Technical Library on Alfred van Ster

SecOps: SentinelOne Global Threat Scraper

Sat, 10 Jan 2026 11:00:00 +0000

When a new 0-day vulnerability or a suspicious file hash is identified, waiting for a scheduled scan is not an option. This PowerShell tool utilizes the SentinelOne Management API to “scrape” the entire fleet for specific indicators of compromise (IOCs).

1. The Workflow

The script performs the following steps:

Authentication: Connects via API Token to the S1 Management Console.
Query: Requests a list of all endpoints where a specific file hash or process has been detected in the last 24 hours.
Reporting: Generates a CSV list of infected Hostnames, IP addresses, and the “Detection State” (Mitigated vs. Active).

2. The Implementation

# S1 API Configuration
$ApiToken = "YOUR_API_TOKEN"
$BaseUrl = "[https://your-console.sentinelone.net/web/api/v2.1](https://your-console.sentinelone.net/web/api/v2.1)"
$Header = @{ "Authorization" = "Token $ApiToken" }

# Define the Threat Hash to hunt for
$TargetHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Search for the hash across the site
$Response = Invoke-RestMethod -Uri "$BaseUrl/threats?contentHashes=$TargetHash" -Method Get -Headers $Header

if ($Response.data) {
 Write-Host "ALERT: Threat detected on $($Response.data.count) endpoints!" -ForegroundColor Red
 $Response.data | Select-Object computerName, lastActiveDate, threatName | Export-Csv -Path "./ThreatReport.csv"
} else {
 Write-Host "Clear: No matches found for the target hash." -ForegroundColor Green
}

AD Automation: Inactive Account Reaper

Sat, 03 Jan 2026 09:00:00 +0000

Stale accounts are a primary vector for lateral movement in a compromised network. This script automates the “Sanitization” phase of identity management by identifying and disabling dormant accounts.

1. The Logic Flow

The script follows a safe-failure logic to ensure no critical service accounts are accidentally disabled:

Targeting: Narrowly scopes the search to specific User OUs.
Evaluation: Filters for LastLogonDate older than 90 days.
Action: Disables the account and logs the event for auditing.

2. The Implementation

# Configuration
$DaysInactive = -90
$TargetDate = (Get-Date).AddDays($DaysInactive)
$LogPath = "C:\Logs\AD_Cleanup_$(Get-Date -Format 'yyyyMMdd').log"

# Fetch and Process
Get-ADUser -Filter 'LastLogonDate -lt $TargetDate -and Enabled -eq $true' -Properties LastLogonDate |
 ForEach-Object {
 $User = $_.SamAccountName
 try {
 # Use -WhatIf for safety during testing
 Disable-ADAccount -Identity $_.DistinguishedName -ErrorAction Stop
 Add-Content -Path $LogPath -Value "SUCCESS: Disabled $User (Last Login: $($_.LastLogonDate))"
 } catch {
 Add-Content -Path $LogPath -Value "ERROR: Failed to disable $User. Check permissions."
 }
 }

AD User Cleanup Script

Sat, 03 Jan 2026 00:00:00 +0000

A PowerShell script to identify and disable inactive AD users.