GenAI CLI Started with Unsafe Permission Bypass
Identifies GenAI agent CLIs started with permission-bypass or auto-approval flags that disable human-in-the-loop guardrails. These modes are intended for isolated sandboxes but are frequently misused on internet-connected developer workstations, allowing prompt injection, compromised dependencies, or malicious skills to execute commands, modify files, or reach sensitive paths without confirmation.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/24"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2026/07/06"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies GenAI agent CLIs started with permission-bypass or auto-approval flags that disable human-in-the-loop
11guardrails. These modes are intended for isolated sandboxes but are frequently misused on internet-connected developer
12workstations, allowing prompt injection, compromised dependencies, or malicious skills to execute commands, modify
13files, or reach sensitive paths without confirmation.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "GenAI CLI Started with Unsafe Permission Bypass"
20note = """## Triage and analysis
21
22### Investigating GenAI CLI Started with Unsafe Permission Bypass
23
24GenAI coding agents normally prompt before running shell commands or editing files. Vendor-supplied bypass flags remove
25those controls entirely or auto-approve all tool calls. On a networked host this materially increases blast radius from
26prompt injection, poisoned MCP servers, malicious project configs, and autonomous agent workflows.
27
28### Possible investigation steps
29
30- Identify which GenAI tool and bypass flag were used from `process.command_line` and `process.executable`.
31- Determine whether the session was intentional (CI/CD, isolated lab VM) or an interactive developer workstation.
32- Review child processes spawned after startup for credential access, network exfiltration, or persistence.
33- Check for recent GenAI config changes (MCP servers, skills, `.claude/settings.json`, `~/.codex/config.toml`).
34- Correlate with other GenAI-related alerts on the same host and user.
35
36### False positive analysis
37
38- Deliberate use in approved sandbox/CI images with no outbound network access.
39- Internal automation scripts that wrap GenAI CLIs with bypass flags; scope exceptions by host or user group.
40- Each matching process start produces one alert; habitual bypass use in CI or developer workflows may need host or user exceptions.
41
42### Response and remediation
43
44- Remove bypass flags from scripts, shell profiles, and CI job definitions; use default or plan-only permission modes.
45- Rotate API keys and cloud credentials accessible to the user account that ran the agent.
46- Audit GenAI tool configs and MCP servers loaded during the session.
47- Restrict GenAI agent usage policies to disallow permission bypass on production endpoints.
48"""
49references = [
50 "https://code.claude.com/docs/en/permission-modes",
51 "https://developers.openai.com/codex/cli/reference",
52 "https://developers.openai.com/codex/agent-approvals-security",
53 "https://google-gemini.github.io/gemini-cli/docs/get-started/configuration.html",
54 "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code/",
55]
56risk_score = 47
57rule_id = "c1326e45-6d3c-4a2d-9882-606a0c310299"
58severity = "medium"
59tags = [
60 "Domain: Endpoint",
61 "OS: Linux",
62 "OS: macOS",
63 "OS: Windows",
64 "Use Case: Threat Detection",
65 "Tactic: Defense Evasion",
66 "Data Source: Elastic Defend",
67 "Resources: Investigation Guide",
68 "Domain: LLM",
69]
70timestamp_override = "event.ingested"
71type = "eql"
72
73query = '''
74process where event.type == "start" and event.action in ("exec", "start") and
75(
76 (
77 process.args in (
78 "--dangerously-skip-permissions",
79 "--allow-dangerously-skip-permissions",
80 "--permission-mode=bypassPermissions"
81 ) or
82 (process.args == "--permission-mode" and process.args == "bypassPermissions")
83 ) and
84 (
85 process.name in ("claude", "claude.exe") or
86 process.executable : (
87 "*/.local/share/claude/versions/*",
88 "*/.claude/downloads/*",
89 "*Caskroom/claude-code/*",
90 "*\\Claude\\versions\\*"
91 ) or
92 (process.name in ("node", "node.exe") and process.args : "*@anthropic-ai/claude-code*")
93 )
94) or
95(
96 (
97 process.args in ("--dangerously-bypass-approvals-and-sandbox", "--full-auto", "--yolo") or
98 process.command_line : (
99 "* -s danger-full-access*",
100 "*--sandbox danger-full-access*",
101 "*--sandbox=danger-full-access*",
102 "*--ask-for-approval never*",
103 "*--ask-for-approval=never*"
104 )
105 ) and
106 (
107 process.name in (
108 "codex", "codex.exe", "codex-exec",
109 "codex-aarch64-apple-darwin", "codex-x86_64-apple-darwin",
110 "codex-linux-arm64", "codex-linux-x64"
111 ) or
112 (process.name in ("node", "node.exe") and process.args : ("*@openai/codex*", "*/codex", "*\\codex*"))
113 )
114) or
115(
116 (
117 process.args in ("--yolo", "-y") or
118 (process.args == "--approval-mode" and process.args == "yolo") or
119 process.args == "--approval-mode=yolo"
120 ) and
121 (
122 process.name in ("gemini", "gemini-cli", "gemini.exe", "gemini-cli.exe") or
123 (process.name in ("node", "node.exe") and process.args : ("*@google/gemini-cli*", "*/gemini", "*\\gemini*"))
124 )
125) or
126(
127 (
128 process.args in (
129 "--yolo",
130 "--autopilot",
131 "--allow-all",
132 "--allow-all-tools",
133 "--allow-all-paths",
134 "--allow-all-urls"
135 )
136 ) and
137 (
138 process.name in ("copilot", "copilot.exe") or
139 (process.name in ("node", "node.exe") and process.args : ("*@github/copilot*", "*/copilot", "*\\copilot*"))
140 )
141) or
142(
143 process.args == "--dangerously-skip-permissions" and
144 (
145 process.name in ("opencode", "opencode.exe", ".opencode") or
146 process.executable : ("*opencode-ai*", "*\\.opencode*") or
147 (process.name in ("node", "node.exe") and process.args : ("*opencode-ai*", "*/opencode", "*\\opencode*"))
148 )
149)
150'''
151
152
153[[rule.threat]]
154framework = "MITRE ATT&CK"
155[[rule.threat.technique]]
156id = "T1562"
157name = "Impair Defenses"
158reference = "https://attack.mitre.org/techniques/T1562/"
159[[rule.threat.technique.subtechnique]]
160id = "T1562.001"
161name = "Disable or Modify Tools"
162reference = "https://attack.mitre.org/techniques/T1562/001/"
163
164
165
166[rule.threat.tactic]
167id = "TA0005"
168name = "Defense Evasion"
169reference = "https://attack.mitre.org/tactics/TA0005/"
Triage and analysis
Investigating GenAI CLI Started with Unsafe Permission Bypass
GenAI coding agents normally prompt before running shell commands or editing files. Vendor-supplied bypass flags remove those controls entirely or auto-approve all tool calls. On a networked host this materially increases blast radius from prompt injection, poisoned MCP servers, malicious project configs, and autonomous agent workflows.
Possible investigation steps
- Identify which GenAI tool and bypass flag were used from
process.command_lineandprocess.executable. - Determine whether the session was intentional (CI/CD, isolated lab VM) or an interactive developer workstation.
- Review child processes spawned after startup for credential access, network exfiltration, or persistence.
- Check for recent GenAI config changes (MCP servers, skills,
.claude/settings.json,~/.codex/config.toml). - Correlate with other GenAI-related alerts on the same host and user.
False positive analysis
- Deliberate use in approved sandbox/CI images with no outbound network access.
- Internal automation scripts that wrap GenAI CLIs with bypass flags; scope exceptions by host or user group.
- Each matching process start produces one alert; habitual bypass use in CI or developer workflows may need host or user exceptions.
Response and remediation
- Remove bypass flags from scripts, shell profiles, and CI job definitions; use default or plan-only permission modes.
- Rotate API keys and cloud credentials accessible to the user account that ran the agent.
- Audit GenAI tool configs and MCP servers loaded during the session.
- Restrict GenAI agent usage policies to disallow permission bypass on production endpoints.
References
Related rules
- GenAI Process Compiling or Generating Executables
- GenAI Process Performing Encoding/Chunking Prior to Network Activity
- GenAI Process Accessing Sensitive Files
- Unusual Process Modifying GenAI Configuration File
- Long Base64 Encoded Command via Scripting Interpreter