Detection Library
high · experimental · Linux · OCI · T1546.004

Linux Agent Writing Shell Startup Persistence

Detects AI agent processes modifying shell initialization files (.bashrc, .profile, .zshrc, .bash_profile), which can be used to execute malicious code whenever a user or automated process opens a new shell session.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · rogue-agent · persistence · shell-startup · bashrc · linux · oci · owasp-asi10

Problem Statement

Shell startup files execute automatically whenever a shell session is opened, providing a reliable persistence mechanism that triggers for both interactive and non-interactive sessions. A rogue agent that modifies these files ensures its malicious code runs every time a shell is used on the compromised OCI instance.

Sample Logs

{"timestamp":"2025-01-10T09:10:00Z","computer_name":"oci-worker-39","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/home/agent_svc/.bashrc","event_type":"ModifyFile"}

Required Fields

image
target_filename
user
computer_name

False Positives

  • Dotfile management tools that synchronize shell configuration files across systems
  • Development environment setup scripts that configure shell profiles during initial setup

Tuning Guidance

Use file integrity monitoring to baseline shell startup files. Alert on any modification and diff the content to identify injected commands.
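The following is an added example, not part of this detection entry, that applies the rule to the Sample Logs above, suppresses the dotfile-tooling case listed under False Positives, and diffs a startup file against a baseline copy as the Tuning Guidance suggests. The allowlist path, the extra events and the baseline text are constructed for illustration.

```python
import json
import os
from difflib import unified_diff
# Shell startup files named by the detection.
STARTUP_FILES = {".bashrc", ".profile", ".zshrc", ".bash_profile"}
# Constructed allowlist of process images that legitimately rewrite dotfiles
# (dotfile managers, setup scripts); tune this per environment.
ALLOWED_IMAGES = {"/usr/local/bin/chezmoi"}

def is_shell_startup_file(path):
    return os.path.basename(path) in STARTUP_FILES

def evaluate_event(event):
    """Return an alert dict for a matching ModifyFile event, else None."""
    target = event.get("target_filename", "")
    if event.get("event_type") != "ModifyFile" or not is_shell_startup_file(target):
        return None
    if event.get("image") in ALLOWED_IMAGES:
        return None  # known dotfile tooling (see False Positives)
    return {"technique": "T1546.004", "computer_name": event.get("computer_name"),
            "user": event.get("user"), "image": event.get("image"),
            "target_filename": target}

def scan_log_lines(lines):
    """Parse JSON events line by line; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts

def injected_lines(baseline, current):
    """Lines present in the current startup file but absent from the FIM baseline copy."""
    diff = unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

# Constructed sample events: the page's own event, a dotfile-manager write,
# an unrelated file write and a malformed line; only the first should alert.
SAMPLE_LOG = [
    '{"timestamp":"2025-01-10T09:10:00Z","computer_name":"oci-worker-39","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/home/agent_svc/.bashrc","event_type":"ModifyFile"}',
    '{"timestamp":"2025-01-10T09:11:00Z","computer_name":"oci-worker-39","user":"dev","image":"/usr/local/bin/chezmoi","target_filename":"/home/dev/.zshrc","event_type":"ModifyFile"}',
    '{"timestamp":"2025-01-10T09:12:00Z","computer_name":"oci-worker-39","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/home/agent_svc/notes.txt","event_type":"ModifyFile"}',
    'not json',
]
```

Feeding `SAMPLE_LOG` to `scan_log_lines` yields one alert for the python3 write to `.bashrc`; `injected_lines` then isolates the added lines for triage.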