mediumexperimentalLinuxOCIT1059.004

Linux Agent Writing Temporary Execution Script

Detects AI agent runtimes writing script files to temporary directories, a common pattern when an agent has been hijacked into generating and executing arbitrary code payloads.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-aiscript-droppertemp-pathlinuxociowasp-asi01

Problem Statement

Writing executable scripts to temporary directories is a classic dropper behavior. When an AI agent performs this action it suggests the agent has been prompted to generate and stage code for execution, bypassing normal code review and deployment controls.

Sample Logs

{"timestamp":"2025-01-10T16:05:12Z","computer_name":"oci-worker-04","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/tmp/agent_exec_7f3a2.sh","event_type":"file_create"}

Required Fields

image

target_filename

user

computer_name

False Positives

·Legitimate Python-based build or test frameworks writing temporary helper scripts
·Data pipeline tooling that writes intermediate transformation scripts to /tmp

Tuning Guidance

Correlate file write events with subsequent execution of the same filename to increase confidence. Suppress writes by known build service accounts.