Detection Library
medium · experimental · Linux · OCI · T1560

Linux Agent Compressing User Data

Detects AI agent runtimes spawning archive utilities (tar, zip, gzip) which may indicate data staging prior to exfiltration, a common tool misuse pattern in AI agent attacks.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · tool-misuse · archiving · data-staging · linux · oci · owasp-asi02

Problem Statement

Data compression is a standard pre-exfiltration step. AI agents performing compression operations on user data or sensitive directories indicate that they have been redirected to collect and stage information for unauthorized transfer.

Sample Logs

{"timestamp":"2025-01-10T14:55:00Z","computer_name":"oci-worker-07","user":"agent_svc","image":"/bin/tar","command_line":"tar czf /tmp/data_exfil.tar.gz /home/agent_svc/documents/","parent_image":"/usr/bin/python3"}

Required Fields

image
command_line
parent_image
user
computer_name

False Positives

  • Data processing pipelines that compress output files as part of normal workflow
  • Backup agents that archive logs or application data

Tuning Guidance

Correlate compression events with subsequent network transfers. Alert specifically when archive targets include home directories, credential paths, or cloud config files.
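As an added example, not part of this library entry, the rule and its tuning guidance implemented as a small Python matcher over the sample event above plus two constructed events (a versioned python3 parent and a cron-driven backup). The set of parent basenames treated as agent runtimes and the list of sensitive path markers are assumptions, not values from the page.

```python
import json
import os
import shlex

# Archive utilities named by the rule, matched on the basename of `image`.
ARCHIVE_TOOLS = {"tar", "zip", "gzip"}
# Parent basenames treated as AI agent runtimes (assumption: the page shows only python3).
AGENT_RUNTIMES = {"python3", "python", "node"}
# Tuning guidance targets: home directories, credential paths, cloud config files (assumed list).
SENSITIVE_PREFIXES = ("/home/", "/root/", "/etc/")
SENSITIVE_MARKERS = (".ssh/", ".aws/", ".oci/", ".kube/", "credentials", ".env")

# Constructed sample events: the page's own line first, then two assumed ones.
SAMPLE_LOGS = [
    '{"timestamp":"2025-01-10T14:55:00Z","computer_name":"oci-worker-07","user":"agent_svc","image":"/bin/tar",'
    '"command_line":"tar czf /tmp/data_exfil.tar.gz /home/agent_svc/documents/","parent_image":"/usr/bin/python3"}',
    '{"timestamp":"2025-01-10T15:02:11Z","computer_name":"oci-worker-07","user":"agent_svc","image":"/usr/bin/gzip",'
    '"command_line":"gzip -k /var/tmp/agent_output.csv","parent_image":"/usr/bin/python3.11"}',
    '{"timestamp":"2025-01-10T02:00:00Z","computer_name":"oci-worker-07","user":"backup","image":"/bin/tar",'
    '"command_line":"tar czf /backup/home-20250110.tgz /home/","parent_image":"/usr/sbin/cron"}',
]

def archive_targets(command_line):
    # Path arguments of an archive command: the archive itself and the inputs.
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: nothing parsable, treat as no targets
        return []
    args = argv[1:]
    # tar accepts an old-style option bundle with no leading dash, e.g. "czf"
    if argv and os.path.basename(argv[0]) == "tar" and args and not args[0].startswith("-") and "/" not in args[0]:
        args = args[1:]
    return [a for a in args if not a.startswith("-")]

def is_sensitive(path):
    return path.startswith(SENSITIVE_PREFIXES) or any(m in path for m in SENSITIVE_MARKERS)

def evaluate(event):
    # Base rule: archive tool spawned by an agent runtime; tuning raises severity on sensitive targets.
    image = os.path.basename(event.get("image", ""))
    parent = os.path.basename(event.get("parent_image", "")).split(".")[0]  # python3.11 -> python3
    if image not in ARCHIVE_TOOLS or parent not in AGENT_RUNTIMES:
        return None
    targets = archive_targets(event.get("command_line", ""))
    sensitive = [t for t in targets if is_sensitive(t)]
    return {"host": event.get("computer_name"), "user": event.get("user"),
            "severity": "high" if sensitive else "medium", "sensitive": sensitive}

def scan(lines):
    # Run the rule over raw JSON log lines and return the matches in order.
    return [hit for hit in (evaluate(json.loads(line)) for line in lines) if hit]
```

The page's event is returned as a high-severity match because its input path sits under /home/, the gzip event matches the base rule only, and the cron-driven backup does not match at all.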