GenAI Process Accessing Sensitive Files

  1[metadata]
  2creation_date = "2025/12/04"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/12/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or
 11shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and
 12tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs
 13(.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.file*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "GenAI Process Accessing Sensitive Files"
 20note = """## Triage and analysis
 21
 22### Investigating GenAI Process Accessing Sensitive Files
 23
 24This rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation.
 25
 26### Possible investigation steps
 27
 28- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool.
 29- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
 30- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) to assess the potential impact of credential harvesting or data exfiltration.
 31- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events.
 32- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment.
 33- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting.
 34- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning.
 35- Review whether the access was preceded by an MCP server, LangChain agent, or background automation.
 36
 37### False positive analysis
 38
 39- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation.
 40- Development workflows that use GenAI tools for code analysis may occasionally access credential files.
 41
 42### Response and remediation
 43
 44- Immediately review the GenAI process that accessed the documents to determine if it's compromised or malicious.
 45- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
 46- Investigate the document access patterns to determine the scope of potential data exfiltration.
 47- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files.
 48"""
 49references = [
 50    "https://atlas.mitre.org/techniques/AML.T0085",
 51    "https://atlas.mitre.org/techniques/AML.T0085.001",
 52    "https://atlas.mitre.org/techniques/AML.T0055",
 53    "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
 54    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 55    "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code",
 56]
 57risk_score = 73
 58rule_id = "c0136397-f82a-45e5-9b9f-a3651d77e21a"
 59severity = "high"
 60tags = [
 61    "Domain: Endpoint",
 62    "OS: Linux",
 63    "OS: macOS",
 64    "OS: Windows",
 65    "Use Case: Threat Detection",
 66    "Tactic: Collection",
 67    "Tactic: Credential Access",
 68    "Data Source: Elastic Defend",
 69    "Resources: Investigation Guide",
 70    "Domain: LLM",
 71    "Mitre Atlas: T0085",
 72    "Mitre Atlas: T0085.001",
 73    "Mitre Atlas: T0055",
 74]
 75timestamp_override = "event.ingested"
 76type = "eql"
 77
 78query = '''
 79file where event.action in ("open", "creation", "modification") and event.outcome == "success" and
 80
 81  // GenAI process 
 82    process.name in (
 83      "ollama.exe", "ollama", "Ollama",
 84      "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
 85      "lmstudio.exe", "lmstudio", "LM Studio",
 86      "claude.exe", "claude", "Claude",
 87      "cursor.exe", "cursor", "Cursor",
 88      "copilot.exe", "copilot", "Copilot",
 89      "codex.exe", "codex",
 90      "Jan", "jan.exe", "jan",
 91      "gpt4all.exe", "gpt4all", "GPT4All",
 92      "gemini-cli.exe", "gemini-cli",
 93      "genaiscript.exe", "genaiscript",
 94      "grok.exe", "grok",
 95      "qwen.exe", "qwen",
 96      "koboldcpp.exe", "koboldcpp", "KoboldCpp",
 97      "llama-server", "llama-cli"
 98    ) and
 99
100  // Sensitive file paths
101  (
102    // Persistence via Shell configs
103    file.name in (".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile", ".bash_logout") or
104
105    // Credentials In Files 
106    file.name like~ 
107                 ("key?.db", 
108                  "logins.json", 
109                  "Login Data", 
110                  "Local State",
111                  "signons.sqlite",
112                  "Cookies", 
113                  "cookies.sqlite",
114                  "Cookies.binarycookies", 
115                  "login.keychain-db", 
116                  "System.keychain", 
117                  "credentials.db", 
118                  "credentials", 
119                  "access_tokens.db", 
120                  "accessTokens.json", 
121                  "azureProfile.json",
122                  "RDCMan.settings", 
123                  "known_hosts", 
124                  "KeePass.config.xml", 
125                  "Unattended.xml")
126  )
127'''
128
129
130[[rule.threat]]
131framework = "MITRE ATT&CK"
132[[rule.threat.technique]]
133id = "T1555"
134name = "Credentials from Password Stores"
135reference = "https://attack.mitre.org/techniques/T1555/"
136
137
138[rule.threat.tactic]
139id = "TA0006"
140name = "Credential Access"
141reference = "https://attack.mitre.org/tactics/TA0006/"
142[[rule.threat]]
143framework = "MITRE ATT&CK"
144[[rule.threat.technique]]
145id = "T1005"
146name = "Data from Local System"
147reference = "https://attack.mitre.org/techniques/T1005/"
148
149
150[rule.threat.tactic]
151id = "TA0009"
152name = "Collection"
153reference = "https://attack.mitre.org/tactics/TA0009/"