Worklet Deep Dive (August 2021)

Hi, everybody - Chad here. As we keep re-launching some popular recurring posts, I discovered the Worklet Deep Dive interview series, where we get some details into the creation of a specific worklet. This month, we’re talking to @marina about her SeriousSAM/HiveNightmare LPE Vulnerability worklet and how it came to be.

What prompted the creation of this particular worklet?

This worklet stemmed from the disclosure of a 0-day impacting Windows machines, so time was of the essence to get this tested and shipped to protect users and customers. I also wanted to try my hand at PowerShell scripting, so this was an opportune moment to help protect customers and get some practice.

What difficulties or obstacles came up while creating it?

Well, I’ve never written a Windows worklet before, and I have limited PowerShell scripting prowess, so there was a steep learning curve for me. For the script itself, there were lots of variables to account for: presence of shadow copies, presence of builtin users, variability in error messages and stdout, x64 vs x86 systems paths and code, code running as ADMIN vs code running as a low privileged user, etc. I also had time constraints to get this code tested, validated and shipped in a timely manner to decrease the window an attacker could exploit this 0-day.

How well is it working and have you been able to identify any network issues with it?

In the first few iterations, I received some “Command timed out” errors within the Automox activity log, but the worklet actually completed successfully. Additionally, I had some issues with getting stdout to output in the Activity Log. I had to dig into error logs and messages to figure out the issue. Also, 99.9% of the time (don’t quote me on that exact statistic), scripted deletion of shadow copies via Vssadmin or PowerShell is likely malicious, so understandably, endpoint detection and protection solutions posed interoperability issues with the Automox agent running this worklet. I had to create an exception for Automox deleting shadows for good :wink:

For the most part, the worklet is working as expected, but there were some discrepancies with certain versions being vulnerable and other versions not. There doesn’t seem to be detailed literature on which versions outside of Windows 10 build 1809 and above that may be vulnerable to this 0-day. Additionally testing on a fresh VM isn’t as realistic as testing on a real-world machine. For instance, shadow copies weren’t available on my newly built VMs, so I did my best to replicate a close-to-real-world Windows box.

Have you seen any feedback from end users?

Yep, got some valuable feedback from end users regarding language compatibility with the “Builtin users” not translating in other languages, and thereby returning a false compliance message. Also, as expected, some end users experienced their endpoint protection vendors blocking the deletion of shadow copies.

Now that it’s been in use for a while, what would you like to add to a v2 of this worklet?

I would like to address the language compatibility issues, and be more detailed in communicating stdout feedback with the worklet administrator for troubleshooting purposes.

This is your first Windows Worklet. How did you get started writing scripts in Powershell?

Funny thing is I used to do threat research, so I only had experience using PowerShell for “bad,” downloading and invoking malware on disk or in memory or invoking malicious scripts from github, pastebin, etc. This was my first time scripting PowerShell for “good.” My experience with PowerShell was primarily analyzing, decoding, and running malicious PowerShell scripts, a vast majority of that being copy-pasta code any script kiddie could write or google. I would key off of common combinations of PowerShell cmdlets or expressions to detect or block malicious behavior.

What are some of your favorite scripting resources?

I used to attend Hal Pomeranz’s webinars. The ones I attended were primarily Linux-centric, but he really is a command line master and I aspire to his level of mastery. Speaking of which, I should probably go back to attending more webinars. I used to read the Command Line Kung Fu blog as well, but that hasn’t been updated in a few years.

For the Windows side, I don’t know if it’s my “favorite” resource, but it’s how I learned - I analyze Github scripts. I learn by seeing and doing, and there are a bunch of pentesting scripts and sys admin scripts that are helpful to learn from.

If you could implement one feature request or improvement idea for the worklet system tomorrow, what would it be?

It would definitely be better error logging and audit logging. Troubleshooting was not very straightforward and sometimes I did not receive any feedback period. I want to know what failed, where, and why. That would make creating and testing worklets much smoother.

Thanks, Marina! If you have questions for @marina or would like some more info, just let us know in the comments.