How We Worklet: macOS Incident Response (IR) Scripting Made Easy

Welcome to the second installment of our new blog series: How We Worklet.

Today, we have the great pleasure of talking shop with Automox Sr. Security Engineer extraordinaire Marina Liang about her Winning Worklet built to enhance your macOS Incident Response (IR) scripting experience.

But before we dive in and discover what Marina’s IR scripting Worklet is all about, let’s briefly touch on the mission of this blog series. Then we'll revisit just what a Worklet is and how you can use them within Automox.

From the How We Worklet series, you can expect to get a glimpse at how we're using our own product internally. Throughout the initiative, we'll share creative ways to use Automox beyond simple patching. We'll also address unique business and test cases.

Recap: What’s a Worklet and how is it used?

Automox Worklets™️ are super helpful automation tools. Worklets hand over the reins so you can automate any scriptable action on macOS, Linux, and Windows devices. What soul-crushing, manual task vexes you most? Script it and eliminate it.

When you write or use existing Worklets, you give your organization a shot at reaching its full automation potential. The best part is that Worklets help you do away with time-consuming manual tasks and help with compliance efforts.

Leverage Worklets to remediate zero-day or unpatched vulnerabilities. Or use them to configure your devices, disconnect unauthorized applications, roll back patches, etc.

To learn more about what a Worklet is and how it works, jump over to the Automox Community.

Today’s Winning Worklet: Incident Response Capture Script

Watch today's Winning Worklet brought to you by Sr. Security Engineer Marina Liang.

Marina is a Senior Security Engineer on Automox’s Corporate Security team. Marina’s position encompasses pretty much everything security at Automox: Incident response, threat hunting, security tooling, curating detection and prevention rules, monitoring alerts, etc.

Marina’s background is in the next-generation antivirus/endpoint detection and response (NGAV/EDR) space. She’s spent a great deal of time triaging alerts, threat-hunting, and query-building to detect and prevent malicious behaviors. In her former life, Marina worked as a senior threat analyst, performing deep investigations into threats occurring on customer endpoints.

We sat down with Marina to learn more about her IR scripting Worklet and the different use cases to which it can be applied. Here’s what she said:

Why did you build this Worklet? What problem does it solve?

I wanted the macOS Incident Response (IR) Capture Script to solve a few issues:

  1. Most of the NGAV/EDR industry is Windows-centric. That encompasses EDR/AV vendors, training, and miscellaneous resources. There are a few solid macOS researchers out there who provide extraordinary contributions to the macOS community, but the amount of resources geared to Windows outnumbers macOS trifold.

  2. Incident response is hard. There are so many things you need to identify, locate, and grab from an infected machine. Attackers could utilize various tactics, techniques, and procedures (TTPs) to compromise a system or enterprise. There are a ton of tools and commands you can use to identify malicious activity. This Worklet serves as a starting point for relevant output for an incident responder (or the one-person IT shop who wears a lot of hats) to investigate.

What task does this Worklet accomplish?

The macOS Incident Response (IR) Capture Script Worklet uses the following data points to grab relevant output and context to start an investigation:

  • Network activity

  • User context and activity

  • Processes running

  • Persistence mechanisms

  • Command history

  • Environmental variables

  • Browser info

  • and more!

How long did it take to build?

Writing the Worklet didn’t take all that long. However, the research that went into writing it took some time. There are so many directories and logs that could serve as valuable insight, so narrowing down the basics proved difficult.

I wanted to make sure we covered all our bases and make it as easy as possible without having to download a ton of external dependencies or tools.

Additionally, some of the output can be verbose and quite noisy, so figuring out what commands and files were the most helpful from a triaging perspective was crucial.

How does it work?

The macOS IR Capture Script Worklet creates an IR folder, runs a series of commands, and outputs their results into aptly named text files within that folder. It also grabs certain logs and database files. It will then zip up the files for extraction. At the time of this writing, an analyst will need to use an external tool (remote desktop, EDR remote shell, etc.) to extract the zip file.

Before you built this Worklet, how much time did it take to do the same task(s)?

It’s difficult to discern how long manually pulling relevant data points off of an endpoint would take. Some of the data we have logged in our EDR solution, but more volatile data requires a timely response.

Typically, the incident responder (or handler) would be the one to remote into the endpoint in question and manually grab all this data. Then, they have to sit there and parse through to “find evil.” This could take anywhere from 30 minutes to a few hours or more. Typically this task would be spread across two or three responders to amply cover our bases.

The responder has to have a working knowledge of macOS file structure and persistence mechanisms. They’d also need to know where to look, what directories to parse, and what commands to run.

Now that you have this Worklet, how much time does the same task take?

Now, it takes a super-short amount of time. When the Automox agent checks in, it’ll run the Worklet at its scheduled (or on-demand) time, pull the relevant data, and zip it. It should take less than a minute and anyone can use it.

Is this Worklet device-specific?

Yep. The IR Capture Script Worklet is just for macOS.

Which type of IT or security role might especially benefit from using this Worklet?

IT, SecOps, and incident responders would benefit from using the IR Capture Script Worklet. Really, anyone who works with endpoints in a security capacity could benefit from leveraging it.

Have you been able to measure any quantitative outcomes as a result of implementing this Worklet?

Screenshot of test output

The Worklet outputs all system logs, browser extensions and information, in-use daemons, environment variables, bash history, keychain access, all logged-in users, persistence indicators, running processes, and certs. It gives a very thorough point-in-time view of a machine for incident response and investigation.

On average, this could save up to an hour of critical response time. It would also cut down on needing two or three responders to run queries. You’ll likely need one incident responder to grab the output and parse through looking for suspicious line items. The goal is to free up time for others to work on more pressing tasks.
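To make the flow described under "How does it work?" and the artifact list above concrete, here is a minimal bash capture skeleton: IR folder, one text file per command, copies of logs and shell history, then an archive for extraction. This is an added example, not the Automox Worklet's own code; it assumes it runs as root through the agent, that IR_ROOT is a parent directory of our choosing, and that the artifact paths are the standard macOS locations. A command absent on the host is recorded with its exit status rather than aborting the run.

```shell
#!/bin/bash
# Added example, not the Automox Worklet's own code. Assumes root via the agent.
IR_ROOT="${IR_ROOT:-/tmp}"   # parent for the IR folder (assumption; pick your own)

# capture DIR NAME CMD...: run CMD and save its stdout+stderr, under a timestamp
# header, to DIR/NAME.txt. A missing command is recorded, not fatal.
capture() {
  local dir="$1" name="$2"; shift 2
  {
    printf '### %s\n### %s\n\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
    "$@" 2>&1 || printf '\n### exit status %s\n' "$?"
  } > "$dir/$name.txt"
}

# grab DIR PATH...: copy each artifact that exists into DIR/files/, keeping its path.
grab() {
  local dir="$1" p; shift
  for p in "$@"; do
    if [ -e "$p" ]; then mkdir -p "$dir/files$(dirname "$p")" && cp -R "$p" "$dir/files$p"; fi
  done
}

# ir_collect: create the IR folder, run the triage commands, copy logs/history;
# prints the folder path. Commands after "env" are macOS-specific.
ir_collect() {
  local dir="$IR_ROOT/IR_$(hostname -s)_$(date +%Y%m%d_%H%M%S)"
  mkdir -p "$dir" || return 1
  capture "$dir" users        who -a                 # logged-in users
  capture "$dir" processes    ps axo pid,ppid,user,start,command
  capture "$dir" network      netstat -an            # sockets and listeners
  capture "$dir" env          env                    # environment variables
  capture "$dir" launchd_jobs launchctl list         # in-use daemons/agents
  capture "$dir" persistence  ls -la /Library/LaunchDaemons /Library/LaunchAgents \
                                     /Users/*/Library/LaunchAgents
  capture "$dir" certs        security find-certificate -a -p /Library/Keychains/System.keychain
  grab "$dir" /var/log/system.log /var/log/install.log \
              /Users/*/.bash_history /Users/*/.zsh_history
  echo "$dir"
}

# ir_archive DIR: zip the folder for extraction (tar.gz when zip is absent); prints the archive path.
ir_archive() {
  local dir="$1" base; base=$(basename "$dir")
  if command -v zip >/dev/null 2>&1; then
    (cd "$(dirname "$dir")" && zip -rq "$base.zip" "$base") && echo "$dir.zip"
  else
    tar -czf "$dir.tar.gz" -C "$(dirname "$dir")" "$base" && echo "$dir.tar.gz"
  fi
}
```

Run as root on the endpoint, then pull the printed archive with whatever remote tool you already have; the per-command headers make it obvious which commands were unavailable on that host.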

And finally… just for fun, if this Worklet were an animal, what would it be and why? What would its theme song be?

If this macOS Worklet were an animal, it would be a lone wolf. Like a wolf stealthily hunting in the wilderness, the Worklet efficiently runs in the background, unbeknownst to users. Similar to how the lone wolf breaks from the pack, this Worklet focuses on macOS in an industry that is so Windows-centric.

The IR scripting Worklet’s theme song would be “Every Breath You Take” by the Police because it is always watching the activity of that endpoint as it attempts to track relevant artifacts of the attacker.

If you're already an Automox customer, you can find the macOS IR Capture Script Worklet in our Automox Console Worklet Catalog. Log into the console for access. If you aren't yet using Automox, go ahead and get started with a free trial to test this Worklet out for yourself.

Stay tuned for more Winning Worklets

Remember, anyone can create and offer up a Worklet in our online community. Though some Worklets are written by the Automox team, our customers also have great ideas that come to life in Worklet form.

To dive deeper into Worklets and discover what they can do for you, check out the Community Worklets catalog. Here you’ll see what new Worklets are available. You can also ask questions about how Worklets function or submit your own!

Until next month, be well and Worklet on.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.
