A semi-automated tool set for Windows live forensics and endpoint security interventions

mwhatter/OpenPhalanX

OpenPhalanX: No one stands alone

OpenPhalanX is a comprehensive toolkit for securing remote Windows systems. Whether you're an IT professional looking to automate system tasks or a cybersecurity specialist handling incident response, OpenPhalanX offers an array of features to streamline your operations. The project is written primarily in PowerShell, which I believe is one of the most beginner-friendly languages to work with. I hope that makes everyone comfortable digging into the code to understand how it works and how to modify it to fit your own needs.

Installation

To install OpenPhalanX on a Windows host, you will need to execute a PowerShell script called "Deploy_Phalanx_Formation.ps1". Follow the steps below to install using Visual Studio Code (VSCode):

  1. Clone the OpenPhalanX repository from GitHub to your local machine.

  2. Open Visual Studio Code.

  3. Navigate to the OpenPhalanX project directory using the File Explorer in VSCode.

  4. Locate the script "Deploy_Phalanx_Formation.ps1" using the File Explorer and click on it to open.

  5. With "Deploy_Phalanx_Formation.ps1" open in the editor, go to the Terminal menu and select "Run Active File". This will execute the installation script in the Terminal window.

    You will need the requisite permissions within Active Directory to force a password reset or to disable or enable an account. You also need admin rights, and PowerShell remoting must be enabled on the remote host.

    You will also need the ActiveDirectory PowerShell module. This module is part of RSAT and can be enabled by following the instructions here - https://learn.microsoft.com/en-US/troubleshoot/windows-server/system-management-components/remote-server-administration-tools
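The prerequisites above (admin rights, the ActiveDirectory RSAT module, and PowerShell remoting on the target) are the things that most often fail silently on a first run. The following is an added example, not code from the OpenPhalanX repository, that checks each of them before you launch the deployment or triage scripts. The function name `Test-PhalanxPrerequisites`, its parameter, and the placeholder host name `WS-EXAMPLE-01` are this example's own choices; the cmdlets it calls (`Test-WSMan`, `Invoke-Command`, `Get-Module`, `Get-ADUser`) are standard Windows PowerShell.

```powershell
# Added example (not part of OpenPhalanX): pre-flight check for the README's
# stated requirements. Function and parameter names are assumptions of this
# example; 'WS-EXAMPLE-01' below is a placeholder host name.
function Test-PhalanxPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName
    )

    $results = [ordered]@{}

    # 1. Is this shell running elevated? The README requires admin rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $results['LocalAdmin'] = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Is the ActiveDirectory (RSAT) module installed for this host?
    $results['ActiveDirectoryModule'] =
        [bool](Get-Module -ListAvailable -Name ActiveDirectory)

    # 3. Does the target answer on WinRM? Test-WSMan only talks to the listener;
    #    it runs nothing on the remote host.
    try {
        $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $results['WinRMReachable'] = $true
    } catch {
        $results['WinRMReachable'] = $false
    }

    # 4. Is this account authorised to open a remoting session? A listener that
    #    answers is not the same as being allowed to run commands, so prove it
    #    with a harmless Invoke-Command.
    $results['RemotingAuthorised'] = $false
    if ($results['WinRMReachable']) {
        try {
            $null = Invoke-Command -ComputerName $ComputerName `
                -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop
            $results['RemotingAuthorised'] = $true
        } catch {
            $results['RemotingAuthorised'] = $false
        }
    }

    # 5. Can the AD module reach a domain controller and read the current user?
    #    This is the minimum required before any reset/disable/enable can work.
    #    Write permissions on target accounts are NOT verified here.
    $results['ADReachable'] = $false
    if ($results['ActiveDirectoryModule']) {
        try {
            Import-Module ActiveDirectory -ErrorAction Stop
            $null = Get-ADUser -Identity $env:USERNAME -ErrorAction Stop
            $results['ADReachable'] = $true
        } catch {
            $results['ADReachable'] = $false
        }
    }

    [pscustomobject]$results
}

# Usage (replace the placeholder host name with a real one):
Test-PhalanxPrerequisites -ComputerName 'WS-EXAMPLE-01' | Format-List
```

Any `False` in the output points at the prerequisite to fix before running Deploy_Phalanx_Formation.ps1 or Defending_Off_the_Land.ps1. Note that step 5 only confirms the module can read from a domain controller; whether your account may actually modify a given user is decided by the ACL on that object and will only surface when the action runs.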

API Keys Configuration

OpenPhalanX utilizes several APIs to facilitate its operations, each of which requires an API key. These keys should be added to the locations specified in the API_Keys&Extensions.txt file.

This repository has a directory titled "Integrations" which contains additional file submission Python helpers and button click code. I do not have an API key for all of these integrations, and the code you select may not have been tested.

Comment out any API queries you want to exclude from the prompts for Get Intel and Sandbox URL/Retrieve Report. Add any APIs you wish to query as needed (email mwhatter@openphalanx.com for assistance).

File submissions to sandboxes should be done with regard to the potentially sensitive data within the sample being detonated: a file pulled from a compromised host can contain credentials, internal hostnames or customer data, and a shared sandbox may expose the sample and its report to other tenants. The default file sandbox integration with OpenPhalanX is Anomali's API, configured to use their integration with VMRay. I highly recommend using either a private account with one of the provided integration examples or standing up a private instance of Cuckoo.

You are responsible for complying with any API provider's usage requirements for your situation.

Features

OpenPhalanX offers an array of features designed to facilitate remote system management, monitoring, and security.

For a comprehensive list of features, please refer to the "?" button within Defending_Off_the_Land.ps1.

For tooltips, hover over each button.

Usage

After installation, you can run the Defending_Off_the_Land.ps1 script through VSCode. Here's how you can do this:

  1. Open Visual Studio Code.

  2. Navigate to the OpenPhalanX project directory using the File Explorer in VSCode.

  3. Locate the script "Defending_Off_the_Land.ps1" using the File Explorer and click on it to open.

  4. With "Defending_Off_the_Land.ps1" open in the editor, go to the Terminal menu and select "Run Active File". This will execute the script in the Terminal window.

Follow the instructions provided within the script for each feature.

Example workflow: Enter remote computer name; run RapidTriage; run WinEventalyzer; run Intelligazer; investigate indicators; run ProcAsso; investigate execution chain.

Resources

This project integrates or is inspired by a number of other projects and resources. Here are some that may help you better understand the mechanics, provide further insight or could be useful for other related purposes:

Core Components & Tools

Command Analysis

Process Analysis

Service Analysis

Tasks Analysis

WMI Analysis

General Persistence

Prefetch and Execution Analysis

PowerShell History Analysis

Network Traffic Analysis

Network Share Analysis

Browser History Analysis

File Analysis

USN Journal Analysis

Magic Number Analysis

General Resources

Contribute

Contributions are always welcome! If you're interested in enhancing OpenPhalanX, please see our contributing guidelines.

Special thanks to creators of other projects that help make OpenPhalanX what it is:

Contact

For any questions, feedback, or suggestions, please reach out to mwhatter@openphalanx.com.

License

OpenPhalanX is licensed under the GPL-3.0 License. Refer to the LICENSE file for more details.
