Linux Agent Launching Remote Support Or Meeting Tools
Detects AI agent runtimes spawning remote support or meeting applications (Teams, Zoom, AnyDesk, TeamViewer), which may indicate the agent is attempting to establish unauthorized remote access or manipulate a human into sharing screen access.
Updated Jan 10, 2025 · OCI AI Security Team
Problem Statement
Remote support and meeting tools can grant an attacker visual and interactive access to the OCI instance, bypassing all API-level security controls. An AI agent launching these tools may be attempting to grant its operator (or an attacker who has compromised the agent) direct interactive access to the system.
Sample Logs
{"timestamp":"2025-01-10T10:00:00Z","computer_name":"oci-desktop-08","user":"agent_svc","image":"/usr/bin/anydesk","command_line":"anydesk --with-password attacker123","parent_image":"/usr/bin/python3"}
Required Fields
False Positives
- Meeting coordination agents that legitimately launch Teams or Zoom for scheduled calls
Tuning Guidance
Alert specifically on remote support tools (AnyDesk, TeamViewer) as these have no legitimate AI agent use case. For video conferencing tools, review command-line arguments for pre-configured unattended access flags.
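The sketch below applies the parent/child match and the tuning guidance above to process-creation logs in the sample format. It is an added example, not the rule's own query or OCI code. The agent runtime prefixes and tool basenames are assumptions, and the only unattended-access marker is the flag seen in the sample log.

```python
import json
import os
from typing import Optional

AGENT_RUNTIME_PREFIXES = ("python", "node")   # assumption: agent parent processes
REMOTE_SUPPORT = {"anydesk", "teamviewer"}    # assumed basenames; always alert
MEETING_TOOLS = {"teams", "zoom"}             # assumed basenames; may be legitimate
UNATTENDED_MARKERS = ("--with-password",)     # only the flag in the page's sample log


def classify(event: dict, markers=UNATTENDED_MARKERS) -> Optional[str]:
    """Return 'alert', 'review' or None for one process-creation event."""
    parent = os.path.basename(event.get("parent_image") or "").lower()
    child = os.path.basename(event.get("image") or "").lower()
    cmdline = (event.get("command_line") or "").lower()
    if not parent.startswith(AGENT_RUNTIME_PREFIXES):
        return None                 # not spawned by an agent runtime
    if child in REMOTE_SUPPORT:
        return "alert"              # no legitimate AI agent use case
    if child in MEETING_TOOLS:
        # Meeting tools are escalated only when an unattended-access marker appears.
        return "alert" if any(m in cmdline for m in markers) else "review"
    return None


def scan(lines):
    """Classify JSON log lines; unparseable lines are skipped, not fatal."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = classify(event) if isinstance(event, dict) else None
        if verdict:
            hits.append((verdict, event.get("computer_name"), event.get("image")))
    return hits


# First line is the page's sample log; the rest are constructed for illustration.
SAMPLE_LINES = [
    '{"timestamp":"2025-01-10T10:00:00Z","computer_name":"oci-desktop-08","user":"agent_svc","image":"/usr/bin/anydesk","command_line":"anydesk --with-password attacker123","parent_image":"/usr/bin/python3"}',
    '{"computer_name":"oci-desktop-09","user":"agent_svc","image":"/usr/bin/zoom","command_line":"zoom","parent_image":"/usr/bin/python3"}',
    '{"computer_name":"oci-desktop-10","user":"alice","image":"/usr/bin/anydesk","command_line":"anydesk","parent_image":"/usr/bin/bash"}',
    'truncated {"computer_name":',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Events that come back as "review" are the meeting-tool launches named under False Positives; extend the marker list only with flags confirmed for the tools deployed in your environment.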