GenAI Process Connection to Unusual Domain

Detects GenAI tools connecting to unusual domains on macOS. Adversaries may compromise GenAI tools through prompt injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents.

Elastic rule

[metadata]
creation_date = "2025/12/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/04"

[rule]
author = ["Elastic"]
description = """
Detects GenAI tools connecting to unusual domains on macOS. Adversaries may compromise GenAI tools through prompt
injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to
attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers,
download malicious payloads, or transmit harvested credentials and documents.
"""
from = "now-9m"
index = ["logs-endpoint.events.network*"]
language = "kuery"
license = "Elastic License v2"
name = "GenAI Process Connection to Unusual Domain"
note = """## Triage and analysis

### Investigating GenAI Process Connection to Unusual Domain

GenAI tools with network access can be weaponized to contact attacker infrastructure for C2, data exfiltration, or payload retrieval. Compromised MCP servers, malicious plugins, or prompt injection attacks can redirect AI agents to connect to arbitrary domains. While legitimate GenAI tools connect to vendor APIs and CDNs, connections to unusual domains may indicate exploitation.

### Possible investigation steps

- Review the destination domain to determine if it's a legitimate GenAI service, CDN, package registry, or potentially malicious infrastructure.
- Investigate the GenAI process command line and configuration to identify what triggered the connection (plugin, MCP server, user prompt).
- Check if the domain was recently registered, uses a suspicious TLD, or has a low reputation score in threat intelligence feeds.
- Review the timing and context of the connection to determine if it correlates with user activity or was automated.
- Examine network traffic to and from the domain to identify the nature of the communication (API calls, file downloads, data exfiltration).
- Check for other hosts in the environment connecting to the same domain to determine if this is an isolated incident.
- Investigate whether the GenAI tool's configuration files were recently modified to add new MCP servers or plugins.
- Correlate with file events to see if the GenAI tool downloaded or created files around the same time as the connection.

### False positive analysis

- GenAI tools may connect to new domains as vendors update their infrastructure, CDNs, or API endpoints.
- Package managers (npm, pip) used by MCP servers may connect to package registries for dependency resolution.
- Legitimate MCP servers and AI plugins connect to their respective backend services.
- Developer workflows testing new AI integrations or MCP servers will naturally trigger alerts for novel domain connections.

### Response and remediation

- If the domain is confirmed malicious, block it at the network level and investigate the source of the compromise.
- Review the GenAI tool's configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.
- Investigate any data that may have been sent to the suspicious domain and assess the potential for data exfiltration.
- Review and rotate any API keys, tokens, or credentials used by the GenAI tool.
- Update detection rules to monitor the identified domain across all hosts in the environment.
"""
references = [
    "https://atlas.mitre.org/techniques/AML.T0086",
    "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
    "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code",
]
risk_score = 47
rule_id = "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
    "Domain: LLM",
    "Mitre Atlas: T0086",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category:network and host.os.type:macos and
process.name:(
    Claude or "Claude Helper" or "Claude Helper (Plugin)" or Copilot or Cursor or
    "Cursor Helper" or "Cursor Helper (Plugin)" or GPT4All or Jan or "Jan Helper" or
    KoboldCpp or "LM Studio" or Ollama or Windsurf or "Windsurf Helper" or
    "Windsurf Helper (Plugin)" or bunx or claude or codex or copilot or cursor or deno or
    gemini-cli or genaiscript or gpt4all or grok or jan or koboldcpp or llama-cli or
    llama-server or lmstudio or npx or ollama or pnpm or qwen or textgen or windsurf or yarn
) and destination.domain:(* and not (
    aka.ms or anthropic.com or atlassian.com or cursor.com or cursor.sh or github.com or
    gpt4all.io or hf.co or huggingface.co or lmstudio.ai or localhost or ollama.ai or
    ollama.com or openai.com or *.aka.ms or *.akamaized.net or *.amazonaws.com or
    *.amplitude.com or *.anthropic.com or *.atlassian.com or *.aws.amazon.com or
    *.azure.com or *.cdn.cloudflare.net or *.cloudflare-dns.com or *.cloudflare.com or
    *.cloudflarestorage.com or *.codeium.com or *.cursor.com or *.cursor.sh or
    *.datadoghq.com or *.elastic-cloud.com or *.elastic.co or *.exp-tas.com or
    *.gemini.google.com or *.generativelanguage.googleapis.com or *.github.com or
    *.githubcopilot.com or *.githubusercontent.com or *.gitkraken.com or *.gitkraken.dev or
    *.google.com or *.googleapis.com or *.gpt4all.io or *.grok.x.ai or *.hf.co or
    *.honeycomb.io or *.huggingface.co or *.intercom.io or *.jan.ai or *.launchdarkly.com or
    *.lmstudio.ai or *.microsoft.com or *.mixpanel.com or *.msedge.net or *.npmjs.com or
    *.npmjs.org or *.ollama.ai or *.ollama.com or *.openai.com or *.pypi.org or
    *.r2.cloudflarestorage.com or *.segment.io or *.sentry.io or *.visualstudio.com or
    *.vsassets.io or *.vscode-cdn.net or *.windsurf.ai or *.x.ai or *.yarnpkg.com
))
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[[rule.threat.technique.subtechnique]]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[rule.new_terms]
field = "new_terms_fields"
value = ["destination.domain"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
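To see how the query and the new_terms settings interact, the following added example (not Elastic's code and not part of the rule) re-implements the rule's matching logic in Python and replays it over constructed ECS-style events. It assumes a representative subset of the rule's destination.domain allowlist rather than the full list, a simplified history window evaluated per event in time order (Elastic evaluates new terms per rule run against the index), and made-up process names and domains; the `.example.net` domain is a placeholder, not an indicator.

```python
"""Stand-alone replay of the 'GenAI Process Connection to Unusual Domain' logic.
Added example; the allowlist below is a SUBSET of the rule's exclusions and the
events are constructed for illustration."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Process names from the rule's process.name clause (keyword match is exact and
# case-sensitive, which is why the rule lists both "Claude" and "claude").
GENAI_PROCESSES = {
    "Claude", "Claude Helper", "Claude Helper (Plugin)", "Copilot", "Cursor",
    "Cursor Helper", "Cursor Helper (Plugin)", "GPT4All", "Jan", "Jan Helper",
    "KoboldCpp", "LM Studio", "Ollama", "Windsurf", "Windsurf Helper",
    "Windsurf Helper (Plugin)", "bunx", "claude", "codex", "copilot", "cursor", "deno",
    "gemini-cli", "genaiscript", "gpt4all", "grok", "jan", "koboldcpp", "llama-cli",
    "llama-server", "lmstudio", "npx", "ollama", "pnpm", "qwen", "textgen", "windsurf", "yarn",
}

# Subset of the rule's destination.domain exclusions. A "*." pattern matches
# subdomains only, so the apex (e.g. anthropic.com) has to be listed separately,
# exactly as the rule does.
EXCLUDED_DOMAINS = [
    "anthropic.com", "github.com", "localhost", "openai.com",
    "*.anthropic.com", "*.github.com", "*.githubusercontent.com",
    "*.npmjs.org", "*.openai.com", "*.pypi.org",
]


def matches_query(event: dict) -> bool:
    """Static part of the rule: a macOS network event from a GenAI process to a
    destination.domain that is present and not on the allowlist."""
    if event.get("event.category") != "network" or event.get("host.os.type") != "macos":
        return False
    if event.get("process.name") not in GENAI_PROCESSES:
        return False
    domain = event.get("destination.domain")
    if not domain:  # `destination.domain:*` requires the field to exist
        return False
    return not any(fnmatchcase(domain, pattern) for pattern in EXCLUDED_DOMAINS)


def new_term_alerts(events, history_window=timedelta(days=7)):
    """Simplified new_terms evaluation over destination.domain: replay matching
    events in time order and alert when a domain has not been seen in a matching
    event within the history window. Returns (process.name, domain, timestamp)."""
    last_seen = {}  # destination.domain -> timestamp of the last matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        domain, ts = ev["destination.domain"], ev["@timestamp"]
        previous = last_seen.get(domain)
        if previous is None or ts - previous > history_window:
            alerts.append((ev["process.name"], domain, ts))
        last_seen[domain] = ts
    return alerts


# Constructed sample events (hypothetical; the domain is a placeholder).
T0 = datetime(2025, 12, 4, 9, 0, tzinfo=timezone.utc)


def make_event(minutes, process, domain, os_type="macos"):
    return {"@timestamp": T0 + timedelta(minutes=minutes), "event.category": "network",
            "host.os.type": os_type, "process.name": process, "destination.domain": domain}


SAMPLE_EVENTS = [
    make_event(0, "Claude", "api.anthropic.com"),                        # allowlisted vendor API
    make_event(1, "npx", "registry.npmjs.org"),                          # allowlisted registry
    make_event(2, "Claude Helper (Plugin)", "plugin-updates.example.net"),  # first sighting -> alert
    make_event(3, "Safari", "plugin-updates.example.net"),               # not a GenAI process
    make_event(60, "Claude Helper (Plugin)", "plugin-updates.example.net"),  # seen 58 min ago -> no alert
    make_event(0, "ollama", "plugin-updates.example.net", os_type="linux"),  # rule is macOS only
    make_event(8 * 24 * 60, "cursor", "plugin-updates.example.net"),     # window expired -> alert again
]

if __name__ == "__main__":
    for process, domain, ts in new_term_alerts(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {process} -> {domain}")
```

Two behaviours worth noticing when tuning the rule: the apex-plus-wildcard pairing means a new vendor domain needs both entries, and a domain that goes quiet for longer than the 7-day history window will fire again, which is why the response guidance asks for confirmed-malicious domains to be tracked across hosts rather than relying on the new-terms alert alone.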
