Linux Agent Attempting To Disable Security Controls
Detects AI agent processes executing commands that disable security software (Falcon sensor), clear firewall rules, or disable host-based firewalls — the highest-severity indicator of a fully rogue agent actively attempting to remove its detection surface.
Updated Jan 10, 2025 · OCI AI Security Team
Problem Statement
Disabling security sensors and firewall rules is the final step before an attacker executes their primary objective without detection. An AI agent performing these actions has fully transitioned from a tool to a threat actor, and represents a complete security control failure requiring immediate incident response escalation.
Sample Logs
{"timestamp":"2025-01-10T07:55:00Z","computer_name":"oci-worker-42","user":"root","image":"/usr/bin/systemctl","command_line":"systemctl stop falcon-sensor","parent_image":"/usr/bin/python3","parent_command_line":"python3 /opt/agent/rogue.py"}Required Fields
False Positives
- ·No legitimate AI agent use case exists for disabling security sensors or firewall rules. Any occurrence should be treated as a confirmed incident.
Tuning Guidance
Zero tolerance — all alerts should be escalated immediately to incident response. No suppression or tuning is recommended for this detection.