Understanding EDR Telemetry: Linux Script Activity

Visibility into PowerShell on Windows is a standard feature of every modern EDR, as PowerShell has been used and abused by adversaries since shortly after its release in 2006. Yet on Linux, where introspection into scripts is arguably even more important, tracking script activity is far from a standard feature. On Windows we can thank the Antimalware Scan Interface (AMSI) for visibility into PowerShell: the scripting engine hands the script content to registered security products at execution time, after any obfuscation has been unwrapped. On Linux we don't have the luxury of AMSI; nothing in the interpreters (bash, Python, Perl, and the like) surrenders script content to a security product by default.