARTHIR can run scripts as KANSA does, but also binary utilities and tools, making ARTHIR much more flexible than KANSA.
KANSA is a modular incident response framework in Powershell to remotely run various PowerShell commands on a remote system to investigate a suspect system. The KANSA project is no longer maintained by the creator Dave Hull, but is still used and updated by some users.
ARTHIR was created to provide a solution that can push out, run, and pull back LOG-MD-Pro reports, (or any other tool, script or binary you might like to use) while doing investigations.
Templates have been provided for scripts, binary utilities and tools, tasks, and Zip archives so that you may use it and create your own solutions.
ARTHIR provides a modular approach that allows users to run existing PowerShell modules included with ARTHIR, create their own, or as in our case push, run, and retrieve LOG-MD-Pro and retrieve the reports. The modular nature of ARTHIR allows you to run a single module (aka PowerShell script), push and run a binary, execute one or many modules using the modules.conf file. For our purposes modifications to the core KANSA script was required and the changes extensive. We have provided modules that allow you to run all the features of LOG-MD-Pro and retrieve the results.
git clone https://github.com/MalwareArchaeology/ARTHIR.git
Copyright (C) 2019 MalwareArchaeology