GenAI Process Compiling or Generating Executables

  1[metadata]
  2creation_date = "2025/12/04"
  3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "auditd_manager"]
  4maturity = "production"
  5updated_date = "2025/12/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects when GenAI tools spawn compilers or packaging tools to generate executables. Attackers leverage local LLMs to
 11autonomously generate and compile malware, droppers, or implants. Python packaging tools (pyinstaller, nuitka, pyarmor)
 12are particularly high-risk as they create standalone executables that can be deployed without dependencies. This rule
 13focuses on compilation activity that produces output binaries, filtering out inspection-only operations.
 14"""
 15from = "now-9m"
 16index = [
 17    "logs-endpoint.events.process-*",
 18    "logs-windows.sysmon_operational-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21    "logs-auditd_manager.auditd-*",
 22]
 23language = "eql"
 24license = "Elastic License v2"
 25name = "GenAI Process Compiling or Generating Executables"
 26note = """## Triage and analysis
 27
 28### Investigating GenAI Process Compiling or Generating Executables
 29
 30This rule detects GenAI tools spawning compilers or packaging tools. While developers may use GenAI to write code that they then compile, autonomous compilation by GenAI processes is unusual.
 31
 32### Possible investigation steps
 33
 34- Review the GenAI process that spawned the compiler to identify which tool is running and verify if it's an expected/authorized tool.
 35- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
 36- Review the output files created by the compilation process to identify any malicious executables.
 37- Check for other alerts or suspicious activity on the same host around the same time.
 38- Verify if the GenAI tool is from a trusted source and if it's authorized for use in your environment.
 39- Identify whether the generated executables appear in temporary directories often used for malware staging (`%TEMP%`, `/tmp`, `.cache`).
 40- Inspect the compiled artifacts for networking imports, credential harvesting functionality, or persistence mechanisms.
 41
 42### False positive analysis
 43
 44- Legitimate development workflows that use GenAI tools for code generation may trigger this rule if they compile the generated code.
 45- Some GenAI-assisted coding IDEs (Cursor, Copilot Workspace) may run compilation tasks when testing code; confirm whether the behavior is tied to developer workflow.
 46
 47### Response and remediation
 48
 49- Terminate the GenAI process and any spawned compiler processes to stop the malicious activity.
 50- Investigate the compiled executables to determine if they are malicious.
 51- Review audit logs to determine the scope of compilation activity and identify any executables that may have been created.
 52- Quarantine any compiled binaries; submit suspicious artifacts to sandbox or malware analysis.
 53"""
 54references = [
 55    "https://atlas.mitre.org/techniques/AML.T0053",
 56    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 57]
 58risk_score = 47
 59rule_id = "b2c3d4e5-f6a7-8901-bcde-f123456789ab"
 60severity = "medium"
 61tags = [
 62    "Domain: Endpoint",
 63    "OS: Linux",
 64    "OS: macOS",
 65    "OS: Windows",
 66    "Use Case: Threat Detection",
 67    "Tactic: Execution",
 68    "Tactic: Defense Evasion",
 69    "Data Source: Elastic Defend",
 70    "Data Source: Sysmon",
 71    "Data Source: Auditd Manager",
 72    "Data Source: Microsoft Defender for Endpoint",
 73    "Data Source: SentinelOne",
 74    "Resources: Investigation Guide",
 75    "Domain: LLM",
 76    "Mitre Atlas: T0053",
 77]
 78timestamp_override = "event.ingested"
 79type = "eql"
 80
 81query = '''
 82process where event.type == "start" and
 83
 84  // GenAI parent process
 85  (
 86    process.parent.name in (
 87      "ollama.exe", "ollama", "Ollama",
 88      "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
 89      "lmstudio.exe", "lmstudio", "LM Studio",
 90      "claude.exe", "claude", "Claude",
 91      "cursor.exe", "cursor", "Cursor", "Cursor Helper", "Cursor Helper (Plugin)",
 92      "copilot.exe", "copilot", "Copilot",
 93      "codex.exe", "codex",
 94      "Jan", "jan.exe", "jan", "Jan Helper",
 95      "gpt4all.exe", "gpt4all", "GPT4All",
 96      "gemini-cli.exe", "gemini-cli",
 97      "genaiscript.exe", "genaiscript",
 98      "grok.exe", "grok",
 99      "qwen.exe", "qwen",
100      "koboldcpp.exe", "koboldcpp", "KoboldCpp",
101      "llama-server", "llama-cli"
102    ) or
103    
104    // Node/Deno with GenAI frameworks
105    (process.parent.name in ("node.exe", "node", "deno.exe", "deno") and
106     process.parent.command_line like~ ("*mcp-server*", "*@modelcontextprotocol*", "*langchain*", "*autogpt*", "*babyagi*", "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*", "*haystack*")) or
107    
108    // Python with GenAI frameworks
109    (process.parent.name like~ "python*" and
110     process.parent.command_line like~ ("*langchain*", "*autogpt*", "*babyagi*", "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*", "*haystack*"))
111  ) and
112
113  // Compilation tools
114  (
115    // Python packaging
116    process.name in ("pyinstaller", "py2exe", "cx_Freeze", "nuitka", "pyarmor", "pkg") or
117    
118    // C/C++ compilation with output
119    (process.name in ("gcc", "g++", "clang", "clang++", "cl.exe") and
120     process.command_line like~ "*-o *" and
121     process.command_line like~ ("*.c *", "*.c", "*.cpp *", "*.cpp", "*.cc *", "*.cc", "*.m *", "*.m") and
122     not process.command_line like~ "*git*") or
123    
124    // Go compilation
125    (process.name == "go" and process.args == "build") or
126    
127    // Rust compilation
128    (process.name == "cargo" and process.args == "build") or
129    (process.name == "rustc" and process.command_line like~ "*-o *") or
130    
131    // .NET compilation
132    process.name in ("csc.exe", "vbc.exe", "msbuild.exe") or
133    (process.name == "dotnet" and process.args == "build") or
134    
135    // Java compilation
136    process.name == "javac"
137  )
138'''
139
140
141[[rule.threat]]
142framework = "MITRE ATT&CK"
143[[rule.threat.technique]]
144id = "T1027"
145name = "Obfuscated Files or Information"
146reference = "https://attack.mitre.org/techniques/T1027/"
147[[rule.threat.technique.subtechnique]]
148id = "T1027.004"
149name = "Compile After Delivery"
150reference = "https://attack.mitre.org/techniques/T1027/004/"
151
152
153
154[rule.threat.tactic]
155id = "TA0005"
156name = "Defense Evasion"
157reference = "https://attack.mitre.org/tactics/TA0005/"