Detection Library
medium · experimental · Linux · OCI · T1059

Linux Agent Invoking Perl Ruby Or PHP Interpreters

Detects AI agent runtimes spawning alternative scripting interpreters (Perl, Ruby, PHP), which may indicate code being executed in a language chosen to evade detection rules centred on Python and Node.js.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · code-execution · perl · ruby · php · linux · oci · owasp-asi05

Problem Statement

Most AI agent runtimes are Python- or Node.js-based, so there is normally no legitimate reason for them to invoke Perl, Ruby, or PHP. Use of these interpreters from an agent process suggests an attacker is trying to execute scripts in a language that may escape security controls focused on Python and Node.js.

Sample Logs

{"timestamp":"2025-01-10T09:30:00Z","computer_name":"oci-worker-23","user":"agent_svc","image":"/usr/bin/perl","command_line":"perl -e 'use Socket;...'","parent_image":"/usr/bin/python3"}

Required Fields

image
command_line
parent_image
user
computer_name

False Positives

  • Agents that coordinate legacy scripts requiring Perl or Ruby interpreters as part of a multi-language workflow

Tuning Guidance

These interpreters have very limited legitimate use cases in agent environments. Treat all occurrences as high-priority events requiring analyst review unless explicitly whitelisted.
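The following is an added worked example of the detection logic described on this page, run over the sample log above plus a few constructed events; it is illustrative code written for this page, not the OCI AI Security Team's rule implementation. It assumes the required fields listed above, treats any parent whose basename starts with python or node as an agent runtime (the page names the runtimes; the binary-name prefixes are this example's assumption), and models the "explicitly whitelisted" exception from the tuning guidance as an allowlist of (user, computer_name) pairs.

```python
import json
import os
import re

# Fields the rule needs, as listed under "Required Fields" on this page.
REQUIRED_FIELDS = ("image", "command_line", "parent_image", "user", "computer_name")

# Interpreter binaries the rule flags; versioned names such as php8.2 or perl5 also match.
ALT_INTERPRETER_RE = re.compile(r"^(perl|ruby|php)(?:[\d.-]|$)")
# Parent processes treated as agent runtimes. Assumption for this example: the page
# names Python and Node.js; the binary-name prefixes below are ours.
AGENT_RUNTIME_RE = re.compile(r"^(python|node)(?:[\d.]|$)")


def _basename(path):
    """Lower-cased final path component, tolerant of a missing value."""
    return os.path.basename(path or "").lower()


def matches_rule(event, allowlist=frozenset()):
    """Return True when an agent runtime spawned Perl, Ruby or PHP and the
    (user, computer_name) pair has not been explicitly allowlisted."""
    if any(event.get(field) is None for field in REQUIRED_FIELDS):
        return False  # incomplete telemetry: cannot evaluate, so do not alert
    if (event["user"], event["computer_name"]) in allowlist:
        return False  # tuned-out host/user pair (multi-language legacy workflow)
    return bool(ALT_INTERPRETER_RE.match(_basename(event["image"]))
                and AGENT_RUNTIME_RE.match(_basename(event["parent_image"])))


def scan(lines, allowlist=frozenset()):
    """Parse newline-delimited JSON events and return the alerts the rule raises."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stall the pipeline
        if matches_rule(event, allowlist):
            alerts.append({
                "severity": "medium",
                "technique": "T1059",
                "computer_name": event["computer_name"],
                "user": event["user"],
                "image": event["image"],
                "parent_image": event["parent_image"],
                "command_line": event["command_line"],
            })
    return alerts


# Constructed sample events: the first is the page's own sample log; the rest were
# made up for this example to show a non-agent parent, an unrelated child, and a
# second hit on another host.
SAMPLE_EVENTS = [
    '{"timestamp":"2025-01-10T09:30:00Z","computer_name":"oci-worker-23","user":"agent_svc",'
    '"image":"/usr/bin/perl","command_line":"perl -e \'use Socket;...\'","parent_image":"/usr/bin/python3"}',
    '{"timestamp":"2025-01-10T09:31:00Z","computer_name":"oci-worker-23","user":"root",'
    '"image":"/usr/bin/perl","command_line":"perl /usr/lib/logrotate.pl","parent_image":"/usr/sbin/cron"}',
    '{"timestamp":"2025-01-10T09:32:00Z","computer_name":"oci-worker-23","user":"agent_svc",'
    '"image":"/bin/bash","command_line":"bash -c ls","parent_image":"/usr/bin/python3.11"}',
    '{"timestamp":"2025-01-10T09:33:00Z","computer_name":"oci-worker-07","user":"agent_svc",'
    '"image":"/usr/local/bin/php8.2","command_line":"php8.2 legacy/report.php","parent_image":"/usr/bin/node"}',
]

if __name__ == "__main__":
    # Two alerts: the perl child of python3 and the php8.2 child of node.
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
    # With oci-worker-07 / agent_svc allowlisted, only the first alert remains.
    print(len(scan(SAMPLE_EVENTS, allowlist={("agent_svc", "oci-worker-07")})))
```

Matching on the parent's basename rather than the full path keeps the rule robust to interpreters installed under /usr/local or inside a virtualenv; the allowlist is deliberately keyed on both user and host so that tuning out one legacy workflow does not silence the rule fleet-wide.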