A Missed Event Log Cost a Client Their Domain Admin: Last year, a mid-size logistics company we manage came to us after discovering that a domain admin account had been…
Forty-Seven USB Drives Walk Into a Network: A financial services client called us on a Friday afternoon. Their DLP solution flagged 14 GB of data copied to a removable device,…
Last quarter a client’s deployment script hit 900 lines with zero bash functions. Just a massive wall of sequential commands. When something broke at 2 AM, nobody could figure out…
A Base64 String Is Not a Security Strategy: Last year we were brought in to assess a mid-sized fintech company’s Kubernetes environment after a failed compliance audit. Their security team…
While scripting a bulk user migration for a client last quarter, I hit one of those issues that wastes an hour before you realize what happened. Half the Get-ADUser calls…
Forty-Seven Alerts at 2 AM and One of Them Was Real: A managed services client called our SOC at 2:14 AM on a Tuesday. Their file server was throwing access…
A client called us on a Monday morning because half their admin team couldn’t run Exchange management commands. The other half could. Same servers, same accounts, same Group Policy. Turned…
Orphaned DSNs and the Ticket That Started It All: The ticket read: “Application can’t connect to the database.” After remoting into the server, I ran Get-OdbcDsn and found seventeen ODBC…
A Client Call That Could Have Gone Better: One of our managed healthcare accounts called in after a failed attempt to enable Fault Tolerance on a production SQL VM. The…
A Backdoor Hiding in Plain Sight: During a quarterly security review for a client running a 200-seat Windows environment, we found a DLL registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls that had been…