GenAI Process Accessing Sensitive Files

  1[metadata]
  2creation_date = "2025/12/04"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2026/04/29"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or
 11shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and
 12tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs
 13(.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are
 14not yet implemented.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.file*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "GenAI Process Accessing Sensitive Files"
 21note = """## Triage and analysis
 22
 23### Investigating GenAI Process Accessing Sensitive Files
 24
 25This rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation.
 26
 27### Possible investigation steps
 28
 29- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool.
 30- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
 31- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) to assess the potential impact of credential harvesting or data exfiltration.
 32- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events.
 33- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment.
 34- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting.
 35- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning.
 36- Review whether the access was preceded by an MCP server, LangChain agent, or background automation.
 37
 38### False positive analysis
 39
 40- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation.
 41- Development workflows that use GenAI tools for code analysis may occasionally access credential files.
 42
 43### Response and remediation
 44
 45- Immediately review the GenAI process that accessed the documents to determine if it's compromised or malicious.
 46- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
 47- Investigate the document access patterns to determine the scope of potential data exfiltration.
 48- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files.
 49"""
 50references = [
 51    "https://atlas.mitre.org/techniques/AML.T0085",
 52    "https://atlas.mitre.org/techniques/AML.T0085.001",
 53    "https://atlas.mitre.org/techniques/AML.T0055",
 54    "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
 55    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 56    "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code",
 57]
 58risk_score = 73
 59rule_id = "c0136397-f82a-45e5-9b9f-a3651d77e21a"
 60severity = "high"
 61tags = [
 62    "Domain: Endpoint",
 63    "OS: Linux",
 64    "OS: macOS",
 65    "OS: Windows",
 66    "Use Case: Threat Detection",
 67    "Tactic: Collection",
 68    "Tactic: Credential Access",
 69    "Data Source: Elastic Defend",
 70    "Resources: Investigation Guide",
 71    "Domain: LLM",
 72    "Mitre Atlas: T0085",
 73    "Mitre Atlas: T0085.001",
 74    "Mitre Atlas: T0055",
 75]
 76timestamp_override = "event.ingested"
 77type = "eql"
 78
 79query = '''
 80file where event.action in ("open", "creation", "modification") and event.outcome == "success" and
 81
 82  // GenAI process 
 83    (
 84      process.name in~ (
 85        "ollama.exe", "ollama",
 86        "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
 87        "lmstudio.exe", "lmstudio", "LM Studio",
 88        "claude.exe", "claude",
 89        "cursor.exe", "cursor",
 90        "copilot.exe", "copilot",
 91        "codex.exe", "codex",
 92        "jan.exe", "jan",
 93        "gpt4all.exe", "gpt4all",
 94        "gemini-cli.exe", "gemini-cli", "gemini.exe",
 95        "genaiscript.exe", "genaiscript",
 96        "grok.exe", "grok",
 97        "qwen.exe", "qwen",
 98        "koboldcpp.exe", "koboldcpp",
 99        "llama-server", "llama-cli",
100        "windsurf.exe", "windsurf",
101        "zed.exe", "zed",
102        "opencode.exe", "opencode",
103        "goose.exe", "goose"
104      )
105    ) and
106
107  // Sensitive file paths
108  (
109    // Persistence via Shell configs
110    file.name in (".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile", ".bash_logout") or
111
112    // Credentials In Files 
113    file.name like~ 
114                 ("key?.db", 
115                  "logins.json", 
116                  "Login Data", 
117                  "Local State",
118                  "signons.sqlite",
119                  "Cookies", 
120                  "cookies.sqlite",
121                  "Cookies.binarycookies", 
122                  "login.keychain-db", 
123                  "System.keychain", 
124                  "credentials.db", 
125                  "credentials", 
126                  "access_tokens.db", 
127                  "accessTokens.json", 
128                  "azureProfile.json",
129                  "RDCMan.settings", 
130                  "known_hosts", 
131                  "KeePass.config.xml", 
132                  "Unattended.xml")
133  ) and not (
134    host.os.type == "windows" and
135    process.name : ("claude.exe", "Claude") and
136    file.path : ("?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State",
137                 "?:\\Users\\*\\AppData\\Local\\Packages\\Claude_*\\LocalCache\\Roaming\\Claude\\Local State")
138  )
139'''
140
141
142[[rule.threat]]
143framework = "MITRE ATT&CK"
144[[rule.threat.technique]]
145id = "T1552"
146name = "Unsecured Credentials"
147reference = "https://attack.mitre.org/techniques/T1552/"
148[[rule.threat.technique.subtechnique]]
149id = "T1552.001"
150name = "Credentials In Files"
151reference = "https://attack.mitre.org/techniques/T1552/001/"
152
153
154[[rule.threat.technique]]
155id = "T1555"
156name = "Credentials from Password Stores"
157reference = "https://attack.mitre.org/techniques/T1555/"
158
159
160[rule.threat.tactic]
161id = "TA0006"
162name = "Credential Access"
163reference = "https://attack.mitre.org/tactics/TA0006/"
164[[rule.threat]]
165framework = "MITRE ATT&CK"
166[[rule.threat.technique]]
167id = "T1005"
168name = "Data from Local System"
169reference = "https://attack.mitre.org/techniques/T1005/"
170
171
172[rule.threat.tactic]
173id = "TA0009"
174name = "Collection"
175reference = "https://attack.mitre.org/tactics/TA0009/"
176[[rule.threat]]
177framework = "MITRE ATT&CK"
178[[rule.threat.technique]]
179id = "T1037"
180name = "Boot or Logon Initialization Scripts"
181reference = "https://attack.mitre.org/techniques/T1037/"
182[[rule.threat.technique.subtechnique]]
183id = "T1037.004"
184name = "RC Scripts"
185reference = "https://attack.mitre.org/techniques/T1037/004/"
186
187
188
189[rule.threat.tactic]
190id = "TA0003"
191name = "Persistence"
192reference = "https://attack.mitre.org/tactics/TA0003/"