I'm looking to enforce a policy that only allows signed PowerShell scripts moving forward, but before I do that, I need a way to detect any existing unsigned scripts. The goal is to identify and modify all unsigned scripts to prevent any process disruptions. Unfortunately, I've had a hard time finding clear solutions to help with this. My vSOC team might help, but their capabilities seem limited in this area. Does anyone have tools or methods that could assist in detecting unsigned PowerShell scripts?
6 Answers
Check for the signature block at the end of your scripts – it often starts with `# SIG # Begin signature block`. You can recursively look for this pattern in your scripts to identify unsigned ones easily.
Another handy command is `signtool.exe verify /pa "yourfile.ps1"`. It can help you check the signature status for specific scripts.
You can use the `Get-ChildItem` command combined with `Get-AuthenticodeSignature` to scan through .ps1 files in your scripts directory. It helps identify which scripts are signed and which aren’t.
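Putting the two detection approaches above together, here is an added example (not code from any answer in this thread) that walks a script tree with `Get-ChildItem`, asks `Get-AuthenticodeSignature` for each file's status, and also notes whether the `# SIG # Begin signature block` marker is present. The root path and report path are assumptions to adjust for your environment.

```powershell
# Added example: inventory PowerShell script files and report those that are not
# validly signed, so they can be fixed before an AllSigned/AppLocker policy is enforced.
param(
    [string]$Root   = 'C:\Scripts',                   # assumed scan root
    [string]$Report = 'C:\Temp\unsigned-scripts.csv'  # assumed output path
)

$results = Get-ChildItem -Path $Root -Recurse -File -Include *.ps1, *.psm1, *.psd1 |
    ForEach-Object {
        # Authoritative check: Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        # Cheap textual check from the thread: a signed script carries a trailing signature block.
        $hasBlock = Select-String -Path $_.FullName -Pattern '^# SIG # Begin signature block' -Quiet

        [pscustomobject]@{
            Path        = $_.FullName
            Status      = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            HasSigBlock = [bool]$hasBlock
        }
    }

# Anything other than Valid needs attention before enforcement:
#   NotSigned     -> must be signed
#   HashMismatch  -> edited after signing (block present, content changed); re-sign
#   NotTrusted    -> signed by a certificate this machine does not trust
$needsWork = $results | Where-Object { $_.Status -ne 'Valid' }

$needsWork | Sort-Object Status, Path | Format-Table -AutoSize
$needsWork | Export-Csv -Path $Report -NoTypeInformation
'{0} of {1} script files need attention; report written to {2}' -f @($needsWork).Count, @($results).Count, $Report
```

Relying on `Get-AuthenticodeSignature` rather than the text marker alone matters: a file can contain a signature block and still report `HashMismatch` if it was edited after signing, which would break under an AllSigned policy just as an unsigned file would.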
I think enforcing signed scripts can be tricky since there are ways to bypass these restrictions. Consider that running PowerShell doesn't always require scripts to be in a '.ps1' format; people can easily run commands from other file types, like a '.txt'. You might want to tread carefully before going full throttle on this change!
Good point! Plus, if someone really wants to bypass the script signing, they could just launch a PowerShell instance and ignore the policy.
If you have the resources, consider using AppLocker. You can set it up to require signatures for scripts and monitor events in Event Viewer to see any audit logs without blocking them outright.
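As an added example of the audit-before-enforce approach described in this answer (not code from the answer itself), the snippet below reads the AppLocker "MSI and Script" event log and summarises which script files would have been blocked. It assumes AppLocker script rules are deployed in audit-only mode on the machine where it runs, and uses the standard AppLocker event IDs (8006 = audited/would be blocked, 8007 = blocked) and the `RuleAndFileData` fields of the event XML.

```powershell
# Added example: summarise AppLocker script audit events so scripts that a
# signature-requiring rule would block are found before the rule is enforced.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8006, 8007   # 8006: audit-mode "would have been blocked"; 8007: actually blocked
} -ErrorAction SilentlyContinue

$rows = $events | ForEach-Object {
    # Each AppLocker event carries its details in UserData/RuleAndFileData.
    $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        FilePath = $data.FilePath
        Fqbn     = $data.Fqbn        # '-' for unsigned files; publisher/product/binary/version otherwise
        User     = $data.TargetUser
        Rule     = $data.RuleName
    }
}

# One line per distinct script, most frequently hit first, so remediation can be prioritised.
$rows |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Hits     = $_.Count
            FilePath = $_.Name
            Signed   = ($_.Group[0].Fqbn -ne '-')
            LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } |
    Format-Table -AutoSize
```

Running this over a few weeks of audit data gives the list of scripts (and the users and scheduled tasks that run them) that must be signed before switching the rule set from audit to enforce.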
We handle script signing through our version control system like Git. Whenever someone checks in a script, it automatically gets signed. That keeps everything organized and compliant.
True! But if you implement WDAC, only signed scripts from trusted publishers will run in Full Language Mode, heavily restricting what malicious actors can do.