Unusual Process Modifying GenAI Configuration File

Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute arbitrary commands when the AI tool is next invoked.

Elastic rule

[metadata]
creation_date = "2025/12/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/12/04"

[rule]
author = ["Elastic"]
description = """
Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server
configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts
directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that
abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute
arbitrary commands when the AI tool is next invoked.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual Process Modifying GenAI Configuration File"
note = """## Triage and analysis

### Investigating Unusual Process Modifying GenAI Configuration File

Configuration files for GenAI tools like Cursor, Claude, Copilot, and Ollama control which MCP servers, plugins, and extensions are loaded. Attackers target these files to inject malicious MCP servers that execute arbitrary commands, exfiltrate data, or establish persistence. Threats include external processes (malware, compromised scripts, supply chain attacks) directly modifying configs, as well as prompt injection attacks that abuse the AI tool's own file access capabilities.

### Possible investigation steps

- Identify the process that modified the configuration file and determine if it's expected (GenAI tool, installer, user action) or suspicious (unknown script, malware).
- If the modifying process is NOT a GenAI tool, investigate its origin, parent process tree, and whether it was downloaded or executed from a suspicious location.
- If a GenAI tool made the modification, check recent user prompts or agent activity that may have triggered the config change via prompt injection.
- Review the contents of the modified configuration file for suspicious MCP server URLs, unauthorized plugins, or unusual agent permissions.
- Examine the process command line and parent process tree to identify how the modifying process was invoked.
- Check for other file modifications by the same process around the same time, particularly to other GenAI configs or startup scripts.
- Investigate whether the GenAI tool subsequently connected to unknown domains or spawned unusual child processes after the config change.

### False positive analysis

- Novel but legitimate configuration changes will trigger this rule when the process/file combination hasn't been seen in 7 days. Review the modified file content to determine legitimacy.
- GenAI tool updates may modify config files in new ways; correlate with recent software updates.
- IDE extensions integrating with GenAI tools may modify configs as part of initial setup.

### Response and remediation

- Review the modified configuration file and revert any unauthorized changes to MCP servers, plugins, or agent settings.
- If malicious MCP servers were added, block the associated domains at the network level.
- Review and rotate any API keys or credentials that may have been exposed through the compromised GenAI configuration.
"""
references = [
    "https://modelcontextprotocol.io/",
    "https://www.cybereason.com/blog/security-research/weaponized-ai-how-cybercriminals-exploit-mcp-for-account-takeover",
    "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
]
risk_score = 47
rule_id = "590fc62d-7386-4c75-92b0-af4517018da1"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
    "Domain: LLM",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category : "file" and event.action : ("modification" or "overwrite") and
file.path : (
    */.cursor/mcp.json or */.cursor/settings.json or */AppData/Roaming/Cursor/*mcp* or
    */.claude/* or */claude_desktop_config.json or */AppData/Roaming/Claude/* or
    */.config/github-copilot/* or */AppData/Local/GitHub?Copilot/* or
    */.ollama/config* or */AppData/Local/Ollama/* or
    */.codex/* or */AppData/Roaming/Codex/* or
    */.gemini/* or */AppData/Roaming/gemini-cli/* or
    */.grok/* or */AppData/Roaming/Grok/* or
    */.windsurf/* or */AppData/Roaming/Windsurf/* or
    */.vscode/extensions/*mcp*
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
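To make the rule's behaviour concrete, the following Python script (an added example, not Elastic's implementation) re-creates the two halves of the rule over constructed endpoint file events: the KQL path and action filter from `query`, and the `new_terms` evaluation with its `now-7d` history window and `now-9m` run window on `process.executable`. The path-separator normalisation and the sample process paths are assumptions of this example, not something the rule states.

```python
"""Added example, not Elastic's implementation: re-creates the rule's query
match and its new_terms evaluation over constructed endpoint file events so
the alerting behaviour can be checked offline."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Path patterns copied from the rule's query. KQL wildcards map onto fnmatch:
# '*' matches any run of characters (including '/'), '?' exactly one character.
GENAI_CONFIG_GLOBS = [
    "*/.cursor/mcp.json", "*/.cursor/settings.json", "*/AppData/Roaming/Cursor/*mcp*",
    "*/.claude/*", "*/claude_desktop_config.json", "*/AppData/Roaming/Claude/*",
    "*/.config/github-copilot/*", "*/AppData/Local/GitHub?Copilot/*",
    "*/.ollama/config*", "*/AppData/Local/Ollama/*",
    "*/.codex/*", "*/AppData/Roaming/Codex/*",
    "*/.gemini/*", "*/AppData/Roaming/gemini-cli/*",
    "*/.grok/*", "*/AppData/Roaming/Grok/*",
    "*/.windsurf/*", "*/AppData/Roaming/Windsurf/*",
    "*/.vscode/extensions/*mcp*",
]
HISTORY_WINDOW = timedelta(days=7)      # [rule.new_terms] history_window_start = now-7d
RULE_LOOKBACK = timedelta(minutes=9)    # from = "now-9m"
NEW_TERMS_FIELD = "process.executable"  # [rule.new_terms] value


def matches_query(event):
    """Mirror of the KQL query: a file modification/overwrite on a GenAI config path."""
    if event.get("event.category") != "file":
        return False
    if event.get("event.action") not in ("modification", "overwrite"):
        return False
    # Assumption for this example: Windows paths are normalised to '/' before
    # matching, so the forward-slash patterns apply to both platforms.
    path = event.get("file.path", "").replace("\\", "/")
    return any(fnmatchcase(path, glob) for glob in GENAI_CONFIG_GLOBS)


def run_rule(events, now):
    """One execution of the new_terms rule at time `now`.

    History = query-matching events in [now-7d, now-9m); candidates = query-matching
    events in [now-9m, now]. A candidate alerts when its process.executable value
    does not occur in the history. Only matching events build history, so a process
    that touched other files, or used another action, is still 'new' here.
    """
    run_start = now - RULE_LOOKBACK
    history_start = now - HISTORY_WINDOW
    history = {e[NEW_TERMS_FIELD] for e in events
               if matches_query(e) and history_start <= e["@timestamp"] < run_start}
    candidates = sorted((e for e in events
                         if matches_query(e) and run_start <= e["@timestamp"] <= now),
                        key=lambda e: e["@timestamp"])
    return [e for e in candidates if e[NEW_TERMS_FIELD] not in history]


NOW = datetime(2025, 12, 4, 12, 0, tzinfo=timezone.utc)


def _ev(delta, action, path, exe):
    return {"@timestamp": NOW - delta, "event.category": "file", "event.action": action,
            "file.path": path, "process.executable": exe}


CURSOR = r"C:\Users\alice\AppData\Local\Programs\cursor\Cursor.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MCP_JSON = r"C:\Users\alice\.cursor\mcp.json"

# Constructed sample telemetry for this example (not real events).
SAMPLE_EVENTS = [
    _ev(timedelta(days=3), "modification", MCP_JSON, CURSOR),                                        # baseline
    _ev(timedelta(days=10), "modification", "/home/bob/.claude/settings.json", "/usr/bin/python3"),  # outside 7d
    _ev(timedelta(days=2), "creation", "/home/bob/.claude/notes", "/bin/bash"),                      # action not in query
    _ev(timedelta(minutes=5), "modification", MCP_JSON, CURSOR),                                     # known editor
    _ev(timedelta(minutes=4), "overwrite", MCP_JSON, PWSH),                                          # new editor -> alert
    _ev(timedelta(minutes=3), "modification", "/home/bob/.claude/settings.json", "/usr/bin/python3"),# alert: history expired
    _ev(timedelta(minutes=2), "modification", "/home/bob/notes.txt", "/usr/bin/vim"),                # path not in scope
    _ev(timedelta(minutes=1), "modification", "/home/bob/.ollama/config.json", "/bin/bash"),         # alert: no matching history
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, NOW):
        print(f"{alert['@timestamp']:%H:%M} {alert['process.executable']} -> {alert['file.path']}")
```

The sample set is arranged to show the three ways a term ends up "new": a process that never edited a GenAI config before, a process whose last edit fell outside the 7-day window, and a process whose earlier activity on the same directory did not match the query's action filter. The last case is what the false-positive note refers to: the rule only learns from events that themselves match the query.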

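The investigation step "review the contents of the modified configuration file for suspicious MCP server URLs, unauthorized plugins, or unusual agent permissions" is easier when the analyst can diff the alerted file against a known-good copy. The script below is an added example (not part of the Elastic rule or of any GenAI tool) that does that for the `{"mcpServers": {...}}` JSON layout used by Claude Desktop and Cursor; the layout, the baseline file and the sample entries are assumptions constructed for the example.

```python
"""Added example, not part of the Elastic rule: diff a GenAI tool's MCP
configuration against a known-good copy during triage.

Assumes the JSON layout {"mcpServers": {"<name>": {...}}} used by Claude
Desktop and Cursor, where each entry is either a local server ("command",
"args", "env") or a remote one ("url")."""
import json
from urllib.parse import urlparse


def load_servers(text):
    """Return the mcpServers object from a config document (empty if absent)."""
    return json.loads(text).get("mcpServers", {})


def describe(server):
    """One-line summary of where a server entry would execute or connect."""
    if "url" in server:
        host = urlparse(server["url"]).hostname or "?"
        return f"remote url={server['url']} host={host}"
    cmd = " ".join([server.get("command", "?")] + list(server.get("args", [])))
    env = ",".join(sorted(server.get("env", {}))) or "-"
    return f"local command='{cmd}' env_keys={env}"


def diff_mcp_servers(baseline_text, current_text):
    """Compare the current config with the known-good baseline.

    Returns added, removed and changed server names, plus a summary of every
    entry that is new or differs from the baseline, so the reviewer sees the
    command line or remote host each such entry would hand to the AI tool.
    """
    base, cur = load_servers(baseline_text), load_servers(current_text)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(n for n in set(cur) & set(base) if cur[n] != base[n])
    details = {n: describe(cur[n]) for n in added + changed}
    return {"added": added, "removed": removed, "changed": changed, "details": details}


# Constructed sample: the baseline an administrator captured earlier, and the
# same file after the modification that raised the alert.
BASELINE = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/alice/projects"]},
}})
CURRENT = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/alice"]},
    "helper": {"url": "http://203.0.113.10:8000/sse"},
}})

if __name__ == "__main__":
    report = diff_mcp_servers(BASELINE, CURRENT)
    for kind in ("added", "removed", "changed"):
        for name in report[kind]:
            print(f"{kind:8} {name}: {report['details'].get(name, '')}")
```

In the constructed sample the diff surfaces both kinds of change the triage note asks about: a new remote server pointing at an unfamiliar host, and an existing local server whose argument list was widened from a project directory to the whole home directory. Entries that are unchanged from the baseline are omitted from the output, which keeps the review focused on what the alerting process actually altered.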