Detection Library
High · Experimental · Linux · OCI · T1485
Linux Agent Invoking OCI CLI With Destructive Verbs
Detects AI agent processes executing OCI CLI commands with destructive action verbs (delete, terminate, disable, purge), indicating potential misuse of cloud management tools to destroy infrastructure or data.
Updated Jan 10, 2025 · OCI AI Security Team
agentic-ai · tool-misuse · oci-cli · destructive · linux · oci · owasp-asi02
Problem Statement
OCI CLI delete and terminate commands can irreversibly destroy compute instances, storage buckets, and databases. An AI agent issuing these commands represents an extreme risk of infrastructure destruction, whether through prompt injection or a compromised tool specification.
Sample Logs
{"timestamp":"2025-01-10T10:22:30Z","computer_name":"oci-worker-06","user":"agent_svc","image":"/usr/local/bin/oci","command_line":"oci compute instance terminate --instance-id ocid1.instance.oc1..aaaa --force","parent_image":"/usr/bin/python3"}
Required Fields
image
command_line
parent_image
parent_command_line
user
computer_name
False Positives
- Legitimate infrastructure management agents that perform scheduled cleanup of expired resources
- DevOps automation pipelines that tear down test environments using OCI CLI
Tuning Guidance
Implement a change management allowlist: only flag OCI CLI destructive commands that occur outside approved maintenance windows or from unrecognized parent processes.
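The detection logic together with the tuning allowlist described above, as an added Python example that is not part of this detection library entry. It runs over JSON process events with the required fields; the approved parent process, the maintenance window and the second and third sample events are constructed assumptions, only the first sample event is the page's own.

```python
import json
from datetime import datetime, timezone

# Destructive OCI CLI verbs named in the detection.
DESTRUCTIVE_VERBS = {"delete", "terminate", "disable", "purge"}

# Tuning allowlist (constructed, an assumption of this example): parent processes
# approved to run destructive commands, and the maintenance window as [start, end) UTC hours.
APPROVED_PARENTS = {"/usr/bin/ansible-playbook"}
MAINTENANCE_WINDOW_UTC = (2, 4)

def destructive_verb(command_line):
    # OCI CLI syntax is `oci <service> <resource> <action> [--options]`: scan only the
    # positional tokens, so a verb inside an option value (--display-name delete-me) is ignored.
    for tok in command_line.split()[1:]:
        if tok.startswith("-"):
            break
        if hit := set(tok.split("-")) & DESTRUCTIVE_VERBS:  # also catches bulk-delete
            return hit.pop()
    return None

def in_maintenance_window(timestamp):
    hour = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).astimezone(timezone.utc).hour
    start, end = MAINTENANCE_WINDOW_UTC
    return start <= hour < end

def evaluate(event):
    # Returns an alert dict for a destructive OCI CLI event, or None if benign or allowlisted.
    if event.get("image", "").rsplit("/", 1)[-1] != "oci":  # match the binary, not its install path
        return None
    verb = destructive_verb(event.get("command_line", ""))
    if verb is None:
        return None
    parent = event.get("parent_image", "")
    if parent in APPROVED_PARENTS and in_maintenance_window(event["timestamp"]):
        return None  # approved change, suppressed per the tuning guidance
    return {"host": event["computer_name"], "user": event["user"], "verb": verb,
            "parent_image": parent, "command_line": event["command_line"]}

def scan(log_lines):
    return [a for a in (evaluate(json.loads(line)) for line in log_lines) if a]

# Constructed sample events: the first is the page's own sample log, the others are made up.
SAMPLE_LOGS = [
    '{"timestamp":"2025-01-10T10:22:30Z","computer_name":"oci-worker-06","user":"agent_svc","image":"/usr/local/bin/oci","command_line":"oci compute instance terminate --instance-id ocid1.instance.oc1..aaaa --force","parent_image":"/usr/bin/python3"}',
    '{"timestamp":"2025-01-10T03:05:00Z","computer_name":"oci-worker-02","user":"deploy","image":"/usr/bin/oci","command_line":"oci os object bulk-delete --bucket-name test-env --force","parent_image":"/usr/bin/ansible-playbook"}',
    '{"timestamp":"2025-01-10T03:06:00Z","computer_name":"oci-worker-06","user":"agent_svc","image":"/usr/local/bin/oci","command_line":"oci compute instance list --compartment-id ocid1.compartment.oc1..bbbb","parent_image":"/usr/bin/python3"}',
]
```

Only the agent-spawned terminate fires; the pipeline's bulk-delete inside the window is suppressed, and a destructive command from an unrecognized parent still alerts even inside the window.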