> For the complete documentation index, see [llms.txt](https://otter.gitbook.io/red-teaming/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://otter.gitbook.io/red-teaming/notes/powershell/powershell-code-signing.md).

# PowerShell Code Signing

PowerShell code should be signed, from an offensive standpoint, to allow it to be executed under stricter application whitelisting policies and circumvent execution policy enforcement.

The following formats can have signatures

* ps1
* psm1
* psd1
* ps1xml
* psc1
* cdxml
* mof

To create a self-signed certificate we can use

```powershell
$Arguments = @{
	Subject = 'CN=My Self-signed Code Signing'
	Type = 'CodeSigningCert'
	KeySpec = 'Signature'
	KeyUsage = 'DigitalSignature'
	FriendlyName = 'My Self-signed Code Signing'
	NotAfter = ((Get-Date).AddYears(3))
	CertStoreLocation = 'Cert:\CurrentUser\My'
}
$TestCodeSigningCert = New-SelfSignedCertificate @Arguments
```

```powershell
Add-Type -TypeDefinition @'
	using System;
	public class Test {
		public static void Main(string[] args) {
		Console.WriteLine("Hello, PowerShell!");
		Console.ReadKey();
	}
}
'@ -OutputAssembly HelloPowerShell.exe

$MySigningCert = ls Cert:\CurrentUser\My\ | ? { $_.Subject -eq 'CN=My Self-signed Code Signing' }
Set-AuthenticodeSignature -Certificate $MySigningCert -TimestampServer 'http://timestamp.digicert.com' -FilePath .\HelloPowerShell.exe
```

And to add a trusted root certificate

```powershell
$MySigningCert = ls Cert:\CurrentUser\My\ | ? { $_.Subject -eq 'CN=My Self-signed Code Signing' }
Export-Certificate -FilePath exported_cert.cer -Cert $MySigningCert
Import-Certificate -FilePath exported_cert.cer -CertStoreLocation Cert:\CurrentUser\Root
Get-AuthenticodeSignature HelloPowerShell.exe
```

Catalog-signing permits signing of any file type regardless of “signability”. A catalog file is effectively a list of hashes that can be signed.

```powershell
mkdir NewModule
'Write-Host "This is an awesome module!!!"' | Out-File .\NewModule\NewModule.psm1

New-FileCatalog -CatalogVersion 2 -CatalogFilePath .\NewModule.cat -Path .\NewModule\
Move-Item -Path .\NewModule.cat -Destination .\NewModule\

Test-FileCatalog -FilesToSkip .\NewModule\NewModule.cat -CatalogFilePath .\NewModule\NewModule.cat -Detailed

$MySigningCert = ls Cert:\CurrentUser\My\ | ? { $_.Subject -eq 'CN=My Self-signed Code Signing' }

Set-AuthenticodeSignature -Certificate $MySigningCert -TimestampServer 'http://timestamp.digicert.com' -FilePath .\NewModule\NewModule.cat
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://otter.gitbook.io/red-teaming/notes/powershell/powershell-code-signing.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.