GenAI Process Performing Encoding/Chunking Prior to Network Activity

Detects when GenAI processes perform encoding or chunking (base64, gzip, tar, zip) followed by outbound network activity. This sequence indicates data preparation for exfiltration. Attackers encode or compress sensitive data before transmission to obfuscate contents and evade detection. Legitimate GenAI workflows rarely encode data before network communications.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/12/04"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2025/12/04"

[rule]
author = ["Elastic"]
description = """
Detects when GenAI processes perform encoding or chunking (base64, gzip, tar, zip) followed by outbound network
activity. This sequence indicates data preparation for exfiltration. Attackers encode or compress sensitive data before
transmission to obfuscate contents and evade detection. Legitimate GenAI workflows rarely encode data before network
communications.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.network-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "GenAI Process Performing Encoding/Chunking Prior to Network Activity"
note = """## Triage and analysis

### Investigating GenAI Process Performing Encoding/Chunking Prior to Network Activity

GenAI processes performing encoding or chunking operations followed by network activity is highly suspicious. This behavior indicates data preparation for exfiltration via GenAI prompts or agents, which is a strong indicator of malicious activity.

### Possible investigation steps

- Review the GenAI process that performed the encoding to identify which tool is running and verify if it's an expected/authorized tool.
- Examine the encoding/chunking command line arguments to understand what data is being processed.
- Review the network connection details to identify the destination and determine if it's expected.
- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
- Review the data that was encoded to determine if it contains sensitive information.
- Determine whether the encoding was initiated by a GenAI agent or automation loop rather than a user action.
- Check whether the encoded data size or entropy suggests credential files, browser data, SSH keys, or cloud tokens.
- Validate that the GenAI tool is installed from a trusted source and has not been modified.

### False positive analysis

- Legitimate data processing workflows that use GenAI tools may trigger this rule if they encode data before transmission.
- Some local developer workflows may encode files before uploading training data or embeddings; confirm whether the host is a model-development workstation.

### Response and remediation

- Terminate the GenAI process and any spawned encoding/network processes to stop the malicious activity.
- Review and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
- Investigate the encoded data and network destination to determine the scope of potential data exfiltration.
"""
references = [
    "https://atlas.mitre.org/techniques/AML.T0086",
    "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks",
    "https://www.elastic.co/security-labs/elastic-advances-llm-security",
]
risk_score = 47
rule_id = "c3d4e5f6-a7b8-9012-cdef-123456789abc"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "OS: macOS",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
    "Domain: LLM",
    "Mitre Atlas: T0086",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by process.entity_id with maxspan=30s

  // Encoding/compression followed by network activity
  [process where event.type == "start"

     // Encoding/chunking tools
     and (
       // Native encoding tools
       process.name in ("base64", "gzip", "tar", "zip", "split", "7z", "7za", "7zr") or

       // PowerShell encoding
       (process.name in ("powershell.exe", "pwsh.exe") and
        process.command_line like~ ("*Compress-Archive*", "*[Convert]::ToBase64String*")) or

       // Python encoding
       (process.name like~ "python*" and
        process.command_line like~ ("*base64*", "*gzip*", "*zlib*", "*tarfile*", "*zipfile*")) or

       // Node.js encoding
       (process.name in ("node.exe", "node") and
        process.command_line like~ ("*Buffer.from*", "*zlib*", "*gzip*") and
        not process.command_line like~ ("*mcp*start*", "*mcp-server*", "*npm exec*mcp*"))
     )

     // GenAI parent process
     and (
       process.parent.name in (
         "ollama.exe", "ollama", "Ollama",
         "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe",
         "lmstudio.exe", "lmstudio", "LM Studio",
         "claude.exe", "claude", "Claude",
         "cursor.exe", "cursor", "Cursor", "Cursor Helper", "Cursor Helper (Plugin)",
         "copilot.exe", "copilot", "Copilot",
         "codex.exe", "codex",
         "Jan", "jan.exe", "jan", "Jan Helper",
         "gpt4all.exe", "gpt4all", "GPT4All",
         "gemini-cli.exe", "gemini-cli",
         "genaiscript.exe", "genaiscript",
         "grok.exe", "grok",
         "qwen.exe", "qwen",
         "koboldcpp.exe", "koboldcpp", "KoboldCpp",
         "llama-server", "llama-cli"
       ) or

       // Node/Deno with GenAI frameworks
       (process.parent.name in ("node.exe", "node", "deno.exe", "deno") and
        process.parent.command_line like~ (
          "*ollama*", "*mcp-server*", "*@modelcontextprotocol*", "*langchain*", "*autogpt*",
          "*babyagi*", "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*",
          "*haystack*", "*openai*", "*anthropic*", "*cohere*", "*mistral*"
        )) or

       // Python with GenAI frameworks
       (process.parent.name like~ "python*" and
        process.parent.command_line like~ (
          "*ollama*", "*mcp-server*", "*langchain*", "*autogpt*", "*babyagi*",
          "*agentgpt*", "*crewai*", "*semantic-kernel*", "*llama-index*", "*haystack*",
          "*openai*", "*anthropic*", "*cohere*", "*mistral*"
        ))
     )
  ] by process.entity_id

  // Outbound network connection (non-local)
  [network where event.type == "start"
     and event.action == "connection_attempted"
     and destination.ip != null
     and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
                       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
                       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
                       "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
                       "FF00::/8")

  ] by process.entity_id
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
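
The query's join logic, replayed over constructed events as an added example (not Elastic's code and not part of the rule): it models the two sequence steps, the shared `process.entity_id` key and `maxspan=30s`, to show which event pairs the sequence matches. The event dictionaries, their field names (`kind`, `cmd`, `dst`) and the shortened name and CIDR lists are assumptions made for the illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Subsets of the rule's lists, enough to exercise each branch (not the full rule).
ENCODERS = {"base64", "gzip", "tar", "zip", "split", "7z", "7za", "7zr"}
PY_PATTERNS = ("*base64*", "*gzip*", "*zlib*", "*tarfile*", "*zipfile*")
GENAI_PARENTS = {"ollama", "Ollama", "claude", "Claude", "cursor", "Cursor", "codex"}
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1", "FE80::/10")]
MAXSPAN = 30  # seconds, as in maxspan=30s

def like(value, patterns):  # case-insensitive wildcard match, approximating EQL like~
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_encoding_start(e):  # first step: encoder child of a GenAI parent
    if e["kind"] != "process_start" or e["parent"] not in GENAI_PARENTS:
        return False
    return e["name"] in ENCODERS or (
        like(e["name"], ("python*",)) and like(e["cmd"], PY_PATTERNS))

def is_outbound(e):  # second step: connection attempt outside the excluded ranges
    return e["kind"] == "connection_attempted" and not any(
        ipaddress.ip_address(e["dst"]) in net for net in EXCLUDED)

def replay(events):
    # Join on process.entity_id: the connection must come from the encoder process itself.
    pending, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        eid = e["entity_id"]
        if is_encoding_start(e):
            pending[eid] = e["ts"]
        elif is_outbound(e) and eid in pending and e["ts"] - pending.pop(eid) <= MAXSPAN:
            hits.append(eid)
    return hits

def proc(ts, eid, name, cmd, parent):
    return dict(ts=ts, entity_id=eid, kind="process_start", name=name, cmd=cmd, parent=parent)
def conn(ts, eid, dst):
    return dict(ts=ts, entity_id=eid, kind="connection_attempted", dst=dst)

# Constructed events. 2001:db8::10 is a documentation address the rule does not exclude.
PY, DST = 'python3 -c "import base64, urllib.request"', "2001:db8::10"
EVENTS = [
    proc(0, "py-1", "python3", PY, "claude"), conn(5, "py-1", DST),    # paired
    proc(10, "b64-2", "base64", "base64 notes.txt", "claude"), conn(12, "claude-9", DST),  # entity_id differs
    proc(20, "py-3", "python3", PY, "ollama"), conn(22, "py-3", "192.168.1.5"),  # private destination
    proc(30, "py-4", "python3", PY, "cursor"), conn(75, "py-4", DST),  # 45 s exceeds maxspan
]
```

Because both steps are keyed on `process.entity_id`, `replay(EVENTS)` returns only the first pair, where the encoding process itself opens the connection.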

Triage and analysis

Investigating GenAI Process Performing Encoding/Chunking Prior to Network Activity

GenAI processes performing encoding or chunking operations followed by network activity is highly suspicious. This behavior indicates data preparation for exfiltration via GenAI prompts or agents, which is a strong indicator of malicious activity.

Possible investigation steps

  • Review the GenAI process that performed the encoding to identify which tool is running and verify if it's an expected/authorized tool.
  • Examine the encoding/chunking command line arguments to understand what data is being processed.
  • Review the network connection details to identify the destination and determine if it's expected.
  • Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.
  • Review the data that was encoded to determine if it contains sensitive information.
  • Determine whether the encoding was initiated by a GenAI agent or automation loop rather than a user action.
  • Check whether the encoded data size or entropy suggests credential files, browser data, SSH keys, or cloud tokens.
  • Validate that the GenAI tool is installed from a trusted source and has not been modified.

False positive analysis

  • Legitimate data processing workflows that use GenAI tools may trigger this rule if they encode data before transmission.
  • Some local developer workflows may encode files before uploading training data or embeddings; confirm whether the host is a model-development workstation.

Response and remediation

  • Terminate the GenAI process and any spawned encoding/network processes to stop the malicious activity.
  • Review and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.
  • Investigate the encoded data and network destination to determine the scope of potential data exfiltration.
