GenAI CLI Started with Unsafe Permission Bypass

Identifies GenAI agent CLIs started with permission-bypass or auto-approval flags that disable human-in-the-loop guardrails. These modes are intended for isolated sandboxes but are frequently misused on internet-connected developer workstations, allowing prompt injection, compromised dependencies, or malicious skills to execute commands, modify files, or reach sensitive paths without confirmation.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/06/24"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2026/07/06"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies GenAI agent CLIs started with permission-bypass or auto-approval flags that disable human-in-the-loop
 11guardrails. These modes are intended for isolated sandboxes but are frequently misused on internet-connected developer
 12workstations, allowing prompt injection, compromised dependencies, or malicious skills to execute commands, modify
 13files, or reach sensitive paths without confirmation.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.process-*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "GenAI CLI Started with Unsafe Permission Bypass"
 20note = """## Triage and analysis
 21
 22### Investigating GenAI CLI Started with Unsafe Permission Bypass
 23
 24GenAI coding agents normally prompt before running shell commands or editing files. Vendor-supplied bypass flags remove
 25those controls entirely or auto-approve all tool calls. On a networked host this materially increases blast radius from
 26prompt injection, poisoned MCP servers, malicious project configs, and autonomous agent workflows.
 27
 28### Possible investigation steps
 29
 30- Identify which GenAI tool and bypass flag were used from `process.command_line` and `process.executable`.
 31- Determine whether the session was intentional (CI/CD, isolated lab VM) or an interactive developer workstation.
 32- Review child processes spawned after startup for credential access, network exfiltration, or persistence.
 33- Check for recent GenAI config changes (MCP servers, skills, `.claude/settings.json`, `~/.codex/config.toml`).
 34- Correlate with other GenAI-related alerts on the same host and user.
 35
 36### False positive analysis
 37
 38- Deliberate use in approved sandbox/CI images with no outbound network access.
 39- Internal automation scripts that wrap GenAI CLIs with bypass flags; scope exceptions by host or user group.
 40- Each matching process start produces one alert; habitual bypass use in CI or developer workflows may need host or user exceptions.
 41
 42### Response and remediation
 43
 44- Remove bypass flags from scripts, shell profiles, and CI job definitions; use default or plan-only permission modes.
 45- Rotate API keys and cloud credentials accessible to the user account that ran the agent.
 46- Audit GenAI tool configs and MCP servers loaded during the session.
 47- Restrict GenAI agent usage policies to disallow permission bypass on production endpoints.
 48"""
 49references = [
 50    "https://code.claude.com/docs/en/permission-modes",
 51    "https://developers.openai.com/codex/cli/reference",
 52    "https://developers.openai.com/codex/agent-approvals-security",
 53    "https://google-gemini.github.io/gemini-cli/docs/get-started/configuration.html",
 54    "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code/",
 55]
 56risk_score = 47
 57rule_id = "c1326e45-6d3c-4a2d-9882-606a0c310299"
 58severity = "medium"
 59tags = [
 60    "Domain: Endpoint",
 61    "OS: Linux",
 62    "OS: macOS",
 63    "OS: Windows",
 64    "Use Case: Threat Detection",
 65    "Tactic: Defense Evasion",
 66    "Data Source: Elastic Defend",
 67    "Resources: Investigation Guide",
 68    "Domain: LLM",
 69]
 70timestamp_override = "event.ingested"
 71type = "eql"
 72
 73query = '''
 74process where event.type == "start" and event.action in ("exec", "start") and
 75(
 76  (
 77    process.args in (
 78      "--dangerously-skip-permissions",
 79      "--allow-dangerously-skip-permissions",
 80      "--permission-mode=bypassPermissions"
 81    ) or
 82    (process.args == "--permission-mode" and process.args == "bypassPermissions")
 83  ) and
 84  (
 85    process.name in ("claude", "claude.exe") or
 86    process.executable : (
 87      "*/.local/share/claude/versions/*",
 88      "*/.claude/downloads/*",
 89      "*Caskroom/claude-code/*",
 90      "*\\Claude\\versions\\*"
 91    ) or
 92    (process.name in ("node", "node.exe") and process.args : "*@anthropic-ai/claude-code*")
 93  )
 94) or
 95(
 96  (
 97    process.args in ("--dangerously-bypass-approvals-and-sandbox", "--full-auto", "--yolo") or
 98    process.command_line : (
 99      "* -s danger-full-access*",
100      "*--sandbox danger-full-access*",
101      "*--sandbox=danger-full-access*",
102      "*--ask-for-approval never*",
103      "*--ask-for-approval=never*"
104    )
105  ) and
106  (
107    process.name in (
108      "codex", "codex.exe", "codex-exec",
109      "codex-aarch64-apple-darwin", "codex-x86_64-apple-darwin",
110      "codex-linux-arm64", "codex-linux-x64"
111    ) or
112    (process.name in ("node", "node.exe") and process.args : ("*@openai/codex*", "*/codex", "*\\codex*"))
113  )
114) or
115(
116  (
117    process.args in ("--yolo", "-y") or
118    (process.args == "--approval-mode" and process.args == "yolo") or
119    process.args == "--approval-mode=yolo"
120  ) and
121  (
122    process.name in ("gemini", "gemini-cli", "gemini.exe", "gemini-cli.exe") or
123    (process.name in ("node", "node.exe") and process.args : ("*@google/gemini-cli*", "*/gemini", "*\\gemini*"))
124  )
125) or
126(
127  (
128    process.args in (
129      "--yolo",
130      "--autopilot",
131      "--allow-all",
132      "--allow-all-tools",
133      "--allow-all-paths",
134      "--allow-all-urls"
135    )
136  ) and
137  (
138    process.name in ("copilot", "copilot.exe") or
139    (process.name in ("node", "node.exe") and process.args : ("*@github/copilot*", "*/copilot", "*\\copilot*"))
140  )
141) or
142(
143  process.args == "--dangerously-skip-permissions" and
144  (
145    process.name in ("opencode", "opencode.exe", ".opencode") or
146    process.executable : ("*opencode-ai*", "*\\.opencode*") or
147    (process.name in ("node", "node.exe") and process.args : ("*opencode-ai*", "*/opencode", "*\\opencode*"))
148  )
149)
150'''
151
152
153[[rule.threat]]
154framework = "MITRE ATT&CK"
155[[rule.threat.technique]]
156id = "T1562"
157name = "Impair Defenses"
158reference = "https://attack.mitre.org/techniques/T1562/"
159[[rule.threat.technique.subtechnique]]
160id = "T1562.001"
161name = "Disable or Modify Tools"
162reference = "https://attack.mitre.org/techniques/T1562/001/"
163
164
165
166[rule.threat.tactic]
167id = "TA0005"
168name = "Defense Evasion"
169reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Investigating GenAI CLI Started with Unsafe Permission Bypass

GenAI coding agents normally prompt before running shell commands or editing files. Vendor-supplied bypass flags remove those controls entirely or auto-approve all tool calls. On a networked host this materially increases blast radius from prompt injection, poisoned MCP servers, malicious project configs, and autonomous agent workflows.

Possible investigation steps

  • Identify which GenAI tool and bypass flag were used from process.command_line and process.executable.
  • Determine whether the session was intentional (CI/CD, isolated lab VM) or an interactive developer workstation.
  • Review child processes spawned after startup for credential access, network exfiltration, or persistence.
  • Check for recent GenAI config changes (MCP servers, skills, .claude/settings.json, ~/.codex/config.toml).
  • Correlate with other GenAI-related alerts on the same host and user.

False positive analysis

  • Deliberate use in approved sandbox/CI images with no outbound network access.
  • Internal automation scripts that wrap GenAI CLIs with bypass flags; scope exceptions by host or user group.
  • Each matching process start produces one alert; habitual bypass use in CI or developer workflows may need host or user exceptions.

Response and remediation

  • Remove bypass flags from scripts, shell profiles, and CI job definitions; use default or plan-only permission modes.
  • Rotate API keys and cloud credentials accessible to the user account that ran the agent.
  • Audit GenAI tool configs and MCP servers loaded during the session.
  • Restrict GenAI agent usage policies to disallow permission bypass on production endpoints.

References

Related rules

to-top