Hello friends! It has been an embarrassingly long time since I last posted. For those of you who don’t know, I’m now a Product Lead at NinjaOne on their RMM side. I’ve been super busy over the past 10 months helping to outline and build the RMM of my dreams!
As IT service providers transition in to the new and better security tools, delivering custom PowerShell without triggering a security suite has become more and more challenging. PowerShell scripts are a really common medium for attackers to gain a foothold, so it should not be a surprise that security software treats them suspiciously, especially when the PowerShell scripts are making changes to the system or enumerating/capturing information.
To help these security tools differentiate between ransomware being delivered by a bad actor and scripts that you are just running through Ninja, one solution could be to digitally sign the scripts being run.
Learning how to sign PowerShell scripts is an important point for this. https://adamtheautomator.com/how-to-sign-powershell-script/ does a great job of explaining the process of signing a script. The one point I would re-iterate is you should consider purchasing a proper code signing certificate. A code signing certificate is a digital certificate that can be used to cryptographically tie an identity (IE you or your company) with a piece of code (IE your script). It also serves as a mechanism to make sure the code has not been tampered with or changed. Though it’s possible to do this with a self-signed certificate, you’d need to deploy that certificate to every endpoint. Purchasing a proper code signing certificate from a proper trusted authority will mean the certificate will be verified on most devices automatically.
Once you have your signed PS1, you can import it in Ninja by going into your script/automation library in Ninja, and choose to add a new script and import from file/computer. It’s imperative that you don’t make a single change to the script body, even an errant space or a new line break or a single character change will render the script unsigned. When you then run or utilize that script from inside Ninja, when the agent generates the file to execute it will have a digital signature.
You can generally use that digital signature or the certificate as a mechanism to whitelist or allow behaviour for your signed scripts in your security product.
I was stuck here for a bit. Ive been signing DattoRMM automation components for a while now, but as i moved to Ninja it took a while to figure out the file encoding is different. Ninja uses UTF-8 whereas DattoRMM uses UTF-8 w/BOM.