GenAI Process Accessing Sensitive Files
Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2025/12/04"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2026/04/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or
11shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and
12tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs
13(.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are
14not yet implemented.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.file*"]
18language = "eql"
19license = "Elastic License v2"
20name = "GenAI Process Accessing Sensitive Files"
21note = """## Triage and analysis
22
23### Investigating GenAI Process Accessing Sensitive Files
24
25This rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation.
26
27### Possible investigation steps
28
29- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool.
30- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
31- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) to assess the potential impact of credential harvesting or data exfiltration.
32- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events.
33- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment.
34- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting.
35- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning.
36- Review whether the access was preceded by an MCP server, LangChain agent, or background automation.
37
38### False positive analysis
39
40- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation.
41- Development workflows that use GenAI tools for code analysis may occasionally access credential files.
42
43### Response and remediation
44
45- Immediately review the GenAI process that accessed the documents to determine if it's compromised or malicious.
46- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
47- Investigate the document access patterns to determine the scope of potential data exfiltration.
48- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files.
49"""
50references = [
51 "https://atlas.mitre.org/techniques/AML.T0085",
52 "https://atlas.mitre.org/techniques/AML.T0085.001",
53 "https://atlas.mitre.org/techniques/AML.T0055",
54 "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
55 "https://www.elastic.co/security-labs/elastic-advances-llm-security",
56 "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code",
57]
58risk_score = 73
59rule_id = "c0136397-f82a-45e5-9b9f-a3651d77e21a"
60severity = "high"
61tags = [
62 "Domain: Endpoint",
63 "OS: Linux",
64 "OS: macOS",
65 "OS: Windows",
66 "Use Case: Threat Detection",
67 "Tactic: Collection",
68 "Tactic: Credential Access",
69 "Data Source: Elastic Defend",
70 "Resources: Investigation Guide",
71 "Domain: LLM",
72 "Mitre Atlas: T0085",
73 "Mitre Atlas: T0085.001",
74 "Mitre Atlas: T0055",
75]
76timestamp_override = "event.ingested"
77type = "eql"
78
79query = '''
80file where event.action in ("open", "creation", "modification") and event.outcome == "success" and
81
82 // GenAI process
83 (
84 process.name in~ (
85 "ollama.exe", "ollama",
86 "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
87 "lmstudio.exe", "lmstudio", "LM Studio",
88 "claude.exe", "claude",
89 "cursor.exe", "cursor",
90 "copilot.exe", "copilot",
91 "codex.exe", "codex",
92 "jan.exe", "jan",
93 "gpt4all.exe", "gpt4all",
94 "gemini-cli.exe", "gemini-cli", "gemini.exe",
95 "genaiscript.exe", "genaiscript",
96 "grok.exe", "grok",
97 "qwen.exe", "qwen",
98 "koboldcpp.exe", "koboldcpp",
99 "llama-server", "llama-cli",
100 "windsurf.exe", "windsurf",
101 "zed.exe", "zed",
102 "opencode.exe", "opencode",
103 "goose.exe", "goose"
104 ) or
105 // OpenClaw/Moltbot/Clawdbot family via Node.js
106 (process.name in~ ("node", "node.exe") and
107 process.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*",
108 "*nemoclaw*", "*nanoclaw*", "*picoclaw*"))
109 ) and
110
111 // Sensitive file paths
112 (
113 // Persistence via Shell configs
114 file.name in (".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile", ".bash_logout") or
115
116 // Credentials In Files
117 file.name like~
118 ("key?.db",
119 "logins.json",
120 "Login Data",
121 "Local State",
122 "signons.sqlite",
123 "Cookies",
124 "cookies.sqlite",
125 "Cookies.binarycookies",
126 "login.keychain-db",
127 "System.keychain",
128 "credentials.db",
129 "credentials",
130 "access_tokens.db",
131 "accessTokens.json",
132 "azureProfile.json",
133 "RDCMan.settings",
134 "known_hosts",
135 "KeePass.config.xml",
136 "Unattended.xml")
137 ) and not (
138 host.os.type == "windows" and
139 process.name : ("claude.exe", "Claude") and
140 file.path : ("?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State",
141 "?:\\Users\\*\\AppData\\Local\\Packages\\Claude_*\\LocalCache\\Roaming\\Claude\\Local State")
142 )
143'''
144
145
146[[rule.threat]]
147framework = "MITRE ATT&CK"
148[[rule.threat.technique]]
149id = "T1552"
150name = "Unsecured Credentials"
151reference = "https://attack.mitre.org/techniques/T1552/"
152[[rule.threat.technique.subtechnique]]
153id = "T1552.001"
154name = "Credentials In Files"
155reference = "https://attack.mitre.org/techniques/T1552/001/"
156
157
158[[rule.threat.technique]]
159id = "T1555"
160name = "Credentials from Password Stores"
161reference = "https://attack.mitre.org/techniques/T1555/"
162
163
164[rule.threat.tactic]
165id = "TA0006"
166name = "Credential Access"
167reference = "https://attack.mitre.org/tactics/TA0006/"
168[[rule.threat]]
169framework = "MITRE ATT&CK"
170[[rule.threat.technique]]
171id = "T1005"
172name = "Data from Local System"
173reference = "https://attack.mitre.org/techniques/T1005/"
174
175
176[rule.threat.tactic]
177id = "TA0009"
178name = "Collection"
179reference = "https://attack.mitre.org/tactics/TA0009/"
180[[rule.threat]]
181framework = "MITRE ATT&CK"
182[[rule.threat.technique]]
183id = "T1037"
184name = "Boot or Logon Initialization Scripts"
185reference = "https://attack.mitre.org/techniques/T1037/"
186[[rule.threat.technique.subtechnique]]
187id = "T1037.004"
188name = "RC Scripts"
189reference = "https://attack.mitre.org/techniques/T1037/004/"
190
191
192
193[rule.threat.tactic]
194id = "TA0003"
195name = "Persistence"
196reference = "https://attack.mitre.org/tactics/TA0003/"
Triage and analysis
Investigating GenAI Process Accessing Sensitive Files
This rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation.
Possible investigation steps
- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool.
- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) to assess the potential impact of credential harvesting or data exfiltration.
- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events.
- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment.
- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting.
- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning.
- Review whether the access was preceded by an MCP server, LangChain agent, or background automation.
False positive analysis
- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation.
- Development workflows that use GenAI tools for code analysis may occasionally access credential files.
Response and remediation
- Immediately review the GenAI process that accessed the documents to determine if it's compromised or malicious.
- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
- Investigate the document access patterns to determine the scope of potential data exfiltration.
- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files.
References
-
The Model Context Protocol (MCP) standardizes how large language models (LLMs) and their autonomous agents interact with external services and sensitive data. While this interconnectivity drives utility, it also introduces novel security vulnerabilities. The most critical threat is characterized by the Lethal Trifecta: the concurrent presence of access to private data, exposure to untrusted content, and the ability to externally communicate. This article details how this trifecta enables data flow attacks, such as those exploiting calendar invites and prompt injection, leading to unauthorized data exfiltration. We then examine a principled architectural defense: the implementation of an agentic firewall, such as the open-source Open Edison gateway, designed to monitor and interrupt risky tool call chains based on the context window's data lineage.
Read More -
Discover Elastic’s latest advancements in LLM security, focusing on standardized field integrations and enhanced detection capabilities. Learn how adopting these standards can safeguard your systems.
Read More -
This blog post explores a bug, (CVE-2025-64755), I found while trying to find a command execution primitive within Claude Code to demonstrate the risks of web-hosted MCP to a client.
Read More
Related rules
- Credential Access via TruffleHog Execution
- GenAI Process Compiling or Generating Executables
- GenAI Process Performing Encoding/Chunking Prior to Network Activity
- Potential Secret Scanning via Gitleaks
- Execution via OpenClaw Agent