SecOps: SentinelOne Global Threat Scraper

When a new 0-day vulnerability or a suspicious file hash is identified, waiting for a scheduled scan is not an option. This PowerShell tool uses the SentinelOne Management API to “scrape” the entire fleet for specific indicators of compromise (IOCs).

1. The Workflow

The script performs the following steps:

Authentication: Connects via API token to the S1 Management Console.
Query: Requests a list of all endpoints where a specific file hash or process has been detected in the last 24 hours.
Reporting: Generates a CSV list of infected hostnames, IP addresses, and the “Detection State” (Mitigated vs. Active).

2. The Implementation

```powershell
# S1 API Configuration
$ApiToken = "YOUR_API_TOKEN"
$BaseUrl  = "https://your-console.sentinelone.net/web/api/v2.1"
$Header   = @{ "Authorization" = "Token $ApiToken" }

# Define the threat hash to hunt for
$TargetHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Search for the hash across the site
$Response = Invoke-RestMethod -Uri "$BaseUrl/threats?contentHashes=$TargetHash" -Method Get -Headers $Header

if ($Response.data) {
    Write-Host "ALERT: Threat detected on $($Response.data.Count) endpoints!" -ForegroundColor Red
    # Write the matching endpoints out for the incident record
    $Response.data | Select-Object computerName, lastActiveDate, threatName | Export-Csv -Path "./ThreatReport.csv" -NoTypeInformation
} else {
    Write-Host "Clear: No matches found for the target hash." -ForegroundColor Green
}
```

January 10, 2026 · 1 min · Alfred van Ster

Resilient Data: Architecting a 3-2-1-1 Backup Strategy for MSPs

In modern infrastructure, “Backup” is not a task—it is a foundational pillar of security. For an MSP managing hundreds of endpoints, a simple file-copy isn’t enough. Here is how I architect systems to survive ransomware and site-wide disasters.

1. The 3-2-1-1 Framework

I advocate for an evolved version of the classic 3-2-1 rule, specifically designed for remote-first workforces:

3 Copies of Data: Primary, local secondary, and offsite tertiary.
2 Different Media: Utilizing localized NAS storage for fast LAN recovery and cloud-native repositories.
1 Offsite Location: Ensuring data is physically separated from the primary site.
1 Immutable Copy: Utilizing S3 Object Lock or air-gapping to ensure backups cannot be deleted by compromised credentials.

2. The Infrastructure Stack

My preferred approach utilizes a unified management plane to reduce “Shadow Data”: ...

January 5, 2026 · 2 min · Alfred van Ster

AD Automation: Inactive Account Reaper

Stale accounts are a primary vector for lateral movement in a compromised network. This script automates the “Sanitization” phase of identity management by identifying and disabling dormant accounts.

1. The Logic Flow

The script follows a safe-failure logic to ensure no critical service accounts are accidentally disabled:

Targeting: Narrowly scopes the search to specific User OUs.
Evaluation: Filters for LastLogonDate older than 90 days.
Action: Disables the account and logs the event for auditing.

2. The Implementation

```powershell
# Configuration
Import-Module ActiveDirectory
$DaysInactive = -90
$TargetDate   = (Get-Date).AddDays($DaysInactive)
# Placeholder OU: replace with the User OU(s) in scope so service-account OUs are never touched
$SearchBase   = "OU=Users,DC=example,DC=com"
$LogPath      = "C:\Logs\AD_Cleanup_$(Get-Date -Format 'yyyyMMdd').log"

# Fetch and Process
Get-ADUser -Filter 'LastLogonDate -lt $TargetDate -and Enabled -eq $true' -SearchBase $SearchBase -Properties LastLogonDate |
    ForEach-Object {
        $User = $_.SamAccountName
        try {
            # Use -WhatIf for safety during testing
            Disable-ADAccount -Identity $_.DistinguishedName -ErrorAction Stop
            Add-Content -Path $LogPath -Value "SUCCESS: Disabled $User (Last Login: $($_.LastLogonDate))"
        } catch {
            Add-Content -Path $LogPath -Value "ERROR: Failed to disable $User. Check permissions."
        }
    }
```

January 3, 2026 · 1 min · Alfred van Ster

Securing the Perimeter: Why I chose a VPS over Shared Hosting

Most portfolios live on shared hosting—cheap, easy, but restricted. For my infrastructure, I chose a Virtual Private Server (VPS). Here’s why a Systems Engineer treats their “home on the web” like a production environment.

1. The Isolation Advantage

On shared hosting, you are at the mercy of your “neighbors.” If another site on the same IP gets hit with a DDoS or runs a malicious script, your site slows down or goes dark. On my VPS, my vCPU and RAM are mine alone. ...

January 1, 2025 · 1 min · Alfred van Ster