highexperimentalLinuxOCIT1059.004

Linux Agent Executing From Temporary Or Shared Memory Paths

Detects AI agent runtimes spawning processes from temporary or shared memory paths (/tmp, /dev/shm), indicating execution of dynamically dropped payloads — a hallmark of fileless malware or prompt-injection-driven code execution.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-aicode-executiontemp-pathfilelesslinuxociowasp-asi05

Problem Statement

Execution from /tmp or /dev/shm is the defining behavior of a dropper attack. When an AI agent spawns processes from these paths it indicates the agent has been directed to download, stage, and execute an unauthorized payload — a critical security event requiring immediate investigation.

Sample Logs

{"timestamp":"2025-01-10T16:20:00Z","computer_name":"oci-worker-20","user":"agent_svc","image":"/tmp/agent_payload_x7k2","command_line":"/tmp/agent_payload_x7k2","parent_image":"/usr/bin/python3"}

Required Fields

image

command_line

parent_image

user

computer_name

False Positives

·Test frameworks that compile and execute temporary test binaries in /tmp
·Some legitimate agent frameworks that extract bundled native extensions to /tmp at startup

Tuning Guidance

Use noexec mount options on /tmp and /dev/shm where possible to prevent execution. Alert on executions from these paths in environments where noexec cannot be enforced.