
Worklet Deep Dive: Create scheduled task to run at user log-on as user him/herself by Jesumyip


Nic-Automox

Following on from the first deep dive interview with @Mrichards, we have @jesumyip this time to tell us more about the creation process for his scheduled task worklet.


Nic: What was the impetus for creating this worklet?


Je Sum: I wanted to duplicate GPO behaviour. My goal was to eventually replace GPO in my organization with Automox. And one of the most troublesome behaviours to remove is when a group policy runs in the user context. It is difficult (not impossible, but a lot of code is required in the worklet) for the Automox agent to duplicate that behaviour given that it runs in the SYSTEM context.


Nic: What difficulties or obstacles did you run into?


Je Sum: Trying to figure out how to work this using 100% PowerShell only. I eventually realized it cannot be done - you need access to COM to complete the task.


Nic: What sorts of scheduled tasks are you automating using this worklet?


Je Sum: It is mostly registry changes now - for example, disabling macros in Office to avoid macro-related malware from spreading easily. Basically anything that requires access to HKCU of the registry hive. This was triggered by a global Emotet campaign around the second half of last year.


Nic: How did you get started writing scripts in PowerShell?


Je Sum: That goes back many years. 🙂 I started working on computers with an Apple II+, learning BASIC and then moving on to 6502 assembly language. I eventually moved on to Pascal, C, C++, and VB on Windows. From there, it was easy to pick up VBScript (I never could get batch files to do the things I wanted to due to their limited functionality). And when Microsoft introduced PowerShell, I immediately fell in love (especially coming from what I used to work with, C and C++).


Nic: What are your favorite scripting resources?


Je Sum: Google, Stackoverflow, and ss64.com.


Nic: What is your number one feature request or improvement idea for the Worklet system?


Je Sum: Automox has already implemented it - a worklet repository - built by Automox, community members, and Automox customers who are willing to share. There’s so much you can do with PowerShell.


–


Thanks for taking the time to answer our questions @jesumyip! If anyone has any other questions they’d like to ask, feel free to reply below.
