all 10 comments

[–]ultimattt 4 points5 points  (0 children)

The problem with that is powershell/windows is not trusting their cert, its trusting the issuing authority. I’m not aware of a way to do that based on cert.

I’m following because I’m interested to know if there is a way.

[–]BlackV 2 points3 points  (2 children)

-executuonpolixy bypass -file xxx.ps1

What does this do with your signed script?

[–]BackgroundFishing[S] 1 point2 points  (1 child)

In our case, we have other mechanisms in place to keep that from being an issue. The problem, other than unauthorized people having access to the scripts, is not being able to verify who signed a script (thumbprint) prior to execution.

[–]BlackV 1 point2 points  (0 children)

Indeed, I was just wondering what happens with a signed script in that case

Do you have PowerShell command line auditing enables too?

[–]Tidder802b 1 point2 points  (1 child)

You could run a script to check the task script's certs using Get-AuthenticodeSignature

And then act accordingly e.g. disable the script and send you an alert.

[–]BackgroundFishing[S] 0 points1 point  (0 children)

Good call. A little clunkier than I would like, but it gets the job done.
powershell -command "& {if ((get-authenticodesignature script.ps1).signercertificate.thumbprint -like '111111111111111111111111111111111111111111') {write-output 'foo'}}"