ARTHIR

ATT&CK Remote Threat Hunting Incident Response (ARTHIR) is a modular incident response framework in PowerShell that uses Windows Remote Management (WinRM). It works with Windows PowerShell v2 through v5, Windows 10 PowerShell v5, and all equivalent server versions. You must use cmdlets, functions, or scripts that are compatible with the version of PowerShell installed on the remote host, or use the older form of the functions so that a module works with all PowerShell versions. Another goal of the project is to map your ARTHIR modules to the ATT&CK framework so that you can respond and hunt based on the techniques in the MITRE ATT&CK framework.

ARTHIR is a fork of the Kansa project by Dave Hull that has not had much movement or updates in the past couple of years and can be found on GitHub here:

ARTHIR is a change and improvement to the original Kansa project that allows for non-PowerShell modules to be used that produce file output, not just PowerShell console output.

ARTHIR is being released openly so that others may use it to remotely execute PowerShell scripts, and now also binaries, tools, utilities, or other scripts, on a system and pull the actual output back to the launching host, such as the .CSV and .TXT results that LOG-MD and other utilities produce.

Use for Incident Response and Investigations

ARTHIR is intended as an Incident Response and Investigation tool. With the scheduled task modules, ARTHIR can also be used to configure a task to run regularly, such as LOG-MD Autoruns. ARTHIR can also be used to hunt for various artifacts or Indicators of Compromise (IOCs), since you can write PowerShell scripts to look for a file, folder, registry key, IP address in a log, or whatever else you can come up with. ARTHIR can also be used as a remote configuration tool by Help Desk, IT, and Security professionals.

Changes over the original Kansa

You will need to direct all output of your scripts to a file that you then specify in the DOWNLOAD Directive the name(s) you want to pull back. Wildcards are supported.

The DOWNLOAD Directive

The new DOWNLOAD directive allows you to run any utility remotely and pull back the output file(s) that the utility, script, or tool creates. This was not possible with the original Kansa.

Time the module takes to run

The start time and end time of each module are now displayed on the launching host so that you know how long a module took to run, for better planning in the future.

Console output

You will need to redirect all output of the original Kansa modules to a file rather than the console, using either Out-File or Export-Csv, and then specify the file name(s) to be retrieved with the DOWNLOAD directive. Examples of redirecting older Kansa modules to output to a file, with or without variables:

  • | Export-Csv -Path $OutputDir\My_Report.csv -NoTypeInformation

  • | Export-Csv -Path C:\Temp\My_Report.csv -NoTypeInformation

  • | Format-Table -AutoSize -Wrap | Out-File -FilePath $logmdOutputDir\Report_PS_LOG-MD-API-Settings.txt

  • | Out-File -FilePath $OutputDir\Report_PS_LOG-MD-API-Settings.txt
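The following is an added example, not one of ARTHIR's or Kansa's own modules, showing how an older Kansa-style module that printed to the console is rewritten so its results land in a file under the per-host output directory and are then retrieved. It assumes $OutputDir is set by the ARTHIR launcher (as the examples above use it) and that the DOWNLOAD directive is written as a "# DOWNLOAD <pattern>" comment at the top of the module; confirm the exact directive syntax against the ARTHIR template.

```powershell
# Added example module, not part of ARTHIR or Kansa.
# Assumption: $OutputDir is the per-host output directory provided by the launcher.
# Assumption: the DOWNLOAD directive takes the form of the comment below; the
# wildcard pattern lets the launcher pull back both report files.
#
# DOWNLOAD Report_Services_*

# Build per-host report names so results from many hosts do not collide.
$ReportCsv = Join-Path $OutputDir ("Report_Services_{0}.csv" -f $env:COMPUTERNAME)
$ReportTxt = Join-Path $OutputDir ("Report_Services_{0}.txt" -f $env:COMPUTERNAME)

if (-not (Test-Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}

# Original Kansa-style module body: enumerate services. Get-WmiObject is used
# (rather than Get-CimInstance) so the module runs on PowerShell v2 through v5.
$services = Get-WmiObject -Class Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName

# Structured output for a SIEM or spreadsheet: Export-Csv instead of the console.
$services | Export-Csv -Path $ReportCsv -NoTypeInformation

# Human-readable output for a quick review: Format-Table piped to Out-File.
$services |
    Format-Table -AutoSize -Wrap |
    Out-File -FilePath $ReportTxt
```

The only changes from a console-only Kansa module are the two redirections at the end and the directive comment at the top; the collection logic itself is untouched, which is the pattern to follow when converting the rest of the original modules.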

LOG-MD-Professional modules

As a part of the LOG-MD-Pro purchase, all LOG-MD-Pro ARTHIR modules will be provided as a part of the software and not posted publicly.

LOG-MD-Free Edition modules

A couple LOG-MD-Free Edition ARTHIR modules are listed below for your use and as an example of what can now be done, and to use as a template for other utilities you might want to run remotely.

Limitations

Original Kansa modules work, but need output to file added

The original Kansa modules from the GitHub repository above will work with ARTHIR, but each needs a simple redirection added to capture the command's output to a file, plus the DOWNLOAD directive to retrieve that output. See above for output examples, and below for a template and examples in the LOG-MD Free Edition ARTHIR modules.

File size that you can push to a remote host

WinRM limits the size of a file you can push to a remote host to 52MB, so you must zip or archive large files, or split them up, to get them onto a remote host. See the item below for a note on archive expansion.

PowerShell cmdlets, functions, or scripts

These must match the version of PowerShell running on the remote system or they will fail. Two examples we came across during the LOG-MD module effort are:

  • Expand-Archive - Only works in Win 8 and later with PowerShell version 4 & 5. You must use the older method of extracting zip files if you want modules to be compatible with all versions of Windows and the PowerShell version on them.

  • Get-ScheduledTask - Only works in Win 8 and later with PowerShell version 4 & 5. You must use the older method of listing scheduled tasks if you want modules to be compatible with all versions of Windows and the PowerShell version on them.
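Both compatibility cases above can be handled in one module by testing for the newer cmdlet on the remote host and falling back to the older method when it is absent. The following is an added example written for this page, not ARTHIR's or LOG-MD's own code. It assumes $ZipPath, $Destination and $OutputDir are supplied by the caller and that the DOWNLOAD directive is written as a "# DOWNLOAD <pattern>" comment; the older methods used are the Shell.Application COM object for zip extraction and schtasks.exe for task listing, both available on every Windows version ARTHIR targets regardless of the PowerShell version.

```powershell
# Added example, not part of ARTHIR. Runs on PowerShell v2 through v5.
# Assumption: $ZipPath, $Destination and $OutputDir are set by the caller.
# Assumption: the DOWNLOAD directive takes the form of the comment below.
#
# DOWNLOAD Report_Tasks_*.csv

function Expand-ZipCompat {
    param([string]$ZipPath, [string]$Destination)

    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }

    if (Get-Command Expand-Archive -ErrorAction SilentlyContinue) {
        # Newer PowerShell: the cmdlet exists, use it directly.
        Expand-Archive -Path $ZipPath -DestinationPath $Destination -Force
    } else {
        # Older method: Shell.Application COM object, which works on any
        # Windows version independent of the PowerShell version.
        $shell = New-Object -ComObject Shell.Application
        $zip   = $shell.NameSpace((Resolve-Path $ZipPath).Path)
        $dest  = $shell.NameSpace((Resolve-Path $Destination).Path)
        # 0x4 = no progress dialog, 0x10 = overwrite without prompting
        $dest.CopyHere($zip.Items(), 0x14)
    }
}

function Get-ScheduledTaskCompat {
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        # Newer PowerShell: one object per task, with its actions flattened
        # into a single string so it exports cleanly to CSV.
        Get-ScheduledTask | Select-Object TaskName, TaskPath, State,
            @{ n = 'Action'; e = {
                ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            } }
    } else {
        # Older method: schtasks.exe verbose CSV output parsed into objects.
        # schtasks repeats its header line per task folder, so those rows are
        # dropped before the result is exported.
        schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' } |
            Select-Object TaskName, Status, 'Task To Run', 'Run As User', 'Next Run Time'
    }
}

# Module body: expand the pushed archive (if any), then write the task list
# to a per-host report file for the DOWNLOAD directive to retrieve.
if ($ZipPath -and (Test-Path $ZipPath)) {
    Expand-ZipCompat -ZipPath $ZipPath -Destination $Destination
}

$ReportFile = Join-Path $OutputDir ("Report_Tasks_{0}.csv" -f $env:COMPUTERNAME)
Get-ScheduledTaskCompat | Export-Csv -Path $ReportFile -NoTypeInformation
```

The two branches return differently named columns, which is worth keeping in mind when the results from a mixed fleet are merged on the launching host; testing for the cmdlet with Get-Command rather than checking $PSVersionTable avoids hard-coding which Windows build shipped which cmdlet.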

ARTHIR Main Package

Below is where you will find the main ARTHIR PowerShell script, the required directories, and the original Kansa modules. Start with this and add the modules we provide below.

LOG-MD Free ARTHIR Edition Modules

  1. Get-LOG-MD-Autoruns.ps1 - Will launch “LOG-MD -ar” and retrieve the results

  2. Get-LOG-MD-Daily-Logs.ps1 - Will launch “LOG-MD -1” and retrieve the results

  3. A template - This can be used for any modules you would like to create or convert the older Kansa modules with.

LOG-MD-Professional Modules

The following is provided to all subscribers of LOG-MD-Professional:

  1. The ARTHIR User Guide - How to setup, test and use WinRM and ARTHIR

  2. A template - This can be used for any modules you would like to create or convert the older Kansa modules with.

  3. LOG-MD-Pro Scheduled Task modules

  • Schedule several LOG-MD-Pro features to run hourly or daily

  • Output from these can be collected by a logging solution such as Humio, Splunk, ELK, etc. and used as a detection and hunting solution

  4. LOG-MD-Pro ARTHIR modules

  • Get-LOG-MD-API-Settings.ps1

  • Get-LOG-MD-Pro_1_Configs.ps1

  • Get-LOG-MD-Pro_2_Configs_Registry.ps1

  • Get-LOG-MD-Pro_3_Configs_Hash.ps1

  • Get-Log-MD-Pro_Audit_Log_Cfg.ps1

  • Get-Log-MD-Pro_AutoRuns.ps1

  • Get-Log-MD-Pro_AutoRuns_VirusTotal.ps1

  • Get-Log-MD-Pro_AutoRuns_WMI.ps1

  • Get-Log-MD-Pro_Hash_Baseline.ps1

  • Get-Log-MD-Pro_Hash_Compare.ps1

  • Get-Log-MD-Pro_Logs_1_Day.ps1

  • Get-Log-MD-Pro_Logs_1_Day_WhoIS.ps1

  • Get-Log-MD-Pro_Logs_2_Days.ps1

  • Get-Log-MD-Pro_Logs_2_Days_WhoIS.ps1

  • Get-Log-MD-Pro_Logs_3_Days.ps1

  • Get-Log-MD-Pro_Logs_3_Days_WhoIS.ps1

  • Get-Log-MD-Pro_Logs_4_Days.ps1

  • Get-Log-MD-Pro_Logs_4_Days_WhoIS.ps1

  • Get-Log-MD-Pro_Logs_5_Days.ps1

  • Get-Log-MD-Pro_Logs_5_Days_WhoIS.ps1

  • Get-Log-MD-Pro_Logs_6_Days.ps1

  • Get-Log-MD-Pro_Logs_6_Days_WhoIS.ps1

  • Get-Log-MD-Pro_Logs_7_Days.ps1

  • Get-Log-MD-Pro_Logs_7_Days_WhoIS.ps1

  • Get-Log-MD-Pro_Logs_99_Days.ps1

  • Get-Log-MD-Pro_Logs_99_Days_WhoIS.ps1

  • Get-Log-MD-Pro_PS_Logs_1_Day.ps1

  • Get-Log-MD-Pro_PS_Logs_2_Days.ps1

  • Get-Log-MD-Pro_PS_Logs_3_Days.ps1

  • Get-Log-MD-Pro_PS_Logs_4_Days.ps1

  • Get-Log-MD-Pro_PS_Logs_5_Days.ps1

  • Get-Log-MD-Pro_PS_Logs_6_Days.ps1

  • Get-Log-MD-Pro_PS_Logs_7_Days.ps1

  • Get-Log-MD-Pro_PS_Logs_99_Days.ps1

  • Get-Log-MD-Pro_Reg_Baseline.ps1

  • Get-Log-MD-Pro_Reg_Compare.ps1

  • Get-Log-MD-Pro_Reg_Large_Keys.ps1

  • Get-Log-MD-Pro_Running_Processes.ps1

  • Get-Log-MD-Pro_Running_Processes_VirusTotal.ps1

  • Get-Log-MD-Pro_SRUM.ps1

  • Get-Log-MD-Pro_z_Cleanup_All.ps1

  • Get-Log-MD-Pro_z_Cleanup_Reports.ps1

  • Get-Name_OS.ps1

REFERENCES

The following are references to several Kansa-related articles.