Hi, everybody - Chad here, and welcome to our [somewhat] monthly worklet-focused series of interviews, where we get to chat with developers of worklets about their process, resources, and more. This month’s guest is community member and worklet creator
AX: What prompted the creation of this particular worklet?
Jack Smith: An EDR tool had a custom IOC built to detect when any endpoint saw the command net localgroup Administrators /add. This would trigger an alert for the Security team to review. Most investigations resulted in local admin permissions being granted by help desk so an end user could perform a manual task that required elevation. The follow-through on removing those permissions was hit or miss. Now there is a deeper discussion here as to why not just remote in, perform the task and call it a day. The issue there came down to convenience, scheduling and availability of the task being automated for repeat use. While true root cause is being worked out to reduce the need for this, this enables help desk to do the action, logged properly, filtered as an approved event in the EDR tool, and peace of mind knowing the permissions will be revoked in a timely manner. The absolute best solution in my mind is software like ThreatLocker that could manage this nicely. Sometimes, however, to justify the added spend, you have to grow your own solution...
AX: What difficulties or obstacles came up while creating it?
JS: The Microsoft.PowerShell.LocalAccounts module is not available in 32-bit PowerShell on a 64-bit system. Automox worklets run in 32-bit PowerShell. This results in having to either encode the commands in a scriptblock and run them in the 64-bit context or fall back to leveraging the net command.
AX: How well is it working and have you been able to identify any network issues with it?
JS: For the desired outcome, this has been working great. So far no gotchas.
AX: Have you seen any feedback from end users?
JS: Helpdesk enjoys the time saved from having to remember to remove credentials as well as having Security snooping around every use of the net localgroup Administrators command issued.
AX: Now that it’s been in use for a while, what would you like to add to a v2 of this worklet?
JS: I'd include in the rollback script a way to document UAC events used by the account during the time the account was elevated as local admin.
AX: How did you get started writing scripts in PowerShell?
JS: Not my first worklet but a good question. My start was with the book PowerShell in a Month of Lunches and consuming a lot of the videos presented by Jeffrey Snover, Jason Helmick and Don Jones. Next was setting a goal to "script myself out of a job". Started looking at manual tasks I had to do over and over and incorporating those into a PowerShell script. Then came the "what can I do just because" scripts. Meanwhile you gain perspective on time invested to time actually saved using the script. In the beginning there was way more time going into creation than time saved. Over time that gap improves. The teaching moment there is sometimes the time invested is for a payout much further down the road. Where I'm at today is knowing how to use the tool, but not polished in the sense of writing to account for all the things. I'm learning about
AX: What are some of your favorite scripting resources?
JS: I really like The PowerShell Gallery. There are a lot of examples to build from. Any of the unplugged events with Jeffrey Snover and Jason Helmick. The Month of Lunches book series is also fantastic.
AX: If you could implement one feature request or improvement idea for the worklet system tomorrow, what would it be?
JS: Error handling. I've noticed exit 1 can often produce a dreaded "COMMAND TIMEOUT" message, leaving all other effort to Write-Output to the activity log lost. I've since started slowly swapping out "exit 1" with "exit $LastExitCode", but now even script failure where I think someone should be tracking on the activity log is lost with a green indicator of success. When I got started writing worklets in Automox, the challenge was complementing the console visual indicators by leveraging error handling. Exit 1 will indeed get that visual red indicator that something didn't work, but the activity log is lost.
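The following is an added example, not part of the interview and not Jack Smith's worklet. It ties together the two technical points raised above: reaching the Microsoft.PowerShell.LocalAccounts cmdlets from the 32-bit worklet context by encoding a scriptblock for 64-bit PowerShell (via the sysnative alias), scheduling the revocation so the permission is removed in a timely manner, and writing the failure reason to output before exiting non-zero. The account name and elevation window are constructed sample values.

```powershell
# Added example (not the interviewee's worklet). Constructed values: target account, hours.
# Automox runs worklets in 32-bit PowerShell, where Microsoft.PowerShell.LocalAccounts is
# unavailable, so the work is placed in a scriptblock, Base64-encoded, and handed to the
# 64-bit powershell.exe through the sysnative alias.
$TargetUser = 'CONTOSO\jdoe'   # constructed sample account
$Hours      = 2                # elevation window before automatic revocation

$work = {
    param($User, $Hours)
    try {
        $current = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        if ($current.Name -contains $User) {
            Write-Output "$User is already a local administrator; nothing to do."
            exit 0
        }
        Add-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction Stop
        Write-Output "Added $User to Administrators for $Hours hour(s)."

        # Rollback: a one-shot scheduled task run as SYSTEM removes the membership
        # even if the worklet that granted it never runs on this endpoint again.
        $expire  = (Get-Date).AddHours($Hours)
        $cmd     = "Remove-LocalGroupMember -Group Administrators -Member '$User'"
        $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                       -Argument "-NoProfile -Command `"$cmd`""
        $trigger = New-ScheduledTaskTrigger -Once -At $expire
        Register-ScheduledTask -TaskName "TempAdmin-Revoke-$($User -replace '\\','_')" `
            -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
        Write-Output "Revocation scheduled for $expire."
        exit 0
    } catch {
        # Write the reason before the non-zero exit so the activity log explains the failure.
        Write-Output "FAILED: $($_.Exception.Message)"
        exit 1
    }
}

# Build the 64-bit invocation "& { <scriptblock> } -User '...' -Hours N" as UTF-16LE Base64.
$command = "& { $($work.ToString()) } -User '$TargetUser' -Hours $Hours"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($command))
$ps64    = Join-Path $env:windir 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
if ([Environment]::Is64BitProcess) { $ps64 = 'powershell.exe' }   # already 64-bit: run directly

& $ps64 -NoProfile -NonInteractive -EncodedCommand $encoded
exit $LASTEXITCODE   # propagate the child's exit code so the worklet status reflects the result
```

Because the child process writes its messages before returning its exit code, the output explaining a failure is emitted ahead of the non-zero exit rather than being discarded with it.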