Kansa is a pretty awesome PowerShell-based threat hunting tool. Since it's written in PowerShell, you'd think that would relegate you to a Windows environment. That's where you'd be wrong, kiddo *finger guns*. Newer versions of PowerShell have SSH mechanisms: there's Posh-SSH, the SSH subsystem in PowerShell Core, as well as at least one commercial option I've seen. What if you're stuck on an older version of PowerShell?
Well, there's PLink, a.k.a. PuTTY Link. You may be familiar with PuTTY as an SSH client for interactive sessions with remote *nix systems. PLink is the member of the PuTTY suite meant for task automation. So, in the same way that Kansa establishes a remote PSSession and collects the data, you can do the same with PLink.
Below is a sample cmdlet for collecting Linux process information. Before running the script, you build a credential object
Then pass it in as the value of the -Credentials parameter
Instead of cleaning up the data in PowerShell once PLink returns it, I format the Linux command to return the data as CSV, since PowerShell handles CSV natively. This may not seem like a big deal, but when you're running this through Kansa against hundreds or even thousands of hosts, pushing that parsing work out to the endpoints has a significant impact on runtime.
Once the data is received, we pass it to ConvertFrom-CSV, store those results, and append the collection timestamp along with the hostname.
USER         : root
PPID         : 1
PID          : 3108
ELAPSED      : 82-08:36:38
COMMAND      : /usr/sbin/vmtoolsd
TIMESTAMP    : 6/3/2018 7:50:30 AM
COMPUTERNAME : ubuntutestbox

USER         : root
PPID         : 1
PID          : 5222
ELAPSED      : 82-08:36:38
COMMAND      : /usr/sbin/sshd
TIMESTAMP    : 6/3/2018 7:50:30 AM
COMPUTERNAME : ubuntutestbox
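As an added example (my own code, not the post's cmdlet), here is one way to wire this up end to end: PLink runs a ps listing, awk on the Linux side emits the CSV, and ConvertFrom-Csv plus Add-Member produce objects with the same properties as the output above. It assumes plink.exe is on PATH, that the caller has already built a PSCredential with Get-Credential, and it names the parameter -Credential rather than -Credentials.

```powershell
# Added example, not the original post's cmdlet. Assumes plink.exe is on PATH
# and that $Credential was built beforehand (Get-Credential).
function Get-LinuxProcessViaPlink {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        # Expected host key fingerprint; pinning it lets -batch run unattended
        # without ever accepting an unknown key.
        [string]$HostKey
    )

    # The remote side emits CSV. 'args' may contain spaces and quotes, so
    # fields 5..NF are re-joined and embedded quotes are doubled, CSV-style.
    $remoteScript = @'
ps -eo user,ppid,pid,etime,args --no-headers | awk '
BEGIN { print "USER,PPID,PID,ELAPSED,COMMAND" }
{
  cmd = $5
  for (i = 6; i <= NF; i++) cmd = cmd " " $i
  gsub(/"/, "\"\"", cmd)
  printf "%s,%s,%s,%s,\"%s\"\n", $1, $2, $3, $4, cmd
}'
'@

    # -m reads the command from a local file, sidestepping Windows quoting of
    # the awk program. CRs are stripped so the remote shell sees LF line ends.
    $scriptFile = [System.IO.Path]::GetTempFileName()
    try {
        [System.IO.File]::WriteAllText($scriptFile, ($remoteScript -replace "`r", ""))
        # -pw puts the password on the command line (visible in process
        # listings); key auth via -i is preferable where it is available.
        $plinkArgs = @('-ssh', '-batch', '-l', $Credential.UserName,
                       '-pw', $Credential.GetNetworkCredential().Password)
        if ($HostKey) { $plinkArgs += @('-hostkey', $HostKey) }
        $plinkArgs += @('-m', $scriptFile, $ComputerName)
        $raw = & plink.exe @plinkArgs
        if ($LASTEXITCODE -ne 0) {
            throw "plink failed against $ComputerName (exit code $LASTEXITCODE)"
        }
        # Same shape as the post's output: CSV rows plus collection metadata.
        $stamp = Get-Date
        $raw | ConvertFrom-Csv | ForEach-Object {
            $_ | Add-Member -MemberType NoteProperty -Name TIMESTAMP -Value $stamp -PassThru |
                 Add-Member -MemberType NoteProperty -Name COMPUTERNAME -Value $ComputerName -PassThru
        }
    }
    finally { Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue }
}
```

Call it as `Get-LinuxProcessViaPlink -ComputerName ubuntutestbox -Credential $cred -HostKey '<fingerprint>'`; without -HostKey, -batch makes PLink refuse hosts whose key is not already cached, which is the safe failure mode for an unattended sweep.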
That's it! All it takes is building out the bash syntax to suck out the data you want.