medium · experimental · Linux · OCI · T1059.004

Linux Agent Running User Downloaded Scripts

Detects AI agent processes executing scripts located in user download directories, which may indicate execution of malicious content retrieved from the internet as part of a hijacked agent task.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · code-execution · downloads · linux · oci · owasp-asi05

Problem Statement

Executing downloaded scripts without verification is a fundamental security risk. An AI agent that downloads and executes scripts may have been directed via prompt injection to retrieve and run attacker-controlled code from the internet.

Sample Logs

{"timestamp":"2025-01-10T15:00:00Z","computer_name":"oci-desktop-02","user":"agent_svc","image":"/home/agent_svc/Downloads/install.sh","command_line":"/home/agent_svc/Downloads/install.sh"}

Required Fields

image
command_line
user
computer_name

False Positives

  • Users who legitimately download and run installation scripts as part of software setup tasks

Tuning Guidance

Alert when the downloading agent process and executing agent process are the same (download followed by execute within a short window). Suppress known-safe installer scripts by hash.
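
The tuning guidance above, sketched as detection logic over constructed log lines. This is an added example, not the rule's own implementation. The `event_type`, `file_path`, `agent_pid` and `sha256` fields, the five-minute window and the hash placeholders are assumptions that are not part of the rule's required fields. It also goes slightly beyond the sample log by matching a Downloads script passed as an interpreter argument in `command_line`.

```python
import json
import re
from datetime import datetime, timedelta

# Script path under a user's Downloads directory (assumed layout: /home/<user> or /root).
DOWNLOADS_RE = re.compile(r"(?:/home/[^/\s]+|/root)/Downloads/\S+")
WINDOW = timedelta(minutes=5)                  # assumed length of the "short window"
KNOWN_SAFE_SHA256 = {"CONSTRUCTED-SAFE-HASH"}  # placeholder, not a real hash

# Constructed events; event_type, file_path, agent_pid and sha256 are assumed fields.
SAMPLE_LOGS = """\
{"timestamp":"2025-01-10T14:58:30Z","event_type":"file_download","computer_name":"oci-desktop-02","user":"agent_svc","agent_pid":4120,"file_path":"/home/agent_svc/Downloads/install.sh"}
{"timestamp":"2025-01-10T15:00:00Z","computer_name":"oci-desktop-02","user":"agent_svc","agent_pid":4120,"sha256":"CONSTRUCTED-UNKNOWN-HASH","image":"/home/agent_svc/Downloads/install.sh","command_line":"/home/agent_svc/Downloads/install.sh"}
{"timestamp":"2025-01-10T15:10:00Z","event_type":"file_download","computer_name":"oci-desktop-02","user":"agent_svc","agent_pid":4120,"file_path":"/home/agent_svc/Downloads/vendor-setup.sh"}
{"timestamp":"2025-01-10T15:10:20Z","computer_name":"oci-desktop-02","user":"agent_svc","agent_pid":4120,"sha256":"CONSTRUCTED-SAFE-HASH","image":"/home/agent_svc/Downloads/vendor-setup.sh","command_line":"/home/agent_svc/Downloads/vendor-setup.sh"}
{"timestamp":"2025-01-10T16:00:00Z","computer_name":"oci-desktop-02","user":"alice","image":"/usr/bin/bash","command_line":"bash /home/alice/Downloads/setup.sh --yes"}
""".splitlines()

def _ts(event):
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))

def detect(lines, require_download=True):
    """Return exec events for scripts under Downloads, after allowlist and correlation tuning."""
    events = sorted((json.loads(line) for line in lines if line.strip()), key=_ts)
    downloads, alerts = {}, []   # downloads: (host, agent_pid, path) -> download time
    for ev in events:
        host, pid = ev["computer_name"], ev.get("agent_pid")
        if ev.get("event_type") == "file_download":
            downloads[(host, pid, ev["file_path"])] = _ts(ev)
            continue
        # Match the script whether it is the image itself or an interpreter argument.
        m = DOWNLOADS_RE.search(ev.get("image", "")) or DOWNLOADS_RE.search(ev.get("command_line", ""))
        if not m or ev.get("sha256") in KNOWN_SAFE_SHA256:
            continue             # not a Downloads script, or a known-safe installer
        fetched = downloads.get((host, pid, m.group(0)))
        # Same agent process downloaded this path shortly before executing it.
        correlated = fetched is not None and _ts(ev) - fetched <= WINDOW
        if correlated or not require_download:
            alerts.append({"host": host, "user": ev["user"],
                           "script": m.group(0), "correlated": correlated})
    return alerts
```

With `require_download=True` only the download-then-execute case alerts; setting it to `False` shows the untuned rule, which also fires on the interactive user's installer run listed under False Positives.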