BlackFog provides two possible techniques for permitting known PowerShell scripts to execute at startup: the first uses allow lists (whitelisting), the second uses privilege elevation with a secondary script.
From BlackFog 4.5 onward it is possible to add PowerShell scripts to the allow list within the application or the enterprise console. Open the allow list tab and type the name of the PowerShell script as “mypowershell.ps1” or “partialpath\mypowershell.ps1”. We highly recommend you include a path so that other shell scripts of the same name will not be matched.
It is important that PowerShell scripts designed to run at startup use the correct techniques so they are not detected as possible threats, which typically use deceptive commands to bypass system security. This requires the creation of two separate files: a .CMD file and the normal PowerShell script with the .PS1 extension.
Create a startup.cmd file and enter the following lines:
PowerShell -Command "Set-ExecutionPolicy Unrestricted -Force" >> "%TEMP%\StartupLog.txt" 2>&1
PowerShell C:\Users\\Desktop\script.ps1 >> "%TEMP%\StartupLog.txt" 2>&1
PowerShell -Command "Set-ExecutionPolicy Restricted" >> "%TEMP%\StartupLog.txt" 2>&1
This enables the PowerShell script to execute without the subversive commands used by fileless malware. The command file runs PowerShell against the script at the specified path and logs the behavior to a log file, then sets the policy back to Restricted when complete.
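As an added example that is not part of this article, the following PowerShell script can be run after startup to confirm that the startup.cmd above returned the machine-wide execution policy to Restricted and to surface any errors written to %TEMP%\StartupLog.txt. The LocalMachine scope and the error markers it searches for are assumptions.

```powershell
# Added example (not BlackFog's code): verify the outcome of the startup.cmd described above.
# Assumption: the command file logs to %TEMP%\StartupLog.txt as in the article.
$LogPath = Join-Path $env:TEMP 'StartupLog.txt'

function Test-StartupPolicyRestored {
    # Set-ExecutionPolicy without -Scope changes the LocalMachine policy,
    # so that is the scope to check. A leftover Unrestricted policy means
    # the command file did not reach its last line (script hung or failed).
    (Get-ExecutionPolicy -Scope LocalMachine) -eq 'Restricted'
}

function Get-StartupLogErrors {
    param([string]$Path = $LogPath)
    if (-not (Test-Path $Path)) { return @("log not found: $Path") }
    # Error records redirected with 2>&1 typically contain these markers (assumed set).
    Get-Content $Path | Where-Object { $_ -match 'Exception|CategoryInfo|not recognized|cannot be loaded' }
}

if (-not (Test-StartupPolicyRestored)) {
    Write-Warning 'Execution policy is not Restricted; the startup.cmd may not have completed.'
}

$logErrors = Get-StartupLogErrors
if ($logErrors) {
    $logErrors | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "No errors recorded in $LogPath"
}
```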