Baltimore Spring 2017

Baltimore, MD | Mon, Apr 24 - Sat, Apr 29, 2017

Real World Enterprise Incident Response w/ Kansa

  • Robert Adams, Master's Degree Candidate
  • Tuesday, April 25th, 8:15pm - 8:55pm

Thanks to its nearly universal availability and tools like Empire and PowerSploit, attackers are increasingly adopting PowerShell to move around corporate networks; shouldn't your defenders have tools to help them leverage the same benefits when hunting them?

Kansa is an open-source incident response framework, written in PowerShell, designed to empower blue teamers to expedite response efforts. The framework provides a platform to collect forensic data from multiple machines across your environment in parallel, and the included modules cover many of the most common artifacts left behind by initial compromise, lateral movement, persistence, staging, and exfiltration. It is also infinitely customizable and extensible to meet the needs of a specific investigation, since the entire tool is open source and written in PowerShell. This talk will touch on the basic architecture of Kansa, then dive into specific case studies detailing its use in both workstation and datacenter environments.

Speaker Bio: Robert is a Security Analyst at Microsoft. He is extraordinarily passionate about automation, and loves tackling complex problems with a variety of tools, including PowerShell. Robert's career was jump-started in 2006 when he joined the Navy as a Cryptologic Technician. Robert is a Master's Degree candidate in SANS Technology Institute's Information Security Engineering program. He holds a number of industry certifications, including the CISSP, GSEC, GCIA, GCIH, and GPEN.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
  • Master's Degree Presentation: Presentations given by SANS Technology Institute's Master's Degree candidates.

Monday, April 24

| Session | Speaker | Time | Type |
| --- | --- | --- | --- |
| General Session - Welcome to SANS | Bryan Simon | Monday, April 24th, 8:00am - 8:30am | Special Events |
| Exploitation 101: Stacks, NX/DEP, ASLR and ROP! | David Hoelzer | Monday, April 24th, 7:15pm - 9:15pm | Keynote |

Tuesday, April 25

| Session | Speaker | Time | Type |
| --- | --- | --- | --- |
| Steganography - The Hidden Threat | Kevin Fiscus | Tuesday, April 25th, 7:15pm - 8:15pm | SANS@Night |
| Security Configuration at Scale - An Introduction to Ansible | Patrick Neise, Master's Degree Candidate | Tuesday, April 25th, 7:15pm - 7:55pm | Master's Degree Presentation |
| Real World Enterprise Incident Response w/ Kansa | Robert Adams, Master's Degree Candidate | Tuesday, April 25th, 8:15pm - 8:55pm | Master's Degree Presentation |

Wednesday, April 26

| Session | Speaker | Time | Type |
| --- | --- | --- | --- |
| (Am)Cache Rules Everything Around Me | Eric Zimmerman | Wednesday, April 26th, 7:15pm - 8:15pm | SANS@Night |
| Securing the Enterprise with Cyber Threat Hunting | Michael C. Long, Master's Degree Candidate | Wednesday, April 26th, 8:15pm - 8:55pm | Master's Degree Presentation |

Thursday, April 27

| Session | Speaker | Time | Type |
| --- | --- | --- | --- |
| The Node Situation | Moses Hernandez | Thursday, April 27th, 7:15pm - 8:15pm | SANS@Night |