Detection Library
high · experimental · Linux · OCI · T1105

Linux Agent Dropping And Launching Executable Content

Detects AI agent processes writing executable files (binaries, scripts with execute permissions) to disk, which is the dropper stage of an agent-mediated malware delivery attack.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · code-execution · dropper · linux · oci · owasp-asi05

Problem Statement

Dropping executable binaries to disk and launching them is the most direct way to achieve persistent code execution outside the agent's Python/Node runtime. This behavior indicates the agent has been used as a dropper for traditional malware targeting the underlying OCI compute instance.

Sample Logs

{"timestamp":"2025-01-10T13:45:00Z","computer_name":"oci-worker-22","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/tmp/implant.elf","event_type":"CreateFile"}

Required Fields

image
target_filename
user
computer_name

False Positives

  • Python ctypes or cffi usage that compiles and writes shared objects (.so) as part of native extension loading
  • Legitimate native binary tools extracted from Python wheels during installation

Tuning Guidance

Pair file drop events with subsequent execution events for the same filename on the same host. Alert with high confidence only when a drop is followed by execution of that file. Hash newly written binaries and suppress alerts for those on a known-good allowlist.
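The drop-then-execute correlation described above, as an added example that is not part of the detection library's own rule logic. It assumes an execution event shaped like the CreateFile sample but with event_type "ProcessCreate" and "image" set to the launched file, a "sha256" field on file events, a placeholder hash allowlist, and an assumed set of agent runtime paths; every event below is constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry. The first CreateFile record mirrors the page's sample log;
# the ProcessCreate shape, the sha256 field and the HASH_* values are assumptions/placeholders.
SAMPLE_LOGS = [
    '{"timestamp":"2025-01-10T13:45:00Z","computer_name":"oci-worker-22","user":"agent_svc",'
    '"image":"/usr/bin/python3","target_filename":"/tmp/implant.elf","event_type":"CreateFile","sha256":"HASH_A"}',
    '{"timestamp":"2025-01-10T13:45:09Z","computer_name":"oci-worker-22","user":"agent_svc",'
    '"image":"/tmp/implant.elf","event_type":"ProcessCreate"}',
    # A drop with no follow-up execution (e.g. a wheel extracting a .so): must not alert.
    '{"timestamp":"2025-01-10T13:50:00Z","computer_name":"oci-worker-22","user":"agent_svc",'
    '"image":"/usr/bin/python3","target_filename":"/opt/venv/lib/_cffi_backend.so","event_type":"CreateFile","sha256":"HASH_B"}',
    # Drop-then-execute of a binary on the allowlist: suppressed by hash.
    '{"timestamp":"2025-01-10T13:52:00Z","computer_name":"oci-worker-22","user":"agent_svc",'
    '"image":"/usr/bin/python3","target_filename":"/tmp/approved-tool","event_type":"CreateFile","sha256":"HASH_ALLOWLISTED"}',
    '{"timestamp":"2025-01-10T13:52:03Z","computer_name":"oci-worker-22","user":"agent_svc",'
    '"image":"/tmp/approved-tool","event_type":"ProcessCreate"}',
]

AGENT_IMAGES = {"/usr/bin/python3", "/usr/bin/node"}  # agent runtimes to watch (assumed)
KNOWN_GOOD_SHA256 = {"HASH_ALLOWLISTED"}               # placeholder allowlist of vetted binaries
WINDOW = timedelta(minutes=10)                         # max gap between drop and execution


def parse(line):
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
    return ev


def correlate(lines, window=WINDOW, allowlist=KNOWN_GOOD_SHA256):
    """Return high-confidence alerts: an agent-written file later executed on the same host."""
    pending = {}  # (computer_name, path) -> most recent drop of that path by an agent runtime
    alerts = []
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        host = ev["computer_name"]
        if ev["event_type"] == "CreateFile" and ev["image"] in AGENT_IMAGES:
            pending[(host, ev["target_filename"])] = ev
        elif ev["event_type"] == "ProcessCreate":
            drop = pending.pop((host, ev["image"]), None)
            if drop is None or ev["ts"] - drop["ts"] > window:
                continue  # no recent agent drop of this path on this host
            if drop.get("sha256") in allowlist:
                continue  # known-good binary, do not alert
            alerts.append({"severity": "high", "computer_name": host, "user": drop["user"],
                           "filename": ev["image"], "dropped_by": drop["image"],
                           "seconds_to_exec": (ev["ts"] - drop["ts"]).total_seconds()})
    return alerts
```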