forked from davehull/Kansa
ToDo
Kansa core:
Add a -Target argument that takes a single host as its target
Modules:
Can the non-log-related GUIDs (trigger subtypes other than ETW provider GUIDs) be resolved to human-readable values for Get-SvcTrigs.ps1?
Browser cache/history collector
Update the old Get-DNSCache method (parsing ipconfig /displaydns) so its output mimics Get-DNSClientCache output (not easy, but in progress)
Collector for common temp directory listings
NTUSER.DAT -> Environment -> TEMP and TMP (REG_EXPAND_SZ, by default %USERPROFILE%\AppData\Local\Temp) define each user's temp directories; read them unexpanded, otherwise %USERPROFILE% resolves to the collector's own profile
Get rid of xml output wherever possible
Get-Sigcheck -- multiple things to look for here
Get-File -- a module to acquire arbitrary files
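Added example for the Get-DNSCache item: a converter that turns the text of ipconfig /displaydns into objects with the same property names as Get-DnsClientCache (Entry, RecordName, RecordType, Status, Section, TimeToLive, DataLength, Data). This is not Kansa's module and not the project's code; the function name ConvertFrom-DisplayDnsOutput, the record-type table and the sample text below are this example's own choices, and the sample is constructed, not a real capture.

```powershell
# Added example, not part of Kansa. Parses `ipconfig /displaydns` text into
# Get-DnsClientCache-shaped objects so pre-Windows 8 hosts (no DnsClient module)
# can be analysed with the same queries as newer ones.
function ConvertFrom-DisplayDnsOutput {
    [CmdletBinding()]
    param(
        # Raw lines of `ipconfig /displaydns` output
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$InputObject
    )
    begin {
        # Numeric RR types as printed by ipconfig -> names Get-DnsClientCache shows
        $typeNames = @{ 1='A'; 2='NS'; 5='CNAME'; 6='SOA'; 12='PTR'; 15='MX'; 16='TXT'; 28='AAAA'; 33='SRV' }
        $lines = New-Object System.Collections.Generic.List[string]
    }
    process { foreach ($l in $InputObject) { $lines.Add($l) } }
    end {
        function New-CacheRecord ($Entry, $Name, $Status) {
            [ordered]@{ Entry=$Entry; RecordName=$Name; RecordType=$null; Status=$Status
                        Section=$null; TimeToLive=$null; DataLength=$null; Data=$null }
        }
        $entry  = $null   # cache entry name (the line printed above the dashes)
        $record = $null   # record currently being filled in
        for ($i = 0; $i -lt $lines.Count; $i++) {
            $line = $lines[$i].Trim()
            if (-not $line) { continue }
            # An entry header is a name followed by a line of dashes
            if ($i + 1 -lt $lines.Count -and $lines[$i + 1].Trim() -match '^-{10,}$') {
                if ($record) { [pscustomobject]$record; $record = $null }
                $entry = $line; $i++; continue
            }
            if (-not $entry) { continue }   # skips the "Windows IP Configuration" banner
            switch -Regex ($line) {
                '^Record Name[ .]*: (.+)$' {
                    if ($record) { [pscustomobject]$record }
                    $record = New-CacheRecord $entry $Matches[1] 'Success'; break
                }
                '^Record Type[ .]*: (\d+)$' {
                    $n = [int]$Matches[1]
                    $record.RecordType = if ($typeNames.ContainsKey($n)) { $typeNames[$n] } else { $n }
                    break
                }
                '^Time To Live[ .]*: (\d+)$' { $record.TimeToLive = [int]$Matches[1]; break }
                '^Data Length[ .]*: (\d+)$'  { $record.DataLength = [int]$Matches[1]; break }
                '^Section[ .]*: (\w+)$'      { $record.Section = $Matches[1]; break }
                # "A (Host) Record", "CNAME Record", "PTR Record", "AAAA Record" ... : <data>
                '^.+ Record[ .]*: (.+)$'     { $record.Data = $Matches[1]; break }
                '^Name does not exist\.?$' {
                    # Negative cache entry: same NotExist status Get-DnsClientCache reports
                    if ($record) { [pscustomobject]$record }
                    $record = New-CacheRecord $entry $entry 'NotExist'; break
                }
                default {
                    # Any other message line (no "key : value") is kept verbatim as Status
                    if ($_ -notmatch ': ') {
                        if ($record) { [pscustomobject]$record }
                        $record = New-CacheRecord $entry $entry $_
                    }
                }
            }
        }
        if ($record) { [pscustomobject]$record }
    }
}

# Constructed sample of ipconfig /displaydns output (not a real capture), for a dry run.
$sample = @'
Windows IP Configuration

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 283
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 93.184.216.34


    bad.example.invalid
    ----------------------------------------
    Name does not exist.
'@ -split "`r?`n"

$sample | ConvertFrom-DisplayDnsOutput | Format-Table Entry, RecordName, RecordType, Status, TimeToLive, Data
```

On a live host the module would run `ipconfig /displaydns | ConvertFrom-DisplayDnsOutput`, or prefer the native cmdlet when `Get-Command Get-DnsClientCache` succeeds and fall back to this parser otherwise. SOA entries print extra fields (primary name server, serial and so on) that this converter ignores, as does Get-DnsClientCache's default view.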
Analysis:
Get-ProcessByAge.ps1
Get-ProcessStack.ps1
Get-NetstatProcessStack.ps1
AM-HealthStatus query
AM-InfectionStatus query
CBSlog query
Registry notes (keys of interest):
HKCU\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List (File1, File2, ...: consoles the user opened in mmc.exe)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders (REG_EXPAND_SZ; a Startup or Desktop entry pointing outside the profile is worth a look)
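Added example covering both the temp-directory collector item under Modules and the two keys of interest above. It is not a module shipped with Kansa; the first-line "# OUTPUT tsv" comment follows Kansa's convention for declaring a module's output format, but the function names (Get-UserHiveArtifact, Get-RawValue, Out-Artifact), the Kind labels and the flat record layout are this example's own choices. It must run elevated: for users who are not logged on it loads NTUSER.DAT under HKEY_USERS with reg.exe and unloads it afterwards, and it reads REG_EXPAND_SZ values unexpanded so %USERPROFILE% is resolved against the profile being examined rather than the collector's own.

```powershell
# OUTPUT tsv
# Added example, not a Kansa module. Per user profile on the host, emits flat
# records for: the user's TEMP/TMP directories and their contents, the MMC
# Recent File List, and User Shell Folders. Requires an elevated session.
function Get-UserHiveArtifact {
    [CmdletBinding()]
    param([int]$MaxTempEntries = 200)   # bound the per-user temp listing

    # Read a key's values raw: HKCU\Environment and User Shell Folders are
    # REG_EXPAND_SZ, and Get-ItemProperty would expand %USERPROFILE% as *us*.
    function Get-RawValue ([string]$Path) {
        $h = [ordered]@{}
        $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($n in $key.GetValueNames()) {
                $h[$n] = $key.GetValue($n, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            }
        }
        return $h
    }
    # One flat record per finding; nested objects do not survive TSV output
    function Out-Artifact ($Sid, $Profile, $Kind, $Name, $Value, $When = $null) {
        [pscustomobject]@{ SID=$Sid; ProfilePath=$Profile; Kind=$Kind; Name=$Name; Value=$Value; LastWriteTimeUtc=$When }
    }

    if (-not (Test-Path HKU:)) { $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS }
    $profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' }   # real accounts, not service SIDs

    foreach ($p in $profiles) {
        $sid = $p.PSChildName
        $profilePath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $p.PSPath).ProfileImagePath)
        $hiveKey = "HKU:\$sid"
        $loadedHere = $false
        if (-not (Test-Path $hiveKey)) {
            # User is not logged on: mount NTUSER.DAT ourselves, unload in finally
            $hiveFile = Join-Path $profilePath 'NTUSER.DAT'
            if (-not (Test-Path -LiteralPath $hiveFile)) { continue }
            $msg = & reg.exe load "HKU\$sid" $hiveFile 2>&1
            if ($LASTEXITCODE -ne 0) { Write-Warning "reg load failed for ${sid}: $msg"; continue }
            $loadedHere = $true
        }
        try {
            # NTUSER.DAT -> Environment -> TEMP / TMP define this user's temp directories
            $envRaw = Get-RawValue "$hiveKey\Environment"
            $tempDirs = @($envRaw['TEMP'], $envRaw['TMP']) | Where-Object { $_ } | ForEach-Object {
                [Environment]::ExpandEnvironmentVariables(($_ -replace '(?i)%USERPROFILE%', $profilePath))
            } | Select-Object -Unique
            foreach ($d in $tempDirs) {
                Out-Artifact $sid $profilePath 'TempDir' 'Path' $d
                if (Test-Path -LiteralPath $d) {
                    Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
                        Select-Object -First $MaxTempEntries | ForEach-Object {
                            Out-Artifact $sid $profilePath 'TempEntry' $_.Name $_.FullName $_.LastWriteTimeUtc
                        }
                }
            }
            # Consoles opened in mmc.exe: values File1, File2, ... under Recent File List
            $mmc = Get-RawValue "$hiveKey\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List"
            foreach ($n in $mmc.Keys | Where-Object { $_ -match '^File\d+$' }) {
                Out-Artifact $sid $profilePath 'MmcRecentFile' $n $mmc[$n]
            }
            # Special-folder redirections (Startup, Desktop, ...), raw so the
            # analyst sees exactly what the user's shell will expand
            $usf = Get-RawValue "$hiveKey\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
            foreach ($n in $usf.Keys) {
                Out-Artifact $sid $profilePath 'UserShellFolder' $n $usf[$n]
            }
        }
        finally {
            if ($loadedHere) {
                $envRaw = $mmc = $usf = $null
                [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release key handles or unload fails
                & reg.exe unload "HKU\$sid" | Out-Null
            }
        }
    }
}

Get-UserHiveArtifact
```

Because Kansa runs modules remotely and serialises what they return, every finding is a flat object with the same six properties, which is what keeps the output TSV-friendly instead of XML. The `reg.exe load` path has no read-only option, so the hive is mounted writable; this example only reads from it, but that is a caveat to keep in mind when preservation matters.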
Items below added while working offline with no network access, open them as issues when back online
Kansa Modules: rammap as a collector
Need Aaron Margosis' book on Sysinternals tools to figure out how to make sense of the data and exactly what rammap does
Kansa Modules: Investigate possibility of putting command line arguments for modules in the modules.conf file