Detection Library

Detection Knowledge Base

Searchable library of production-grade detections with full logic, tuning guidance, and deployment notes.

110 detections

Suspicious PowerShell Encoded Command Execution

high

Detects execution of PowerShell with base64-encoded commands, commonly used by attackers to obfuscate malicious payloads.

production · Windows · Endpoint · T1059.001 · T1027 · Execution

LSASS Memory Dump via Task Manager or ProcDump

critical

Detects attempts to dump LSASS process memory for credential harvesting using common tools.

stable · Windows · Endpoint · T1003.001 · Credential Access

AWS CloudTrail, Suspicious IAM Policy Attachment

high

Detects when overly permissive IAM policies (AdministratorAccess, FullAccess) are attached to roles or users.

production · AWS · Cloud · T1098 · T1078.004 · Privilege Escalation

LLM Prompt Injection via API Gateway Logs

high

Detects potential prompt injection attacks targeting LLM-backed API endpoints by identifying known injection patterns in request bodies.

experimental · Cloud · AI/ML · T1190 · T1059 · AI Security

Lateral Movement via WMI Remote Execution

high

Detects remote WMI execution commonly used for lateral movement, persistence, and command execution across network hosts.

production · Windows · Network · T1047 · Lateral Movement

OCI Object Storage Mass Download, Data Exfiltration

high

Detects bulk GetObject requests against OCI Object Storage buckets, indicating potential data exfiltration via the OCI API or console.

stable · OCI · Cloud · T1530 · Exfiltration

OCI IAM Policy Change by Non-Admin Principal

critical

Detects creation, modification, or deletion of OCI IAM policies by principals that are not designated IAM administrators.

production · OCI · Cloud · T1098 · T1078.004 · Privilege Escalation

OCI API Key Created for Existing User, Credential Persistence

high

Detects creation of new API keys for existing IAM users, a common persistence mechanism after initial compromise.

stable · OCI · Cloud · T1098.001 · T1556 · Persistence

OCI Console Login from New Country or Tor Exit Node

high

Detects OCI console sign-in events originating from a country not previously seen for the user, or from known Tor exit node IP ranges.

production · OCI · Cloud · T1078.004 · Initial Access

OCI Cross-Compartment Resource Access Anomaly

medium

Detects a principal accessing resources in compartments outside their normal operational scope, indicating potential lateral movement or policy misconfiguration exploitation.

experimental · OCI · Cloud · T1078.004 · T1021 · Lateral Movement

AI Agent Spawning Shell Interpreter

high

Detects AI agent runtimes (Python, Node) spawning interactive shell interpreters, a strong indicator of agent goal hijacking, prompt injection leading to code execution, or unsafe tool invocation.

experimental · Linux · OCI · T1059.004 · AI Security

Linux Agent Connecting To Non-OCI External Destination

medium

Detects AI agent processes establishing network connections to external destinations outside the expected OCI network space, which may indicate exfiltration, C2 communication, or prompt-injection-driven outbound calls.

experimental · Linux · OCI · T1071.001 · AI Security

Linux Agent Accessing OCI CLI Config Or API Keys

high

Detects AI agent processes reading OCI CLI configuration files or API key material, which may indicate credential harvesting driven by goal hijacking or prompt injection.

experimental · Linux · OCI · T1552.001 · AI Security

Linux Agent Writing Temporary Execution Script

medium

Detects AI agent runtimes writing script files to temporary directories, a common pattern when an agent has been hijacked into generating and executing arbitrary code payloads.

experimental · Linux · OCI · T1059.004 · AI Security

Linux Agent Reading Browser Or Session Storage

high

Detects AI agent processes accessing browser profile directories or session storage files, which may indicate credential or token theft driven by a hijacked agent goal.

experimental · Linux · OCI · T1552.001 · AI Security

Linux Agent Spawning Curl Wget Or Netcat

high

Detects AI agent runtimes spawning network utility tools such as curl, wget, or netcat, indicating potential data exfiltration, payload download, or reverse shell establishment driven by tool misuse or prompt injection.

experimental · Linux · OCI · T1105 · AI Security

Linux Agent Invoking OCI CLI With Destructive Verbs

high

Detects AI agent processes executing OCI CLI commands with destructive action verbs (delete, terminate, disable, purge), indicating potential misuse of cloud management tools to destroy infrastructure or data.

experimental · Linux · OCI · T1485 · AI Security

Linux Agent Compressing User Data

medium

Detects AI agent runtimes spawning archive utilities (tar, zip, gzip) which may indicate data staging prior to exfiltration, a common tool misuse pattern in AI agent attacks.

experimental · Linux · OCI · T1560 · AI Security

Linux Agent Modifying Hosts File

high

Detects AI agent processes writing to /etc/hosts, which could redirect DNS resolution to attacker-controlled infrastructure or disable security tool connectivity.

experimental · Linux · OCI · T1565.001 · AI Security

Linux Agent Invoking SSH Or SFTP

high

Detects AI agent runtimes spawning SSH or SFTP processes, which may indicate lateral movement, unauthorized remote code execution, or data exfiltration via encrypted channels.

experimental · Linux · OCI · T1021.004 · AI Security

Linux Agent Accessing OCI Security Token Or API Material

high

Detects AI agent processes reading OCI session tokens, security credentials, or API key files, indicating potential identity theft or privilege escalation driven by an agent operating outside its authorized scope.

experimental · Linux · OCI · T1552.001 · AI Security

Linux Agent Reading SSH Private Keys

high

Detects AI agent processes accessing SSH private key files, which could enable unauthorized lateral movement to other hosts in the OCI environment.

experimental · Linux · OCI · T1552.004 · AI Security

Linux Agent Invoking Sudo Or Su

high

Detects AI agent runtimes executing sudo or su to escalate privileges, a strong indicator that the agent is attempting to gain root access beyond its intended operational scope.

experimental · Linux · OCI · T1548.003 · AI Security

Linux Agent Reading Cloud Credentials Beyond OCI

high

Detects AI agent processes accessing credential files for cloud providers other than OCI (AWS, Azure, GCP), which may indicate multi-cloud credential harvesting.

experimental · Linux · OCI · T1552.001 · AI Security

Linux Agent Invoking Credential Enumeration Commands

medium

Detects AI agent processes running commands associated with credential discovery and enumeration (env, printenv, id, whoami, getent), which may indicate an agent performing reconnaissance on its execution environment.

experimental · Linux · OCI · T1552.007 · AI Security

Linux Agent Installing Packages From Non-Approved Repositories

medium

Detects AI agent processes establishing network connections to package repository hosts other than approved mirrors, indicating potential supply chain compromise via installation of malicious packages.

experimental · Linux · OCI · T1588 · AI Security

Linux Agent Writing Tool Plugin Or MCP Artifacts

medium

Detects AI agent processes writing files to known tool plugin or MCP (Model Context Protocol) directories, which may indicate unauthorized modification of the agent's tool set or injection of malicious tool definitions.

experimental · Linux · OCI · T1588 · AI Security

Linux Agent Executing From Site-Packages Node Modules Or Temporary Paths

medium

Detects AI agent activity originating from Python site-packages, node_modules, or temporary directories, indicating potential execution of recently installed or dropped malicious packages.

experimental · Linux · OCI · T1588 · AI Security

Linux Agent Connecting To Unapproved MCP Or Tool Endpoints

high

Detects AI agent processes connecting to MCP server ports or tool endpoint addresses that are not in the approved configuration, which may indicate tool hijacking or connection to a rogue MCP server.

experimental · Linux · OCI · T1071.001 · AI Security

Linux Agent Modifying Dependency Or Runtime Configuration

medium

Detects AI agent processes modifying Python or Node.js dependency configuration files (requirements.txt, package.json, pip.conf), which could be used to introduce malicious dependencies or redirect package sources.

experimental · Linux · OCI · T1588 · AI Security

Linux Agent Executing From Temporary Or Shared Memory Paths

high

Detects AI agent runtimes spawning processes from temporary or shared memory paths (/tmp, /dev/shm), indicating execution of dynamically dropped payloads, a hallmark of fileless malware or prompt-injection-driven code execution.

experimental · Linux · OCI · T1059.004 · AI Security

Linux Agent Launching Inline Shell Or Interpreter Commands

high

Detects AI agent runtimes passing inline code (-c flag) to shell or interpreter commands, which is commonly used to execute injected or dynamically generated payloads without writing files to disk.

experimental · Linux · OCI · T1059.004 · AI Security

Linux Agent Dropping And Launching Executable Content

high

Detects AI agent processes writing executable files (binaries, scripts with execute permissions) to disk, which is the dropper stage of an agent-mediated malware delivery attack.

experimental · Linux · OCI · T1105 · AI Security

Linux Agent Invoking Perl Ruby Or PHP Interpreters

medium

Detects AI agent runtimes spawning alternative scripting interpreters (Perl, Ruby, PHP), which may indicate execution of code in a language designed to evade Python/Node-centric detection rules.

experimental · Linux · OCI · T1059 · AI Security

Linux Agent Running User Downloaded Scripts

medium

Detects AI agent processes executing scripts located in user download directories, which may indicate execution of malicious content retrieved from the internet as part of a hijacked agent task.

experimental · Linux · OCI · T1059.004 · AI Security

Linux Agent Modifying Local Memory Or Context Stores

medium

Detects AI agent processes writing to local vector store or memory database files, which may indicate an agent poisoning its own context memory to influence future behavior.

experimental · Linux · OCI · T1565.001 · AI Security

Linux Agent Overwriting Prompt Template Or System Instruction Files

high

Detects AI agent processes modifying prompt template files or system instruction configurations, which represents a direct attempt to alter the agent's core behavioral guidelines.

experimental · Linux · OCI · T1565.001 · AI Security

Linux Agent Ingesting Context From Downloaded Files

medium

Detects AI agent processes reading files from download directories that may contain adversarial content designed to poison the agent's context window via indirect prompt injection.

experimental · Linux · OCI · T1566 · AI Security

Linux Agent Modifying Vector Database Files

medium

Detects AI agent processes directly modifying vector database files used for RAG (Retrieval Augmented Generation) memory, which may indicate deliberate poisoning of the agent's knowledge retrieval layer.

experimental · Linux · OCI · T1565.001 · AI Security

Linux Agent Writing Retrieved Web Content Into Memory Stores

low

Detects AI agent processes writing fetched web content directly into memory or context store directories, which may indicate content containing indirect prompt injection instructions is being persisted in agent memory.

experimental · Linux · OCI · T1566 · AI Security

Linux Agent Connecting To Localhost Tooling Services

low

Detects AI agent processes establishing connections to localhost on common tooling and inter-agent communication ports, which may indicate unmonitored agent-to-tool or agent-to-agent communication channels.

experimental · Linux · OCI · T1071.001 · AI Security

Linux Agent Opening Listener Port

medium

Detects AI agent processes binding to network ports as a listener, which may indicate the agent has established an unauthorized service endpoint for receiving commands or relaying inter-agent communication.

experimental · Linux · OCI · T1071.001 · AI Security

Linux Agent Connecting To Peer Workstation Style Ports

medium

Detects AI agent processes connecting to ports commonly used for inter-agent or peer-to-peer communication (including Docker daemon ports), which may indicate unauthorized agent orchestration or container escape attempts.

experimental · Linux · OCI · T1071.001 · AI Security

Linux Agent Writing Shared Socket Or IPC Artifacts

low

Detects AI agent processes creating Unix socket files or named pipes that could be used as unmonitored inter-agent communication channels, bypassing network-layer security controls.

experimental · Linux · OCI · T1071.001 · AI Security

Linux Agent Invoking Queue Or Broker Clients

medium

Detects AI agent runtimes spawning message queue or broker client tools (kafka, rabbitmq, nats, mqtt, redis-cli), which may indicate unauthorized use of messaging infrastructure for inter-agent coordination or data exfiltration.

experimental · Linux · OCI · T1071.001 · AI Security

Linux Agent Excessive Child Process Burst (Seed Rule)

low

Baseline seed rule to detect AI agent runtimes spawning an unusual number of child processes in a short time window, which may indicate runaway agent loops, denial of service behavior, or cascading failure conditions.

experimental · Linux · OCI · T1499 · AI Security

Linux Agent Repeated External Connection (Seed Rule)

low

Baseline seed rule to detect AI agent processes making high-frequency repeated external network connections, which may indicate beaconing behavior, an infinite retry loop, or API hammering that causes cascading service failures.

experimental · Linux · OCI · T1499 · AI Security

Linux Agent Repeated Launch Of Browser Or Desktop Apps

medium

Detects AI agent runtimes repeatedly spawning browser or desktop application processes, indicating a potential runaway automation loop that may exhaust system resources or trigger cascading UI-automation failures.

experimental · Linux · OCI · T1499 · AI Security

Linux Agent Mass File Write (Seed Rule)

low

Baseline seed rule to detect AI agent processes writing an unusually large number of files in a short time window, which may indicate a runaway file generation loop, ransomware-like behavior, or uncontrolled data staging.

experimental · Linux · OCI · T1485 · AI Security

Linux Agent Recursive Self-Spawn

high

Detects AI agent Python or Node processes where both the parent and child process are the same interpreter binary, indicating recursive self-spawning that can rapidly exhaust process table limits and trigger cascading system failures.

experimental · Linux · OCI · T1499 · AI Security

Linux Agent Creating Approval Or Authorization Themed Files

medium

Detects AI agent processes creating files with names suggesting urgency, approval requests, or authorization actions, which may be an attempt to socially engineer human operators into approving malicious agent actions.

experimental · Linux · OCI · T1566 · AI Security

Linux Agent Launching Mail Or Chat Clients

medium

Detects AI agent runtimes spawning email or messaging applications (Thunderbird, Slack, Teams, Zoom), which may indicate the agent is attempting to communicate directly with humans to manipulate trust or request unauthorized approvals.

experimental · Linux · OCI · T1566 · AI Security

Linux Agent Opening Browser To OCI Console Or Identity Pages

medium

Detects AI agent processes launching browsers with URLs pointing to OCI console, identity, or authentication pages, which may indicate the agent is attempting to perform unauthorized actions via the OCI web console.

experimental · Linux · OCI · T1566 · AI Security

Linux Agent Dropping User-Facing Scripts On Desktop

high

Detects AI agent processes creating script files (.sh, .desktop, .url, .py) in user Desktop directories, which may represent an attempt to trick users into executing malicious scripts by placing them in a visible, trusted location.

experimental · Linux · OCI · T1204.002 · AI Security

Linux Agent Launching Remote Support Or Meeting Tools

medium

Detects AI agent runtimes spawning remote support or meeting applications (Teams, Zoom, AnyDesk, TeamViewer), which may indicate the agent is attempting to establish unauthorized remote access or manipulate a human into sharing screen access.

experimental · Linux · OCI · T1219 · AI Security

Linux Agent Creating Launch Agent Or Cron Persistence

critical

Detects AI agent processes writing files to persistence-related paths (cron directories, systemd unit directories, autostart), indicating an attempt to establish persistent code execution that survives reboots and agent restarts.

experimental · Linux · OCI · T1543.002 · AI Security

Linux Agent Writing Shell Startup Persistence

high

Detects AI agent processes modifying shell initialization files (.bashrc, .profile, .zshrc, .bash_profile), which can be used to execute malicious code whenever a user or automated process opens a new shell session.

experimental · Linux · OCI · T1546.004 · AI Security

Linux Agent Periodic External Beacon (Seed Rule)

low

Baseline seed rule to detect AI agent processes making periodic external connections at regular intervals, which is the characteristic pattern of a C2 beacon from a rogue agent maintaining contact with attacker infrastructure.

experimental · Linux · OCI · T1071.001 · AI Security

Linux Agent Copying Itself Into Hidden Or Support Paths

high

Detects AI agent processes writing executable files (.sh, .py, .bin, .service) to hidden directories or common persistence staging paths, which indicates the agent is replicating itself to establish alternative execution points.

experimental · Linux · OCI · T1036.005 · AI Security

Linux Agent Attempting To Disable Security Controls

critical

Detects AI agent processes executing commands that disable security software (Falcon sensor), clear firewall rules, or disable host-based firewalls, the highest-severity indicator of a fully rogue agent actively attempting to remove its detection surface.

experimental · Linux · OCI · T1562.001 · AI Security

LLM Service Spawning Shell Interpreter

high

Detects LLM service processes spawning shell interpreters (bash, sh, zsh). Under normal operation an LLM runtime should never directly fork an interactive shell. This pattern is a strong indicator of prompt injection achieving command execution.

experimental · Linux · AI/ML · T1059.004 · AI Security

LLM Service Calling OCI CLI After Prompt Handling

high

Detects an LLM service process spawning the OCI CLI binary. This indicates that a prompt may have caused the model to issue cloud control-plane commands, enabling resource enumeration, data access, or privilege abuse via the OCI API.

experimental · Linux · AI/ML · T1059.004 · T1083 · AI Security

LLM Service Reading User-Supplied Files From Temp Or Upload Paths

medium

Detects LLM service processes accessing files under temporary or upload directories. Attackers can plant malicious content in these paths to deliver indirect prompt injections via document ingestion.

experimental · Linux · AI/ML · T1005 · AI Security

LLM Service Connecting To Unexpected External Destination

medium

Detects LLM service processes making outbound network connections to external destinations outside the OCI and private network baseline. A prompt injection may instruct the model to exfiltrate data or beacon to an attacker-controlled server.

experimental · Linux · AI/ML · T1071.001 · AI Security

LLM Service Writing Script To Temp Path

medium

Detects LLM service processes writing script files (.sh, .py, .pl) to temporary directories. This pattern suggests the model output or an injected prompt caused the service to stage executable code for later execution.

experimental · Linux · AI/ML · T1059.004 · AI Security

LLM Service Accessing OCI Config Or API Key Material

high

Detects LLM service processes reading OCI configuration files or API key material. Access to these files from an LLM runtime may indicate credential harvesting triggered by a prompt injection or misconfigured model tool access.

experimental · Linux · AI/ML · T1552.001 · AI Security

LLM Service Reading SSH Private Keys

high

Detects LLM service processes accessing SSH private key files. Reading private key material from an LLM runtime indicates potential credential theft that could enable lateral movement across infrastructure.

experimental · Linux · AI/ML · T1552.004 · AI Security

LLM Service Accessing Environment Secrets Files

high

Detects LLM service processes reading .env or .netrc files that commonly contain application secrets, API keys, and passwords. This access pattern suggests the model or an injected prompt is attempting to harvest secrets.

experimental · Linux · AI/ML · T1552.001 · AI Security

LLM Service Compressing Potentially Sensitive Data

medium

Detects LLM service processes spawning archive utilities (tar, zip, gzip) targeting application or home directories. This behaviour suggests data staging prior to exfiltration of sensitive model data or credentials.

experimental · Linux · AI/ML · T1005 · T1560.001 · AI Security

LLM Service Outbound Connection To Non-OCI Object Storage

medium

Detects LLM service processes connecting to object storage endpoints (S3, Azure Blob, GCS) outside the OCI baseline. This pattern indicates potential exfiltration of sensitive model outputs, training data, or credentials to external cloud storage.

experimental · Linux · AI/ML · T1048.002 · AI Security

LLM Host Installing Python Packages From Unapproved Repository

medium

Detects pip or Python processes on an LLM host connecting to package repositories other than the approved PyPI or OCI mirrors. Installing packages from unapproved sources can introduce malicious dependencies into the LLM runtime.

experimental · Linux · AI/ML · T1195.001 · AI Security

LLM Host Installing Node Packages From Unapproved Registry

medium

Detects npm, yarn, or Node processes connecting to package registries other than the approved npm registry or OCI mirrors. Unapproved registries may serve malicious packages targeting LLM toolchain components.

experimental · Linux · AI/ML · T1195.001 · AI Security

LLM Runtime Writing New Plugin Or Extension Files

medium

Detects LLM service processes writing files to plugin, extension, MCP, or tools directories. Runtime modification of plugin paths suggests supply chain tampering or a prompt-injection-driven persistence mechanism.

experimental · Linux · AI/ML · T1547.001 · AI Security

LLM Service Loading Model From Temporary Directory

high

Detects LLM runtime processes (Python, ollama, vllm) executing with command-line arguments referencing temporary directories for model loading. Loading model weights from /tmp or /dev/shm suggests a staged supply chain attack replacing legitimate model files.

experimental · Linux · AI/ML · T1195.001 · AI Security

LLM Host Modifying Package Or Dependency Configuration

medium

Detects LLM service processes modifying Python or Node package configuration files (requirements.txt, pyproject.toml, package.json, etc.). Runtime modification of dependency configurations can redirect package resolution to attacker-controlled sources.

experimental · Linux · AI/ML · T1547.001 · AI Security

LLM Training Or Fine-Tune Data Files Modified

high

Detects LLM service processes modifying training dataset files (JSONL, Parquet, CSV, Arrow) in training or fine-tuning directories. Modification of training data at runtime is a strong indicator of data poisoning.

experimental · Linux · AI/ML · T1565.001 · AI Security

LLM Model Weights Modified On Disk

high

Detects LLM service processes writing to model weight files (.bin, .safetensors, .gguf, .pt). Model weight modification at runtime is a critical indicator of model poisoning or backdoor injection.

experimental · Linux · AI/ML · T1565.001 · AI Security

Unexpected Process Editing Embedding Or Retrieval Data Store

medium

Detects non-LLM system utilities (sed, awk, Python, Perl) writing to vector database or embedding store directories. This indicates out-of-band modification of the retrieval layer, a key data poisoning vector for RAG-based systems.

experimental · Linux · AI/ML · T1565.001 · AI Security

OCI CLI Writing New Training Data From Object Storage

medium

Detects the OCI CLI being spawned from an LLM service process to download data from object storage to training or dataset paths. This pattern indicates an attempt to replace or supplement training data with potentially poisoned content from external storage.

experimental · Linux · AI/ML · T1105 · AI Security

LLM Dataset Replaced From Temporary Or User Home Path

high

Detects file copy, move, or rsync operations replacing training or embedding datasets with files sourced from temporary or user home directories. This is a classic pattern for staged data poisoning attacks.

experimental · Linux · AI/ML · T1565.001 · AI Security

LLM Service Spawning Shell With Inline Command

high

Detects LLM service processes spawning bash or sh with an inline -c command argument. This indicates model-generated or injected shell commands are being executed directly, representing a critical code injection risk.

experimental · Linux · AI/ML · T1059.004 · AI Security

LLM Service Launching SQL Client From Generated Workflow

medium

Detects LLM service processes spawning SQL clients (psql, mysql, sqlite3). SQL clients launched from model output suggest the service is executing model-generated queries without proper sanitisation, risking SQL injection via LLM output.

experimental · Linux · AI/ML · T1005 · AI Security

LLM Service Writing Web Executable Content

high

Detects LLM service processes writing PHP, JavaScript, or HTML files to web server root directories. This indicates the model may be generating and deploying web shells or malicious web content triggered by prompt injection.

experimental · Linux · AI/ML · T1505.003 · AI Security

LLM Service Invoking Curl Or Wget Based On Model Output

medium

Detects LLM service processes spawning curl or wget. These download utilities invoked from a model runtime suggest the LLM output or an injected prompt is directing network requests, potentially for C2 callback, payload download, or data exfiltration.

experimental · Linux · AI/ML · T1071.001 · AI Security

LLM Service Writing Files To Executable Or Cron Locations

high

Detects LLM service processes writing files to cron directories, /usr/local/bin/, or systemd unit paths. Writing to these persistence locations from an LLM runtime indicates that model output is being used to establish persistent code execution.

experimental · Linux · AI/ML · T1053.003 · T1547.001 · AI Security

LLM Service Invoking OCI Identity Or Policy Operations

high

Detects LLM service processes spawning the OCI CLI with IAM sub-commands (iam, policy, group, user, dynamic-group). An LLM invoking identity operations suggests excessive agency, where the model has been granted or has acquired the ability to modify cloud access controls.

experimental · Linux · AI/ML · T1548.003 · T1098 · AI Security

LLM Service Running Sudo Or Su

high

Detects LLM service processes spawning sudo or su to elevate privileges. Privilege escalation from an LLM runtime is a high-confidence indicator of excessive agency or a successful prompt injection achieving privilege escalation.

experimental · Linux · AI/ML · T1548.003 · AI Security

LLM Service Modifying Systemd Unit Or Service Config

high

Detects LLM service processes writing to systemd unit directories (/etc/systemd/system/, /lib/systemd/system/). Modifying service configurations enables persistent code execution and service manipulation, representing unacceptable excessive agency.

experimental · Linux · AI/ML · T1543.002 · AI Security

LLM Service Accessing Kubernetes Or OCI Cluster Config

high

Detects LLM service processes reading Kubernetes kubeconfig files or OCI Kubernetes Engine (OKE) configuration. Access to cluster credentials enables container orchestration control beyond the intended LLM service scope.

experimental · Linux · AI/ML · T1083 · T1552.001 · AI Security

LLM Service Creating Or Modifying SSH Authorized Keys

critical

Detects LLM service processes writing to SSH authorized_keys files. This is a critical indicator — adding attacker-controlled public keys enables persistent, password-less SSH access to the host, representing the most severe excessive agency outcome.

experimental · Linux · AI/ML · T1098.004 · AI Security

LLM Service Reading System Prompt Or Instruction Files

medium

Detects LLM service processes reading system prompt, instruction template, or guardrail configuration files. While reads during initialisation are expected, access during active request processing may indicate prompt extraction attempts.

experimental · Linux · AI/ML · T1005 · AI Security

LLM Service Copying Prompt Templates To Temp Or Public Path

high

Detects file copy or move operations targeting system prompt or guardrail files as sources, with destinations in temporary or web-accessible directories. This indicates staged exfiltration of confidential prompt material.

experimental · Linux · AI/ML · T1048 · AI Security

LLM Service Serving Prompt Files Through Web Root

high

Detects LLM service processes writing files containing 'prompt', 'system', or 'guardrail' in their name to web server root directories. This makes confidential prompt material directly accessible via HTTP.

experimental · Linux · AI/ML · T1048 · AI Security

LLM Service Uploading Prompt Or Policy Files To OCI Object Storage

high

Detects LLM service processes using the OCI CLI to upload prompt, system, or policy files to object storage. This represents exfiltration of confidential prompt material to cloud storage that may be accessible to unauthorised parties.

experimental · Linux · AI/ML · T1048.002 · AI Security

LLM Service Reading Secrets And Prompt Material In Same Execution Chain

medium

Detects LLM service processes spawning text utilities (cat, grep, sed) that reference both secret files and prompt configuration files in the same command, indicating combined credential and prompt material harvesting.

experimental · Linux · AI/ML · T1005 · T1552.001 · AI Security

LLM Service Modifying Vector Database Files

high

Detects LLM service processes writing to vector database files (FAISS, SQLite, Parquet, JSONL) in vector or embedding directories. Direct modification of vector stores can inject poisoned embeddings that corrupt RAG retrieval results.

experimental · Linux · AI/ML · T1565.001 · AI Security

LLM Service Downloading Embeddings Or Index Files From External Host

medium

Detects curl, wget, or Python processes downloading files with embedding or vector index extensions from external hosts not in the OCI baseline. This pattern indicates replacement of the vector store with externally sourced, potentially poisoned content.

experimental · Linux · AI/ML · T1105 · AI Security

LLM Service Replacing Retrieval Index From Temp Path

high

Detects file copy, move, or rsync operations replacing vector or embedding index files with content sourced from temporary directories. This staged replacement pattern indicates an in-flight vector store poisoning attack.

experimental · Linux · AI/ML · T1565.001 · AI Security

Unexpected Access To Retrieval Cache Or Memory Store

medium

Detects LLM service processes accessing cache, memory, retrieval, or RAG directories at unusual times or with unusual frequency. Anomalous access to these components may indicate probing of the retrieval layer for vulnerability assessment or data extraction.

experimental · Linux · AI/ML · T1005 · AI Security

LLM Service Network Connection To External Vector Or Search Platform

medium

Detects LLM service processes connecting to external vector database or search platforms (Pinecone, Weaviate, Qdrant, Milvus, Elasticsearch) outside the approved OCI baseline. Unapproved connections may indicate data exfiltration or use of attacker-controlled vector stores.

experimental · Linux · AI/ML · T1071.001 · AI Security

LLM Service Writing Answer Cache Outside Approved Path

medium

Detects LLM service processes writing response or answer cache files to paths outside the approved application directories. Caching model responses in unexpected locations may indicate manipulation of cached answers to serve attacker-controlled misinformation.

experimental · Linux · AI/ML · T1565.001 · AI Security

LLM Service Updating Policy Or Moderation Rules Before Serving

medium

Detects LLM service processes writing to moderation, policy, safety rule, or response filter files. Runtime modification of these controls can disable safety guardrails, enabling the model to produce harmful or misleading outputs.

experimental · Linux · AI/ML · T1562.001 · AI Security

LLM Service Pulling External Content For Response Enrichment

medium

Detects LLM service processes spawning curl or wget during request handling. Fetching external content for response enrichment introduces an uncontrolled information source that may inject false, attacker-controlled, or outdated facts into model responses.

experimental · Linux · AI/ML · T1005 · AI Security

LLM Service Replacing Retrieval Corpus Files

high

Detects LLM service processes writing to knowledge base, corpus, or RAG document index directories. Replacement of the retrieval corpus is a direct mechanism for injecting misinformation into RAG-grounded LLM responses.

experimental · Linux · AI/ML · T1565.001 · AI Security

LLM Service Uploading Generated Content To OCI Object Storage

medium

Detects LLM service processes using the OCI CLI to upload response, answer, summary, or report files to object storage. Publishing model-generated content to shared storage may distribute misinformation or attacker-influenced outputs at scale.

experimental · Linux · AI/ML · T1048.002 · AI Security

LLM Service Excessive Child Process Creation

low

Detects unusually high rates of child process creation from LLM service processes. Excessive process spawning may indicate an unbounded consumption attack where the model is being directed to execute repeated tasks, consuming host resources.

experimental · Linux · AI/ML · T1499.004 · AI Security

LLM Service Repeated External Network Connections

low

Detects high rates of outbound network connections from LLM service processes. A flood of connections may indicate the model is executing repeated external API calls, data exfiltration loops, or C2 beaconing triggered by an unbounded consumption attack.

experimental · Linux · AI/ML · T1499.002 · AI Security

LLM Service Rapid Writes To Cache Or Temp Directories

low

Detects high rates of file writes from LLM service processes to cache or temporary directories. Rapid writes may indicate an unbounded consumption attack that is flooding the disk, potentially causing storage exhaustion or degrading host performance.

experimental · Linux · AI/ML · T1499.004 · AI Security

LLM Service Launching Multiple OCI CLI Commands

low

Detects high rates of OCI CLI invocations from LLM service processes within a short time window. Repeated OCI CLI calls may indicate the model is executing unbounded cloud API operations, consuming OCI API quotas or generating unexpected cloud costs.

experimental · Linux · AI/ML · T1499.004 · AI Security

LLM Service Recursive Self-Spawn

high

Detects an LLM service process that is both the parent and child in a process creation event, indicating recursive self-spawning. This fork-bomb pattern can exhaust process table limits and system resources, causing a complete host denial of service.

experimental · Linux · AI/ML · T1499.004 · AI Security