Automation and scripting in SMBs: Trends, challenges and what actually works

Acronis telemetry across 11,500 organizations shows that automation is highly concentrated, with most script activity coming from a small set of organizations and most teams relying on scheduled PowerShell tasks. AI-generated scripts are increasingly reaching production, while abandoned automation and embedded credentials create operational and security risks that make script governance essential. #Acronis #PowerShell #GitGuardian #GitHubCopilot

Keypoints

  • Telemetry from 100 million automated script runs across 11,500 organizations shows automation is unevenly adopted and highly concentrated.
  • The top 10% of organizations generate most automation activity, and organizations that automate heavily schedule 99.5% of their script runs.
  • More than half of created scripts are never executed, and 85% become inactive or abandoned over time.
  • PowerShell dominates real-world IT automation in managed environments, while Bash is mainly seen in macOS contexts.
  • AI-generated scripts are increasingly moving into production and are more likely to be executed than human-written scripts.
  • Forgotten scripts can expose embedded credentials, API tokens, and configuration details, increasing operational and security risk.
  • Automation is also becoming part of the attack surface as attackers abuse legitimate administrative tools and scripting environments.
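
One way to act on the abandoned-script and embedded-credential points above is to audit a script inventory for both conditions at once. This is an added example, not code from Acronis or the original article; the inventory rows, the 90-day inactivity threshold, the regex patterns and the function names are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory (all names, dates, secrets made up): (name, last run or None, body).
INVENTORY = [
    ("restart-spooler.ps1", datetime(2025, 5, 30),
     "Restart-Service -Name Spooler -Force"),
    ("sync-users.ps1", datetime(2024, 1, 12),
     '$pw = ConvertTo-SecureString "Winter2024!" -AsPlainText -Force\n'
     '$h = @{ Authorization = "Bearer EXAMPLE0TOKEN0VALUE0123456789" }'),
    ("disk-report.sh", None,
     'API_TOKEN="example-token-0000"\ncurl -H "X-Token: $API_TOKEN" "$URL"'),
]

# Heuristic patterns (an assumption of this example, not an exhaustive rule set).
PATTERNS = {
    "plaintext SecureString": re.compile(
        r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I),
    "bearer token literal": re.compile(r'Bearer\s+[A-Za-z0-9._-]{20,}'),
    # A quoted literal assigned to a secret-looking name; "$VAR" references are skipped.
    "hardcoded secret assignment": re.compile(
        r'\w*(password|passwd|pwd|secret|token|api_?key)\w*\s*=\s*["\'][^"\'$]+["\']',
        re.I),
}

def audit(inventory, now, stale_after_days=90):
    """Return {script: [findings]} for scripts that are unused or hold secrets."""
    cutoff = now - timedelta(days=stale_after_days)
    report = {}
    for name, last_run, body in inventory:
        findings = []
        if last_run is None:
            findings.append("never executed")
        elif last_run < cutoff:
            findings.append(f"inactive since {last_run:%Y-%m-%d}")
        findings += [f"embedded credential: {label}"
                     for label, rx in PATTERNS.items() if rx.search(body)]
        if findings:
            report[name] = findings
    return report

def rotate_first(report):
    """Unused scripts that still carry a secret: revoke it, then retire the script."""
    return sorted(n for n, f in report.items()
                  if len(f) > 1 and not f[0].startswith("embedded"))

if __name__ == "__main__":
    rep = audit(INVENTORY, now=datetime(2025, 6, 1))
    print(rep, rotate_first(rep), sep="\n")
```

Scripts returned by rotate_first are the ones where a credential may outlive its script, so the secret should be revoked before the script is deleted.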

MITRE Techniques

  • [T1059.001] PowerShell – Used as the dominant automation and execution environment in managed IT, and also as a tool attackers can abuse to execute commands, move laterally, and persist using built-in tooling (‘PowerShell dominates automation activity’ / ‘PowerShell continues to play a central role in real-world intrusions because it allows attackers to execute commands, move laterally and persist using tools that already exist inside the environment’).
  • [T1059] Command and Scripting Interpreter – The article describes automation through scripting and notes that attackers use scripting environments to run commands and abuse legitimate administrative workflows (‘scripts’ / ‘abusing an automation workflow can be easier and less detectable than deploying new malware’).
  • [T1078] Valid Accounts – Forgotten automation may retain valid credentials, API tokens, or scheduled tasks that can be reused for unauthorized access (‘scripts embed credentials, API tokens or configuration details that remain valid long after the script itself stops being used’).
  • [T1021] Remote Services – The article notes that attackers increasingly exploit remote management tools and administrative infrastructure instead of deploying malware (‘79% of ransomware incidents involve compromised remote management tools’).
  • [T1569.002] Service Execution – Scripts are used to restart services and run maintenance tasks, reflecting execution of actions through managed automation (‘Most scripts perform a single task such as checking a condition, restarting a service or collecting a metric’).
  • [T1204] User Execution – AI-generated scripts and one-off scripts enter production because IT staff create and run them as part of operational workflows (‘AI-generated scripts are frequently deployed and scheduled as part of regular automation workflows’).

Indicators of Compromise

  • [Organizations/Platforms] telemetry and research sources – Acronis, Spiceworks, GitGuardian, GitHub Copilot
  • [Environment scale] production telemetry dataset – 100 million automated script runs, 11,500 organizations, 44 data centers
  • [File/Script types] automation content – PowerShell scripts, Bash scripts
  • [Security artifacts] exposed secrets in repositories – 23.8 million new secrets in public GitHub commits, and 2 more related figures about leaked secrets
  • [Access material] sensitive embedded items in scripts – credentials, API tokens, configuration details


Read more: https://www.acronis.com/en/tru/posts/automation-and-scripting-in-smbs-trends-challenges-and-what-actually-works/