Task automation and configuration management software may execute command lines that automate one or more computer tasks and functionalities. A non-limiting example of task automation and configuration management software is PowerShell. PowerShell is a software execution environment having an associated scripting language. A computer executing a PowerShell instance will perform various functions according to the script currently being executed. A PowerShell script may remotely issue a series of operating system-based commands (e.g., Windows® commands). A beneficial feature of PowerShell scripting is that it allows for task automation and device configuration management as a background execution service that may be imperceptible or not readily apparent to users. However, attackers may produce PowerShell script code that causes devices to perform undesirable functions without users' knowledge. For example, PowerShell scripts may contain malicious code functions, such as key-loggers and screen scrapers, which may execute without a user realizing the script was or is executing. Another complication with PowerShell is its prevalence in some enterprises—PowerShell may be installed and executed on many or most enterprise workstations. In such enterprises, the frequency of PowerShell script-execution instances among enterprise devices may complicate efforts to detect malicious PowerShell scripts.
Conventional antivirus software may scan enterprise devices for possible viruses or malware. Similarly, traditional configuration management software may scan enterprise devices for compliant configurations, such as confirming that enterprise workstation operating systems have installed the appropriate software patches. However, these conventional software tools are ineffective or inefficient for addressing the vulnerabilities presented by malicious PowerShell scripts. Conventional antivirus software is configured to scan hard drives to identify compiled executable files, sometimes called “binaries,” whose machine code matches malware “signatures” referenced by the antivirus software. However, conventional antivirus software cannot search each non-compiled script file on remote systems to identify potentially malicious instructions within the script prior to execution. Some rare antivirus products may identify PowerShell scripts during a hard drive scan, but this functionality merely identifies the existence of a PowerShell script. These antivirus products cannot review the underlying content of the script code and then determine whether the code is malicious or benign.
Moreover, conventional configuration management software cannot scan the content of files, file-by-file, on a remote system. At best, configuration management software may determine whether the operating system, patches, and programs of the remote enterprise workstations conform to a particular “gold load,” predetermined operating system configuration, or some set of expected files. However, configuration management software cannot detect whether malicious instructions are located within scripting files on the remote workstations.
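As an added illustration (not from the original document) of the content-level script inspection that the conventional tools above lack, the following Python scanner reads a PowerShell script's uncompiled source and flags references to key-logging and screen-capture APIs before the script runs. The two sample scripts, the indicator patterns and their weights are constructed assumptions for this example, not a published rule set.

```python
import re

# Constructed sample scripts (not from the original document).
BENIGN_SCRIPT = """Get-Service | Where-Object { $_.Status -eq 'Running' } |
    Export-Csv -Path C:\\Reports\\services.csv -NoTypeInformation
"""
SUSPICIOUS_SCRIPT = """$code = @"
[DllImport("user32.dll")] public static extern short GetAsyncKeyState(int vKey);
"@
Add-Type -MemberDefinition $code -Name KB -Namespace Win32
$bmp = New-Object System.Drawing.Bitmap 1920, 1080
[System.Drawing.Graphics]::FromImage($bmp).CopyFromScreen(0, 0, 0, 0, $bmp.Size)
"""

# Indicator patterns and weights are illustrative assumptions: they name
# real Win32/.NET APIs that key-loggers and screen scrapers call, plus the
# P/Invoke and encoding constructs a script needs to reach them.
INDICATORS = {
    "keylogger_api":   (re.compile(r"GetAsyncKeyState|SetWindowsHookEx", re.I), 3),
    "screen_capture":  (re.compile(r"CopyFromScreen", re.I), 3),
    "native_interop":  (re.compile(r"Add-Type\s+-MemberDefinition|DllImport", re.I), 1),
    "encoded_command": (re.compile(r"-EncodedCommand|FromBase64String", re.I), 2),
}
MALICIOUS_THRESHOLD = 3  # assumed cut-off for the constructed weights


def scan_script(source: str) -> dict:
    """Return {indicator: [1-based line numbers]} for every pattern that
    matches the script text. Unlike a binary signature, this inspects the
    uncompiled source, so it can run before the script is executed."""
    hits = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, (pattern, _weight) in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits


def score(hits: dict) -> int:
    """Sum the weight of each distinct indicator that fired at least once."""
    return sum(INDICATORS[name][1] for name, lines in hits.items() if lines)


def classify(source: str) -> str:
    """'suspicious' when the weighted indicator score reaches the threshold."""
    return "suspicious" if score(scan_script(source)) >= MALICIOUS_THRESHOLD else "benign"


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        print(label, classify(text), scan_script(text))
```

The line numbers returned by scan_script let an analyst jump straight to the offending statement in the script, which a hash- or byte-signature match on a compiled binary cannot provide.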