Endpoint management company Automox is unveiling Worklets Signing, which complements Worklets and Ask Otto with a view to helping companies dodge the dangers of PowerShell abuse and unsigned scripts.
Jason Kikta, chief information security officer (CISO) at Automox, said that scripting actions on a Windows machine to push out using Active Directory (AD) group policy has become harder, with on-prem versions of AD increasingly deprecated for “modern cloud-compatible” identity and access managers (IAMs).
“Writing PowerShell can be daunting and time-consuming for junior employees – and more than a few senior ones as well. Moreover, PowerShell itself has become a major focus for abuse by threat actors,” Kikta explained via an Automox blog post.
Automox has been tackling related PowerShell issues in three phases. The first was plug-and-play automations, or Worklets, that enable scheduling, policy setting and pushing PowerShell out to the Windows endpoint.
Secondly, the vendor has rolled out gen-AI tool Ask Otto. This uses a large language model (LLM) to help teams draft scripts, while also taking advantage of the Automox Worklets Catalog library of plug-and-play IT automations for “hundreds” of Windows, macOS and Linux use cases, Kikta said.
“Soon we’ll unveil phase three: Worklet Signing,” he added.
Kikta said that signing and validating PowerShell scripts addresses security concerns around PowerShell abuse, but that managing keys securely had been burdensome for IT departments.
Automox was aiming to reduce this pain by handling “the most pernicious bits”, he said, such as secure key generation and storage, public key distribution to the endpoint, and seamless signing for authorised IT team employees.
“Signed PowerShell paired with RemoteSigned or AllSigned execution policies can help to reduce your potential attack surface,” Kikta said.
“Signing scripts offers assurance that what you wrote is what will be executed – no malicious modifications. Signed scripts as well as a well-managed RBAC (role-based access control) can ensure the strongest possible technical control between authorisation to write and authorisation to execute.”
Customers can opt in to sign every PowerShell command sent through Automox, helping ensure critical endpoint management tasks, such as configuration updates, aren’t changed in transit to managed devices, said Kikta.
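As an added illustration of the signed-script control described above (this is not Automox's code; it assumes a Windows host with the PKI module, uses a lab-only self-signed certificate, and a constructed demo script stands in for a Worklet), the following PowerShell signs a script, verifies it, and shows that a change made after signing is detected and refused under AllSigned:

```powershell
# Added lab example, not Automox code. Assumes Windows PowerShell / PowerShell 7 on
# Windows with the PKI module. The certificate below is self-signed for a lab only;
# a production signer would chain to a CA the endpoints already trust.

# 1. Throw-away code-signing certificate in the current user's store (hypothetical subject).
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Lab Worklet Signer (hypothetical)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -HashAlgorithm SHA256 -KeyLength 2048 -NotAfter (Get-Date).AddDays(7)

# 2. A small constructed script standing in for a Worklet.
$script = Join-Path $env:TEMP 'worklet-demo.ps1'
Set-Content -Path $script -Value 'Get-Service -Name Spooler | Select-Object Name, Status'

# 3. Sign it. Authenticode appends a "# SIG # Begin signature block" comment to the file.
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256
"After signing: $($sig.Status) by $($sig.SignerCertificate.Subject)"

# 4. Verification an admin or agent can run before executing a script.
function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    $s = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        # Valid, NotSigned, HashMismatch, or UnknownError (signer does not chain to a trusted root)
        Status = $s.Status
        Signer = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { $null }
    }
}
Test-ScriptSignature -Path $script

# 5. Simulate a modification in transit: prepend one line to the signed file.
$original = Get-Content -Path $script
Set-Content -Path $script -Value (@('Write-Host "line added after signing"') + $original)
# The content no longer matches the hash in the signature block, so Status is HashMismatch.
Test-ScriptSignature -Path $script

# 6. With AllSigned in force for this process only, the modified script is refused.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope Process -Force
try { & $script } catch { "Execution blocked: $($_.Exception.Message)" }
```

Because the lab certificate is self-signed, even the untouched script reports UnknownError rather than Valid until the certificate is placed in the Trusted Root and Trusted Publishers stores; the HashMismatch result after modification does not depend on trust.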
“Dual-use and fileless PowerShell scripts comprise [many] of the critical security threats on endpoints,” he added.
A 2020 survey by Cisco found that PowerShell was the source of “more than a third” of critical endpoint security threats in one six-month period, as reported by eSecurity Planet in 2021.