mediumexperimentalLinuxOCIT1566

Linux Agent Creating Approval Or Authorization Themed Files

Detects AI agent processes creating files with names suggesting urgency, approval requests, or authorization actions, which may be an attempt to socially engineer human operators into approving malicious agent actions.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-aitrust-exploitationsocial-engineeringapproval-fraudlinuxociowasp-asi09

Problem Statement

AI agents that create files with approval or urgency keywords may be attempting to manipulate human operators into granting permissions or taking actions that serve the attacker's goals. This represents a human-AI trust exploitation attack where the agent is weaponized for social engineering.

Sample Logs

{"timestamp":"2025-01-10T16:30:00Z","computer_name":"oci-desktop-04","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/home/operator/Desktop/URGENT_approval_required.txt","event_type":"CreateFile"}

Required Fields

image

target_filename

user

computer_name

False Positives

·Legitimate workflow automation agents that create approval request files as part of a documented ITSM integration

Tuning Guidance

Alert specifically on files created in user-visible locations (Desktop, home directory, shared drives). Alert on broader keyword matches for files created in system directories.