Keep the productivity, lose the risk

Automated security scanning and code signing for PowerShell scripts

What is PowerShell and what’s the problem?

PowerShell is a powerful scripting language that can automate various tasks on a system. Workers in an organisation can use PowerShell scripts to streamline their work and improve their productivity. However, using PowerShell scripts from the internet can pose a significant security risk to an organisation.

An attacker could modify a PowerShell script to include malicious code, such as downloading and executing malware, stealing sensitive data, or performing other malicious actions. The modified script could then be used to compromise the security of the organisation's network and systems.

When workers in an organisation find PowerShell scripts on the internet, they need to carefully assess the scripts' trustworthiness before running them. This involves checking the script's content and ensuring that it has not been tampered with or modified since it was created.

What can be done?

Automated security scanning and digitally signing PowerShell scripts can help mitigate the risk of malicious scripts being run by workers in an organisation. Automated security scanning, including running it in a security sandbox, can quickly identify any potential malicious code in a script and determine if it’s safe to run. Additionally, digitally signing the script ensures that it has not been tampered with since it was last scanned, and provides a way to verify its origin and authenticity. This can help prevent unauthorised or malicious scripts from being executed and increase the overall security posture of the organisation.

Macrosine offers a comprehensive security solution that allows you to upload your PowerShell scripts via its easy-to-use web interface where they are scanned, sandboxed, detonated, and validated for safety. Once validated, the files are digitally signed for added security.

By configuring your environment to only allow the execution of signed PowerShell scripts, you can ensure the highest level of assurance.

For flexibility and rapid deployment, Macrosine can be installed on your on-premises infrastructure or Azure subscription.

Let’s get technical

PowerShell script signing

PowerShell signing policy is a mechanism that allows organisations to enforce a level of trust on PowerShell scripts that are executed within their environment. The policy works by requiring that scripts be digitally signed before they can be executed on a computer. When a script is signed, it is assigned a digital signature that includes information about the publisher of the script, the date and time it was signed, and other details.

PowerShell signing policy is enforced through Group Policy settings that are defined in Active Directory. These settings control whether scripts can be run on a computer, and if so, what level of trust is required. The policy can be set to one of three levels:

  1. AllSigned: This setting requires that all PowerShell scripts be digitally signed by a trusted publisher before they can be executed on a computer. This provides the highest level of security and is recommended for systems that are particularly sensitive or critical.

  2. RemoteSigned: This setting requires that any PowerShell script that is downloaded from the Internet or other network location must be digitally signed by a trusted publisher. However, locally created scripts can be run without a digital signature. This setting is recommended for systems that are less sensitive or critical.

  3. Unrestricted: This setting allows any PowerShell script to be executed on a computer without a digital signature. This provides the least level of security and is generally not recommended, except in situations where the risks associated with a particular script are well understood and acceptable.

In summary, PowerShell signing policy is a security mechanism that helps to protect against the risks associated with unsigned scripts. By enforcing a level of trust on PowerShell scripts, organisations can reduce the risk of malicious or unauthorised scripts being executed on their computers.

Security scanning and sandboxing

Running a PowerShell script in a security sandbox can help validate that it is safe to use because the sandbox is a secure and isolated environment. A sandbox runs in a virtual machine, which is an emulated computer environment that is completely separate from the host operating system. When a PowerShell script is run in a sandbox, it cannot interact with the host system or any other applications running on the host system.

The sandboxed environment can be used to analyse and validate the behavior of a PowerShell script by observing its interactions within the sandbox. This can be done by monitoring the file system, registry, network traffic, and other system resources. This allows any malicious behavior to be detected and prevented before it can cause any harm to the host system.

In addition, PowerShell scripts can be scanned for malware using antivirus software within the sandbox, ensuring that only safe and verified scripts are allowed to run outside of the sandbox environment. By scanning scripts for malware, organisations can ensure that the PowerShell scripts they are using are safe and not infected with any malicious code.

Do I really need an app for this?

Security scanning

Manually security scanning a PowerShell script can be challenging for several reasons:

  1. Time-consuming: PowerShell scripts can contain hundreds or thousands of lines of code. Scanning each line manually can be time-consuming and inefficient.

  2. Complex syntax: PowerShell scripts can have complex syntax, and it can be challenging to identify all the possible functions and commands that may pose a security risk.

  3. Obfuscation techniques: Malicious actors may use obfuscation techniques to hide the true intent of a PowerShell script. Manually scanning for such techniques can be challenging and time-consuming.

  4. Limited expertise: Security analysts may not have the expertise required to identify all the possible security risks that a PowerShell script may pose.

Overall, manual security scanning of PowerShell scripts is time-consuming, complex, and prone to human error. A security sandbox can automate the scanning process and help identify potential security risks in a faster and more efficient manner.

Code signing

The challenge with applying a digital signature to a PowerShell script is that it requires a good understanding of how digital signatures work, as well as knowledge of the tools and processes involved in applying them. Additionally, different organisations may have different policies and procedures for applying digital signatures, which can make it difficult to know which approach to take.

Applying a digital signature to a PowerShell script typically requires multiple code signing certificates and specialised code-signing and certificate management tools, which often has to be replicated for each developer or administrator looking to use PowerShell scripts. Each worker also needs to understand the processes involved in getting setup to be able to digitally sign scripts, and the processes to apply the digital signature.

Macrosine makes it easy

Having an easy-to-use tool that automatically runs a PowerShell script in a sandbox and applies a digital signature streamlines the process of ensuring that PowerShell scripts are both safe and trusted. Macrosine allows users to easily upload and scan their scripts in the sandbox, which helps identify any malicious code or potential security risks before the script is signed.

Macrosine also automates the process of applying the digital signature to the PowerShell script to verify its authenticity and ensure that it has not been modified since it was signed. By having Macrosine to automate this process, users can save time and ensure that their PowerShell scripts are properly validated and signed.

Additionally, having an easy-to-use tool can encourage users to adopt security best practices and reduce the risks associated with using untested and potentially malicious PowerShell scripts. This can help improve the overall security posture of the organisation and reduce the likelihood of a successful cyber attack.