diff --git a/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml b/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
new file mode 100644
index 000000000..9bf079851
--- /dev/null
+++ b/rules/cross-platform/initial_access_elastic_defend_alert_genai_utility_descendant.toml
@@ -0,0 +1,113 @@
+[metadata]
+creation_date = "2026/02/27"
+maturity = "production"
+min_stack_comments = "ES|QL inline stats became generally available in 9.3.0 and MV_INTERSECTION is in preview since 9.3."
+min_stack_version = "9.3.0"
+updated_date = "2026/02/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects Elastic Defend alerts (behavior, malicious file, memory signature, shellcode) where the alerted process or its
+direct parent is a GenAI coding or assistant utility (e.g. Cursor, Claude, Windsurf, Cody, Continue, Aider, OpenClaw,
+Moltbot, Clawdbot, Codeium, Tabnine, GitHub Copilot). Activity from these tools can indicate prompt injection,
+malicious skills, or supply-chain abuse; this Higher-Order rule helps prioritize such alerts for triage.
+"""
+from = "now-9m"
+interval = "5m"
+language = "esql"
+license = "Elastic License v2"
+name = "Elastic Defend Alert from GenAI Utility or Descendant"
+note = """## Triage and analysis
+
+### Investigating Elastic Defend Alert from GenAI Utility or Descendant
+
+Elastic Defend has raised an alert on a process that is either a GenAI coding/assistant application or a direct child of one. This can indicate prompt injection, malicious extension/skill execution, or abuse of AI-assisted development tools (e.g. fake VS Code extensions, malicious ClawHub skills).
+
+### Possible investigation steps
+
+- Identify the GenAI utility by looking for a process with an entity_id in Esql.genai_ancestor_ids
+- Review the alert rule name and message to understand what behavior was detected (e.g. script execution, network, file write).
+- Inspect process_command_line and parent command lines for download-and-execute, encoded commands, or suspicious arguments.
+- Correlate with the same host and user for other alerts or with network/DNS for C2 or exfiltration.
+- If the tool is Cursor/VS Code: check for recently installed extensions.
+- If OpenClaw/Moltbot/Clawdbot: review installed skills and conversation history for prompt injection or malicious skill execution.
+
+### False positive analysis
+
+- Legitimate use of GenAI tools (e.g. running builds, package installs, or approved scripts) can trigger behavior rules. Tune by excluding known-safe rule names or process command-line patterns, or limit to higher-severity alerts.
+- Approved automation or CI that runs under a GenAI-related process may need to be allowlisted.
+
+### Response and remediation
+
+- If abuse is confirmed: disable or restrict the GenAI tool, remove malicious extensions/skills, rotate any exposed API keys or credentials, and block IOCs at network/EDR level.
+"""
+references = [
+ "https://attack.mitre.org/techniques/T1059/",
+ "https://attack.mitre.org/techniques/T1195/002/",
+]
+risk_score = 99
+rule_id = "d4e5f6a7-b8c9-7d0e-1f2a-3b4c5d6e7f8a"
+severity = "critical"
+tags = [
+ "Domain: Endpoint",
+ "Domain: LLM",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Rule Type: Higher-Order Rule",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-endpoint.alerts-*, logs-endpoint.events.process-* metadata _id, _version, _index
+| EVAL is_genai_spawn = TO_LOWER(process.parent.name) IN (
+ "claude", "claude.exe", "cursor", "cursor.exe", "cursor helper", "cursor helper (plugin)",
+ "codex", "codex.exe", "cody", "cody.exe", "copilot", "copilot.exe", "gemini-cli", "gemini-cli.exe",
+ "openai", "openai.exe", "ollama", "ollama.exe", "llm", "llm.exe",
+ "aider", "aider.exe", "cline", "cline.exe", "continue", "continue.exe",
+ "zed", "zed.exe", "windsurf", "windsurf.exe",
+ "tabnine", "tabnine.exe", "codeium", "codeium.exe", "bolt", "bolt.exe",
+ "devin", "devin.exe", "replit", "replit.exe", "ghostwriter", "ghostwriter.exe", "bito", "bito.exe"
+ ),
+ is_openclaw_spawn = process.parent.name in ("node", "node.exe") and
 (process.parent.command_line like "*openclaw*" or process.parent.command_line like "*moltbot*" or process.parent.command_line like "*clawdbot*")
+| WHERE process.Ext.ancestry IS NOT NULL and
+ (event.dataset == "endpoint.alerts" or is_genai_spawn or is_openclaw_spawn)
+// Identify GenAI tool spawn events and capture their entity_ids
+| EVAL genai_entity_id = CASE(is_genai_spawn or is_openclaw_spawn, process.parent.entity_id, NULL)
+
+// Collect ALL GenAI entity_ids globally across the dataset
+| INLINE STATS
+ all_genai_entity_ids = VALUES(genai_entity_id) WHERE genai_entity_id IS NOT NULL
+// Find which GenAI entity_ids appear in this process's ancestry
+| EVAL Esql.genai_ancestor_ids = MV_INTERSECTION(all_genai_entity_ids, process.Ext.ancestry)
+
+// Elastic Defend alerts from a GenAI grandparent
+| WHERE Esql.genai_ancestor_ids IS NOT NULL
+ AND event.dataset == "endpoint.alerts" AND not rule.name in (
+ "Persistence via GenAI Tool",
+ "Code Editor Untrusted or Unsigned Child Process Execution",
+ "Suspicious Credential Access via GenAI Tool",
+ "Credential Access via GenAI Tool Descendant"
+ )
+
+| KEEP *
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
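Review bot: The is_openclaw_spawn predicate in the query is case-sensitive while is_genai_spawn is not: `process.parent.name in ("node", "node.exe")` has no TO_LOWER and the three LIKE patterns on process.parent.command_line are compared case-sensitively in ES|QL, so a parent reported as `Node.exe` or a command line containing `OpenClaw` is not matched, whereas the first list is lowercased before comparison. Consider `is_openclaw_spawn = TO_LOWER(process.parent.name) IN ("node", "node.exe") AND (TO_LOWER(process.parent.command_line) LIKE "*openclaw*" OR TO_LOWER(process.parent.command_line) LIKE "*moltbot*" OR TO_LOWER(process.parent.command_line) LIKE "*clawdbot*")`. Separately, INLINE STATS collects genai_entity_id only from process events that fall inside the `from = "now-9m"` window, so an alert is presumably correlated only when the GenAI tool spawned some child within that window; a long-running tool that spawned nothing in the last nine minutes would not be recognized as an ancestor, which is worth stating in the description or addressing by widening the lookback. The description also says "the alerted process or its direct parent", but the MV_INTERSECTION against process.Ext.ancestry matches a GenAI ancestor at any depth (the query comment itself says "grandparent"), so the wording should probably say "ancestor" to match what the rule fires on.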