Linux Agent Dropping User-Facing Scripts On Desktop
Detects AI agent processes creating script files (.sh, .desktop, .url, .py) in user Desktop directories, which may represent an attempt to trick users into executing malicious scripts by placing them in a visible, trusted location.
Updated Jan 10, 2025 · OCI AI Security Team
Problem Statement
Placing executable scripts on a user's Desktop exploits the trust users place in their local filesystem. When a human sees a file created by an agent they trust, they are likely to execute it without scrutiny, giving the attacker the ability to run arbitrary code under the user's identity.
Sample Logs
{"timestamp":"2025-01-10T15:50:00Z","computer_name":"oci-desktop-07","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/home/operator/Desktop/run_me_urgent.sh","event_type":"CreateFile"}
Required Fields
False Positives
- Legitimate desktop management agents that place shortcut files on the desktop as part of application deployment
Tuning Guidance
This detection has very low false positive potential in headless server environments. In desktop environments, alert on all executable file types placed on the Desktop by agent processes.
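The detection logic described above, run over JSON file-creation events, as an added example that is not part of the original rule page. It assumes the field names shown in the sample log (`image`, `target_filename`, `event_type`), a hypothetical set of process images treated as AI agent runtimes, and a hypothetical allowlist for the legitimate desktop-management agents named under False Positives; all log lines other than the page's own sample are constructed for the demonstration.

```python
import json
import posixpath

RULE_NAME = "Linux Agent Dropping User-Facing Scripts On Desktop"

# File types named by the rule description.
SCRIPT_EXTENSIONS = {".sh", ".desktop", ".url", ".py"}

# Hypothetical: process images considered AI agent runtimes in this environment.
AGENT_IMAGES = {"/usr/bin/python3", "/usr/bin/node"}

# Hypothetical tuning allowlist: desktop-management agents that legitimately
# place shortcut files on the Desktop during application deployment.
ALLOWLISTED_IMAGES = {"/opt/deploytool/bin/deploytool"}


def is_desktop_path(path):
    """True if path is inside /home/<user>/Desktop or /root/Desktop."""
    parts = posixpath.normpath(path).split("/")
    # e.g. ['', 'home', 'operator', 'Desktop', 'run_me_urgent.sh']
    if len(parts) >= 5 and parts[1] == "home" and parts[3] == "Desktop":
        return True
    # e.g. ['', 'root', 'Desktop', 'update.sh']
    if len(parts) >= 4 and parts[1] == "root" and parts[2] == "Desktop":
        return True
    return False


def evaluate_event(event):
    """Return an alert dict if the event matches the rule, else None."""
    if event.get("event_type") != "CreateFile":
        return None
    image = event.get("image", "")
    target = event.get("target_filename", "")
    if image in ALLOWLISTED_IMAGES:   # tuning: known deployment tooling
        return None
    if image not in AGENT_IMAGES:     # only agent processes are in scope
        return None
    if not is_desktop_path(target):
        return None
    ext = posixpath.splitext(target)[1].lower()  # case-insensitive match
    if ext not in SCRIPT_EXTENSIONS:
        return None
    return {
        "rule": RULE_NAME,
        "timestamp": event.get("timestamp"),
        "host": event.get("computer_name"),
        "user": event.get("user"),
        "image": image,
        "target_filename": target,
        "extension": ext,
    }


def scan_log(lines):
    """Parse newline-delimited JSON events and collect matching alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        alert = evaluate_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: the page's own event plus benign and edge-case events.
SAMPLE_LOG = """
{"timestamp":"2025-01-10T15:50:00Z","computer_name":"oci-desktop-07","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/home/operator/Desktop/run_me_urgent.sh","event_type":"CreateFile"}
{"timestamp":"2025-01-10T15:51:00Z","computer_name":"oci-desktop-07","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/home/operator/projects/build.py","event_type":"CreateFile"}
{"timestamp":"2025-01-10T15:52:00Z","computer_name":"oci-desktop-07","user":"root","image":"/opt/deploytool/bin/deploytool","target_filename":"/home/operator/Desktop/Office.desktop","event_type":"CreateFile"}
{"timestamp":"2025-01-10T15:53:00Z","computer_name":"oci-desktop-07","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/home/operator/Desktop/notes.txt","event_type":"CreateFile"}
{"timestamp":"2025-01-10T15:54:00Z","computer_name":"oci-desktop-07","user":"agent_svc","image":"/usr/bin/node","target_filename":"/root/Desktop/Update.DESKTOP","event_type":"CreateFile"}
{"timestamp":"2025-01-10T15:55:00Z","computer_name":"oci-desktop-07","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/home/operator/Desktop/run_me_urgent.sh","event_type":"DeleteFile"}
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

Of the six constructed events only two fire: the page's sample and the `.DESKTOP` file written under `/root/Desktop`, which shows why the extension comparison is lowercased. The write outside Desktop, the `.txt`, the DeleteFile event and the allowlisted deployment tool are all dropped, so the allowlist is the only tuning knob that needs maintaining per environment.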