@keyboardcrunch
Created March 17, 2021 14:14
SentinelOne Agent compliance script
```powershell
# Look up the agent in the Add/Remove Programs inventory (Win32Reg_AddRemovePrograms is the SCCM client's class).
$Installed = Get-WmiObject -Class Win32Reg_AddRemovePrograms | Where-Object { $_.DisplayName -eq "Sentinel Agent" }
If ( -Not $Installed ) {
    # Sentinel Agent not installed/missing.
    Return $false
} Else {
    $Version = $Installed.Version
    $SentinelCtl = "C:\Program Files\SentinelOne\Sentinel Agent $Version\SentinelCtl.exe"
    # Each line of the status output becomes one element of $Status.
    $Status = & $SentinelCtl "status"
    $Compliant = $true
    If ( $Status -contains "SentinelAgent is not loaded" ) {
        $Compliant = $false
    }
    If ( $Status -contains "SentinelCtl.exe was run from an old") {
        # Indicates mismatch between installed version and running version. Could be corrupted install.
        $Compliant = $false
    }
    If ( $Status -contains "SentinelMonitor is not loaded" ) {
        $Compliant = $false
    }
    <# Disabled, unsure how common this is disabled on healthy clients but common on systems with Agent unloaded.
    If ( $Status -contains "Self-Protection status: Off" ) {
        $Compliant = $false
    }
    #>
    Return $Compliant
}
```
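As an added example (not code from the gist or from SentinelOne), the same compliance checks returned as an object that records why a host failed, so fleet reporting can tell "agent not loaded" apart from "version mismatch". It assumes the gist's install path convention; the sample status lines at the end are constructed, not captured from a real agent.

```powershell
# Added example (not the gist's code): same checks as the script above, but returned as
# an object that records WHY a host failed. Install path convention follows the gist;
# $SampleStatus below is constructed, not real SentinelCtl output.
function Get-SentinelComplianceReport {
    param(
        # Lines of 'SentinelCtl.exe status' output; omit to query the local agent.
        [string[]]$StatusLines
    )
    if (-not $StatusLines) {
        $Installed = Get-WmiObject -Class Win32Reg_AddRemovePrograms |
            Where-Object { $_.DisplayName -eq 'Sentinel Agent' }
        if (-not $Installed) {
            return [pscustomobject]@{ Compliant = $false; Reasons = @('Sentinel Agent not installed'); SelfProtectionOff = $null }
        }
        $Ctl = "C:\Program Files\SentinelOne\Sentinel Agent $($Installed.Version)\SentinelCtl.exe"
        if (-not (Test-Path -LiteralPath $Ctl)) {
            return [pscustomobject]@{ Compliant = $false; Reasons = @("SentinelCtl.exe not found at $Ctl"); SelfProtectionOff = $null }
        }
        # 2>&1 keeps error text (e.g. the 'run from an old' message) in the same stream.
        $StatusLines = & $Ctl status 2>&1 | ForEach-Object { "$_" }
    }

    # Regex -> reason. -match on an array returns the matching lines, so it tolerates
    # extra text or whitespace on a line where the gist's -contains needs an exact element match.
    $Failures = [ordered]@{
        'SentinelAgent is not loaded'          = 'Agent not loaded'
        'SentinelCtl\.exe was run from an old' = 'Installed vs running version mismatch (possible corrupted install)'
        'SentinelMonitor is not loaded'        = 'Monitor driver not loaded'
    }
    $Reasons = @(foreach ($Pattern in $Failures.Keys) {
        if ($StatusLines -match $Pattern) { $Failures[$Pattern] }
    })
    [pscustomobject]@{
        Compliant         = ($Reasons.Count -eq 0)
        Reasons           = $Reasons
        # Reported separately rather than failing the host, matching the gist's commented-out check.
        SelfProtectionOff = [bool]($StatusLines -match 'Self-Protection status: Off')
    }
}

# Constructed sample (not captured from a real agent) so the parser can be exercised offline.
$SampleStatus = @(
    'SentinelMonitor is loaded'
    'SentinelAgent is not loaded'
    'Self-Protection status: Off'
)
Get-SentinelComplianceReport -StatusLines $SampleStatus
```

Run without -StatusLines to evaluate the local agent; a missing binary or uninstalled agent is reported as a reason rather than throwing.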
@mattcargile

There is surprisingly little information on this cli tool. Are you aware of what create_agent_analyzer_report parameter will do?

@keyboardcrunch
Author

@mattcargile That's the built in function for dumping a report of:

  • Host information (general)
  • Agent starts and stops
  • Top processes the agent spent monitoring
  • Agent CPU % sampled every 5 minutes

`./SentinelCtl.exe create_agent_analyzer_report -o C:\Windows\Temp\Analyzer.txt` would output the equivalent of the LatestActivityAnalyzerReport.txt that you'd find in a SentinelOne LogFetch archive to the specified output directory. If you run the same command without the `-o` output parameter it'll show you the options like:

  • `-s` for start time
  • `-e` for end time
  • `-m` for last X minutes (default 240)

I'm not sure why the Windows binary doesn't show this option in the `-h` help command as it does on Linux and macOS (IIRC).

@mattcargile

mattcargile commented Sep 9, 2022

@keyboardcrunch , you are the best! 👍 That is a neat tool! I was able to get that help output once I tried it.

And I was wondering if you knew anything about this repo? I go into more depth in this issue. Additionally, what's your take, generally speaking, on the behavior and the performance of these injected scripts and breakpoints? I didn't like it because it broke piping behavior like `get-psbreakpoint | remove-psbreakpoint`. And they pollute the global variable namespace with other variables like `$item`. I assume this behavior can be managed by an item in `sentinelctl.exe configure`?

@keyboardcrunch
Author

I've not seen that repository before but I'm aware of SentinelOne's use and commented in this thread on Twitter a while back; it's part of the PowershellProtection feature of the agent. It can be turned off locally on a single host with `./SentinelCtl.exe config powershellProtection false -k "AGENT PASSPHRASE"`; doing so will not disable AMSI so CommandScript EDR data will still be collected by the agent.
I wouldn't do this globally, but it can be done by an administrator through Policy Override. Standard Interoperability exclusion should also resolve any issues you're running into, so you could just exclude your impacted script.

@mattcargile

mattcargile commented Sep 9, 2022

Thanks again! Big help. I don't see that configuration Item. I see the below when searching the config for "power".

```text
agent.deepVisibility.scripts.powershell
agent.monitorConfig.preemptionConfig.processes
```

To "fix" on my end, I add the below to my `$PROFILE`. Otherwise, my powershell.exe session workflow isn't usable, especially with modules like ZLocation.

```powershell
# Sentinel One Clean up.
# VS Code doesn't have the same issue for some reason.
if ($PSVersionTable.PSEdition -eq 'Desktop' -and $env:TERM_PROGRAM -ne 'vscode') {
    # Addition of breakpoints slow down the session. Calling fully qualified function to avoid using function override.
    Microsoft.PowerShell.Utility\Get-PSBreakpoint | Microsoft.PowerShell.Utility\Remove-PSBreakpoint
    # Software doesn't clean up these variables
    Remove-Variable -Name 'item', 'Po_wer_Spl_oit_Indicators' -ErrorAction 'Ignore'
    # Software overrides and hooks into these functions and breaks things. For instance, `gbp | rbp` doesn't work
    Remove-Item -Path 'Function:\Get-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\New-Object' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Set-ExecutionPolicy' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Remove-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Disable-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Enable-PSBreakpoint' -ErrorAction 'Ignore'
    # Other functions added that aren't needed
    Remove-Item -Path 'Function:\Disable-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Enable-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Get-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\New-Object_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Remove-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Set-ExecutionPolicy_Hook' -ErrorAction 'Ignore'
}
```
