Detection Library
medium · experimental · Linux · OCI · T1552.007

Linux Agent Invoking Credential Enumeration Commands

Detects AI agent processes running commands associated with credential discovery and enumeration (env, printenv, id, whoami, getent), which may indicate an agent performing reconnaissance on its execution environment.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · credential-access · enumeration · reconnaissance · linux · oci · owasp-asi03

Problem Statement

Systematic enumeration of the execution environment (identity, environment variables, group memberships) is a reconnaissance step that precedes privilege escalation or credential theft. An AI agent performing this enumeration suggests it has been redirected to gather information about its operating context.

Sample Logs

{"timestamp":"2025-01-10T10:05:40Z","computer_name":"oci-worker-14","user":"agent_svc","image":"/usr/bin/env","command_line":"env","parent_image":"/usr/bin/python3"}

Required Fields

image
command_line
parent_image
user
computer_name

False Positives

  • Agent startup routines that call whoami or id to confirm their operating identity
  • Diagnostic tooling that dumps environment variables for debugging

Tuning Guidance

Suppress single occurrences at agent startup. Alert on repeated or mid-session invocations, or when multiple enumeration commands are run in sequence within a short time window.
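The following is an added worked example, not part of the detection library entry or of any OCI tooling. It applies the rule and the tuning guidance above to log lines in the Sample Logs format: an event counts as agent enumeration when its parent_image is an agent runtime and the executed binary is one of env, printenv, id, whoami or getent; a single call shortly after the first event for a (computer_name, user) pair is treated as startup and suppressed; a call later than that window, or two or more calls within a short window, raises an alert. The agent parent image set (only /usr/bin/python3, taken from the sample), the 30-second startup grace period, the 60-second sequence window, and the log lines other than the page's own sample are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration binaries named in the rule description.
ENUM_COMMANDS = {"env", "printenv", "id", "whoami", "getent"}

# Assumption: parent images that identify an AI agent runtime. The page's sample
# only shows /usr/bin/python3; a real deployment would pin this to the agent binary.
AGENT_PARENT_IMAGES = {"/usr/bin/python3"}

STARTUP_GRACE = timedelta(seconds=30)  # assumed: one call this soon after first sight is startup noise
WINDOW = timedelta(seconds=60)         # assumed: "short time window" for sequences of enumeration calls
SEQUENCE_THRESHOLD = 2                 # repeated or multiple distinct commands within WINDOW

# Constructed log lines in the page's sample format; only the first is the page's own sample.
SAMPLE_LOGS = [
    '{"timestamp":"2025-01-10T10:00:00Z","computer_name":"oci-worker-15","user":"agent_svc","image":"/usr/bin/whoami","command_line":"whoami","parent_image":"/usr/bin/python3"}',
    '{"timestamp":"2025-01-10T10:00:00Z","computer_name":"oci-worker-16","user":"agent_svc","image":"/usr/bin/id","command_line":"/usr/bin/id -u","parent_image":"/usr/bin/python3"}',
    '{"timestamp":"2025-01-10T10:00:05Z","computer_name":"oci-worker-15","user":"agent_svc","image":"/usr/bin/id","command_line":"id","parent_image":"/usr/bin/python3"}',
    '{"timestamp":"2025-01-10T10:01:00Z","computer_name":"oci-worker-15","user":"opc","image":"/usr/bin/env","command_line":"env","parent_image":"/bin/bash"}',
    '{"timestamp":"2025-01-10T10:05:40Z","computer_name":"oci-worker-14","user":"agent_svc","image":"/usr/bin/env","command_line":"env","parent_image":"/usr/bin/python3"}',
    '{"timestamp":"2025-01-10T10:06:00Z","computer_name":"oci-worker-14","user":"agent_svc","image":"/usr/bin/ls","command_line":"ls -la /tmp","parent_image":"/usr/bin/python3"}',
    '{"timestamp":"2025-01-10T10:20:00Z","computer_name":"oci-worker-16","user":"agent_svc","image":"/usr/bin/env","command_line":"env","parent_image":"/usr/bin/python3"}',
]


def parse_event(line):
    """Parse one JSON log line; add a timezone-aware timestamp and the executed binary's basename."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
    argv = ev["command_line"].split()
    ev["cmd"] = argv[0].rsplit("/", 1)[-1] if argv else ""
    return ev


def is_enumeration(ev):
    """True when an agent runtime spawned one of the credential-enumeration binaries."""
    image_name = ev["image"].rsplit("/", 1)[-1]
    spawned_by_agent = ev["parent_image"] in AGENT_PARENT_IMAGES
    return spawned_by_agent and (image_name in ENUM_COMMANDS or ev["cmd"] in ENUM_COMMANDS)


def evaluate(lines):
    """Apply the tuning guidance and return a list of alerts.

    - first enumeration call for a (host, user) pair within STARTUP_GRACE: suppressed
    - a call more than STARTUP_GRACE after first sight: mid-session, alert
    - SEQUENCE_THRESHOLD or more calls inside WINDOW: alert even during startup
    """
    first_seen = {}
    recent = defaultdict(list)  # key -> [(ts, cmd), ...] within WINDOW
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not is_enumeration(ev):
            continue
        key = (ev["computer_name"], ev["user"])
        first_seen.setdefault(key, ev["ts"])
        recent[key] = [(t, c) for t, c in recent[key] if ev["ts"] - t <= WINDOW]
        recent[key].append((ev["ts"], ev["cmd"]))

        if ev["ts"] - first_seen[key] > STARTUP_GRACE:
            reason = "mid-session enumeration"
        elif len(recent[key]) >= SEQUENCE_THRESHOLD:
            reason = "multiple enumeration commands within window"
        else:
            continue  # single startup-time call: suppressed per tuning guidance

        alerts.append({
            "timestamp": ev["timestamp"],
            "computer_name": ev["computer_name"],
            "user": ev["user"],
            "reason": reason,
            "commands": [c for _, c in recent[key]],
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS):
        print(json.dumps(alert))
```

Run as a script, the block prints two alerts: one for oci-worker-15, where whoami and id run five seconds apart, and one for oci-worker-16, where a second enumeration call arrives twenty minutes after the suppressed startup call. The page's own sample event on oci-worker-14 is a lone call and stays suppressed, and the env run under /bin/bash never matches because its parent is not an agent runtime. In production the startup anchor should come from the agent's own start event rather than from first sight in the log stream, which is the simplification made here.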