Ransomware Encryption Analysis: Attack Mechanics on Windows
Forty-Seven Alerts at 2 AM and One of Them Was Real A managed services client called our SOC at 2:14 AM on a Tuesday. Their file server was throwing access…
PowerShell Module Management: Install, Import, and Update
A client called us on a Monday morning because half their admin team couldn’t run Exchange management commands. The other half could. Same servers, same accounts, same Group Policy. Turned…
Automating ODBC DSN Management with PowerShell Remove-OdbcDsn
Orphaned DSNs and the Ticket That Started It All The ticket read: “Application can’t connect to the database.” After remoting into the server, I ran Get-OdbcDsn and found seventeen ODBC…
vSphere 6.7 Fault Tolerance: VMDK and RDM Restriction Checklist
A Client Call That Could Have Gone Better One of our managed healthcare accounts called in after a failed attempt to enable Fault Tolerance on a production SQL VM. The…
Using Autoruns to Audit Every Windows Autostart Location
A Backdoor Hiding in Plain Sight During a quarterly security review for a client running a 200-seat Windows environment, we found a DLL registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls that had been…
AdExplorer: Browsing and Snapshotting Active Directory Offline
The Change Nobody Documented Three service accounts disabled in production. No change ticket. No record of who did it or when. The helpdesk was fielding calls for forty minutes before…
PowerShell For, ForEach, and While Loops Explained
Six Hours of Copy-Paste, Gone in One Loop Last quarter we inherited a client environment with 140 Windows servers. The previous admin had been manually checking disk space on each…
Monitoring Disk Space and Sending Alerts with PowerShell
A Full Drive at 2 AM Is Never Just a Full Drive Last quarter, one of our managed customers had a file server hit 99% disk utilization on a Saturday…
Windows Admin Center: Browser-Based Server Management Done Right
The Ticket That Changed How We Manage Servers Last year, a logistics client with fourteen Windows Server instances across two sites called us in a panic — their lone sysadmin…
Forensic Triage on Windows: Rapid Evidence Collection
The Clock Is Already Running Your SIEM flags a suspicious PowerShell execution on a domain controller at 11:43 PM. The endpoint detection tool confirms process injection consistent with MITRE ATT&CK…