OpenPhalanX is a comprehensive toolkit designed to secure remote systems. Whether you're an IT professional seeking to automate system tasks, or a cybersecurity specialist handling incident response, OpenPhalanX offers an array of features to streamline your operations. This project is primarily written in PowerShell and I believe this is possibly the most beginner friendly language to work with. I hope it helps everyone feel comfortable digging into the code to understand how it works and how you might modify it to fit any of your needs.

• Installation

• API Keys Configuration

• Features

• Usage

• Resources

  • Core Components & Tools
  • Command Analysis
  • Process Analysis
  • Service Analysis
  • Tasks Analysis
  • WMI Analysis
  • General Persistence
  • Prefetch and Execution Analysis
  • PowerShell History Analysis
  • Network Traffic Analysis
  • Network Share Analysis
  • Browser History Analysis
  • File Analysis
  • USN Journal Analysis
  • Magic Number Analysis
  • General Resources

• Contribute

• Contact

• License

To install OpenPhalanX on a Windows host, you will need to execute a PowerShell script called "Deploy_Phalanx_Formation.ps1". Follow the steps below to install using Visual Studio Code (VSCode):

1. Clone the OpenPhalanX repository from GitHub to your local machine.

2. Open Visual Studio Code.

3. Navigate to the OpenPhalanX project directory using the File Explorer in VSCode.

4. Locate the script "Deploy_Phalanx_Formation.ps1" using the File Explorer and click on it to open.

5. With "Deploy_Phalanx_Formation.ps1" open in the editor, go to the Terminal menu and select "Run Active File". This will execute the installation script in the Terminal window.

   You will need the requisite permissions within AD to force a password reset, disable, or enable an account. You also need to have admin rights and powershell remoting must be enabled on the remote host.

   You will also need the ActiveDirectory powershell module. This module is part of RSAT and can be enabled by follow the instructions here - https://learn.microsoft.com/en-US/troubleshoot/windows-server/system-management-components/remote-server-administration-tools

OpenPhalanX utilizes several APIs to facilitate its operations, each of which require API keys. These keys should be added to the locations specified in the API_Keys&Extensions.txt file.

This repository has a directory titled "Integrations" which contains additional file submission python helpers and button click code. I do not have an api key for all of these integrations and the code you select may not have been tested.

Comment out any api queries you want to exclude from the prompts for Get Intel and Sandbox URL/Retrieve Report. Add any api's you wish to query as needed(email mwhatter@openphalanx for assistance).

File submissions to sandboxes should be done with reverence to the potentially sensitive data within the sample being detonated. The default file sandbox integration with OpenPhalanX is Anomali's API with specification to use their integration with VMRay. I highly recommend using either a private account with one of the provided integration examples or standing up a private instance of Cuckoo.

You are responsible for complying with any API provider's usage requirements for your situation.

OpenPhalanX offers an array of features designed to facilitate remote system management, monitoring, and security.

For a comprehensive list of features, please refer to the "?" button within Defending_Off_the_Land.ps1.

For tooltips, hover over each button.

After installation, you can run the Defending_Off_the_Land.ps1 script through VSCode. Here's how you can do this:

1. Open Visual Studio Code.

2. Navigate to the OpenPhalanX project directory using the File Explorer in VSCode.

3. Locate the script "Defending_Off_the_Land.ps1" using the File Explorer and click on it to open.

4. With "Defending_Off_the_Land.ps1" open in the editor, go to the Terminal menu and select "Run Active File". This will execute the script in the Terminal window.

Follow the instructions provided within the script for each feature.

Example workflow: Enter remote computer name; run RapidTriage; run WinEventalyzer; run Intelligazer; investigate indicators; run ProcAsso; investigate execution chain.

This project integrates or is inspired by a number of other projects and resources. Here are some that may help you better understand the mechanics, provide further insight or could be useful for other related purposes:

• OpenPhalanX Repository
• Visual Studio Code
• Python Official Site
• Olaf Hartong's Sysmon configuration
• DeepBlueCLI
• Hayabusa

• Command Analysis Datasource
• Command Line Analysis

• Process Analysis Datasource
• Windows Processes Memory Forensics

• Service Analysis Datasource
• Windows Services Analysis
• Finding Hidden Windows Services

• Tasks Analysis Datasource
• Behavior Analysis Task Scheduler
• Scheduled Task Analysis

• WMI Analysis Datasource
• WMI Forensics Writeup

• Persistence Cheatsheet

• TrustedSec Prefetch Blog
• Prefetch Forensics
• Windows Forensics Execution

• PowerShell Command History Forensics

• Network Traffic Analysis Datasource
• Network Traffic Analysis for IR Connection Analysis

• Network Share Analysis Datasource

• Browser Artifacts Forensics

• File Analysis Datasource
• Metadata Forensics

• USN Journal Extraction for Efficient Investigation
• Advanced USN Journal Forensics

• What is Magic Number
• Core of Digital Forensics - Magic Numbers
• MagnumDB

• Everything Cheatsheet
• Defensive TTP Map

Contributions are always welcome! If you're interested in enhancing OpenPhalanX, please see our contributing guidelines.

Special thanks to creators of other projects that help make OpenPhalanX what it is:

• Eric Zimmerman
• Yamato Security
• Eric Conrad

For any questions, feedback, or suggestions, please reach out to [email protected].

OpenPhalanX is licensed under GPL-3.0 License. Refer to the LICENSE file for more details.