aiwg

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

```yaml
title: Process Running from Deleted Executable
id: 2c7d8e3f-4b1a-5c9d-8f2e-3a4b5c6d7e8f
status: stable
description: >
  Detects processes that are executing from a binary that no longer exists on disk.
  This is a strong indicator of active attacker presence; a common technique is to upload
  malware, execute it, then delete the file from disk to hinder forensic analysis.
  The process continues running from kernel page cache.
references:
  - https://attack.mitre.org/techniques/T1070/004/
  - https://attack.mitre.org/techniques/T1059/
author: forensics-complete
date: 2025-11-14
modified: 2025-11-14
tags:
  - attack.defense_evasion
  - attack.t1070.004
  - attack.execution
  - attack.t1059
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    process_executable|endswith: ' (deleted)'
  filter_expected:
    # Some software intentionally uses this pattern for self-updating
    process_name:
      - 'update-agent'
      - 'apt'
      - 'dpkg'
  condition: selection and not filter_expected
falsepositives:
  - Software update processes that replace their own binary while running
  - Package managers performing in-place upgrades
  - Some container runtimes during image layer operations
level: critical
fields:
  - process_pid
  - process_name
  - process_executable
  - process_cmdline
  - process_parent_name
  - user
  - timestamp
---
# Detection Logic Note
#
# Direct detection command:
#
#   ls -la /proc/*/exe 2>/dev/null | grep '(deleted)'
#
# To recover the deleted binary from kernel page cache (do this FIRST):
#
#   PID=<pid of deleted process>
#   cp /proc/$PID/exe /workspace/evidence/deleted-binary-$PID
#   sha256sum /workspace/evidence/deleted-binary-$PID
#
# To examine the process before any containment action:
#
#   cat /proc/$PID/cmdline | tr '\0' ' '
#   cat /proc/$PID/environ | tr '\0' '\n'
#   ls -la /proc/$PID/fd/
#   ss -tunap | grep $PID
#
# See rules/red-flag-escalation.md Rule 2 for escalation requirements.
# See rules/non-destructive.md Rule 3 — do not kill this process
# before capturing evidence from /proc/$PID.
```
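The rule's `selection and not filter_expected` condition, written out as a function and paired with a procfs scanner that produces the records it evaluates. This is an added example, not code from the aiwg package; the `ProcessRecord` type, the `scan_proc` helper and the sample records are constructed here for illustration.

```python
# Added example (not aiwg's code): the rule condition as a function plus a /proc scanner.
import os
from dataclasses import dataclass

DELETED_SUFFIX = " (deleted)"                               # selection
EXPECTED_SELF_UPDATERS = {"update-agent", "apt", "dpkg"}   # filter_expected


@dataclass
class ProcessRecord:
    pid: int
    name: str         # process_name (comm)
    executable: str   # process_executable, i.e. readlink(/proc/<pid>/exe)


def matches_rule(rec: ProcessRecord) -> bool:
    """Fires when the backing binary was unlinked and the program is not a
    known self-updater; mirrors `condition: selection and not filter_expected`."""
    selection = rec.executable.endswith(DELETED_SUFFIX)
    filter_expected = rec.name in EXPECTED_SELF_UPDATERS
    return selection and not filter_expected


def scan_proc(proc_root: str = "/proc") -> list[ProcessRecord]:
    """Enumerate procfs; the kernel appends ' (deleted)' to exe once the file is gone."""
    records = []
    entries = os.listdir(proc_root) if os.path.isdir(proc_root) else []
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
            with open(os.path.join(proc_root, entry, "comm")) as f:
                name = f.read().strip()
        except OSError:          # kernel threads, exited PIDs, permission denied
            continue
        records.append(ProcessRecord(int(entry), name, exe))
    return records


def find_alerts(records: list[ProcessRecord]) -> list[ProcessRecord]:
    return [r for r in records if matches_rule(r)]


# Constructed sample records, not real telemetry, covering both branches of the rule.
SAMPLE = [
    ProcessRecord(4242, "a.out", "/tmp/a.out (deleted)"),      # alert
    ProcessRecord(1337, "apt", "/usr/bin/apt (deleted)"),      # filtered as expected
    ProcessRecord(2001, "sshd", "/usr/sbin/sshd"),             # benign
]

if __name__ == "__main__":
    for r in find_alerts(SAMPLE + scan_proc()):
        print(f"ALERT pid={r.pid} name={r.name} exe={r.executable}")
```

On a live Linux host the `scan_proc()` call adds real records to the constructed sample; elsewhere it returns an empty list and only the sample is evaluated.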