When you digitally sign scripts, you can easily tell whether a script was manipulated or comes from an untrusted source. Here is a function that finds all PowerShell script files (*.ps1) on a drive or in a folder and reports the signature status of each one:
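function Test-PSScript($Path='C:\', [switch]$UnsafeOnly)
{
    <#
    .SYNOPSIS
    Reports the Authenticode signature status of every *.ps1 file below a path.

    .DESCRIPTION
    Recursively enumerates *.ps1 files under -Path, runs Get-AuthenticodeSignature
    on each one, and emits an object with the file Path and a readable Status text.
    Only *.ps1 files are inspected; other script or module file types are not
    covered by the filter.

    .PARAMETER Path
    Folder or drive root to scan. Defaults to C:\.

    .PARAMETER UnsafeOnly
    When set, files whose status is 'Valid' are left out of the output.

    .OUTPUTS
    One object per reported file, with the properties Path and Status.
    #>

    # Enumeration errors are suppressed, so folders that cannot be read are
    # skipped silently and any scripts inside them never show up in the report.
    Get-ChildItem $Path -Filter *.ps1 -Recurse -ErrorAction SilentlyContinue |
        Get-AuthenticodeSignature |
        Where-Object { ($_.Status -ne 'Valid') -or ($UnsafeOnly -eq $false) } |
        ForEach-Object {
            $signature = $_
            $result = $signature | Select-Object Path, Status

            switch ($signature.Status)
            {
                'notsigned'    { $result.Status = 'no digital signature present, unsafe script.' }
                # NOTE(review): UnknownError is a catch-all status. The text below
                # describes the untrusted-signer case; confirm the actual cause
                # from the signature's StatusMessage.
                'unknownerror' { $result.Status = 'script author is not trusted by your organization.' }
                'hashmismatch' { $result.Status = 'script content has been manipulated.' }
                'valid'        { $result.Status = 'trusted script in original condition.' }
                'nottrusted'   { $result.Status = 'signer certificate is not trusted on this system.' }
                # Any other status must not be read as trusted: name it and
                # report the file as unverified.
                default        { $result.Status = "signature could not be verified ($($signature.Status)), treat as unsafe." }
            }

            $result
        }
}

# Example: scan the whole C: drive and list every script with its status.
Test-PSScript c:\ | Format-List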