From be80d7f2be60d975fe4919d05f946d5bf7d5160d Mon Sep 17 00:00:00 2001 From: "Mika Ayenson, PhD" Date: Wed, 22 Apr 2026 11:34:10 -0500 Subject: [PATCH] [Rule Tuning] Additional GenAI context for Domains & Cred File Access (#5958) --- ...mmand_and_control_common_llm_endpoint.toml | 106 +++++++++++++++++- ...s_genai_process_sensitive_file_access.toml | 49 ++++---- 2 files changed, 127 insertions(+), 28 deletions(-) diff --git a/rules/cross-platform/command_and_control_common_llm_endpoint.toml b/rules/cross-platform/command_and_control_common_llm_endpoint.toml index 480563b94..2008d6138 100644 --- a/rules/cross-platform/command_and_control_common_llm_endpoint.toml +++ b/rules/cross-platform/command_and_control_common_llm_endpoint.toml @@ -2,8 +2,7 @@ creation_date = "2025/09/01" integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] maturity = "production" -updated_date = "2026/04/07" - +updated_date = "2026/04/21" [rule] author = ["Elastic"] @@ -17,7 +16,7 @@ index = [ "logs-endpoint.events.network-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*", - "winlogbeat-*" + "winlogbeat-*", ] language = "eql" license = "Elastic License v2" @@ -103,11 +102,12 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null "generativelanguage.googleapis.com", "api.azure.com", "api.bedrock.aws", - "bedrock-runtime.amazonaws.com", + "bedrock-runtime.*.amazonaws.com", // Hugging Face & other ML infra "api-inference.huggingface.co", "inference-endpoint.huggingface.cloud", + "router.huggingface.co", "*.hf.space", "*.replicate.com", "api.replicate.com", 
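Review bot: In the `@@ -103,11 +102,12 @@` hunk, the new `"bedrock-runtime.*.amazonaws.com"` entry still requires the exact first label `bedrock-runtime`. Regional FIPS hosts (`bedrock-runtime-fips.<region>.amazonaws.com`) and the agent runtime (`bedrock-agent-runtime.<region>.amazonaws.com`) would therefore not match. If those are in scope, adding `"bedrock-*.*.amazonaws.com",` would cover them; otherwise a short comment next to the entry stating that only the inference runtime is intended would make the gap explicit. The operator applied to this list sits outside the hunk, so confirm it is wildcard-capable; the existing `"*.hf.space"` entry suggests it is.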
@@ -116,6 +116,99 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null "api.modal.com", "*.forefront.ai", + "api.arcee.ai", + "api.sambanova.ai", + "chatapi.akash.network", + "api.reka.ai", + "api.cerebras.ai", + "api.morphllm.com", + "openrouter.ai", + "api.moonshot.cn", + "api.moonshot.ai", + "api.z.ai", + "api.inference.wandb.ai", + "trace.wandb.ai", + "api.bfl.ai", + "api.eu.bfl.ai", + "api.us.bfl.ai", + "api.ionstream.ai", + "api.minimax.io", + "api.minimaxi.com", + "api.stepfun.ai", + "api.stepfun.com", + "api.featherless.ai", + "api.intelligence.io.solutions", + "api.fireworks.ai", + "inference.baseten.co", + "api.baseten.co", + "api.gmi-serving.com", + "api.ncompass.tech", + "api.nextbit256.com", + "api.hyperbolic.xyz", + "neuro.mancer.tech", + "managed-inference-api-proxy.crusoecloud.com", + "api.crusoe.ai", + "api.avian.io", + "api.siliconflow.cn", + "api.totalgpt.ai", + "switchpoint.dev", + "api.novita.ai", + "api.inflection.ai", + "api.wavespeed.ai", + "api.cloud.mara.com", + "api.inference.net", + "api.deepinfra.com", + "api.xiaomimimo.com", + "dashscope.aliyuncs.com", + "dashscope-intl.aliyuncs.com", + "dashscope-us.aliyuncs.com", + "integrate.api.nvidia.com", + "api.inceptionlabs.ai", + "api.friendli.ai", + "external.api.recraft.ai", + "api.cloudflare.com", + "gateway.ai.cloudflare.com", + "api.studio.nebius.ai", + "api.tokenfactory.nebius.com", + "api.aionlabs.ai", + "api.relace.run", + "instantapply.endpoint.relace.run", + "ranker.endpoint.relace.run", + "embeddings.endpoint.relace.run", + "console-api.inference.ai", + "api.parasail.io", + "api.redpill.ai", + "api.modular.com", + "ark.cn-beijing.volces.com", + "ark.ap-southeast.bytepluses.com", + "ai2endpoints.cirrascale.ai", + "aisuite.cirrascale.com", + "api.clarifai.com", + "api.venice.ai", + "api.atlascloud.ai", + "wanqing.streamlakeapi.com", + "api.ambient.xyz", + "api.upstage.ai", + "api.together.xyz", + "api.inceptron.io", + "chutes.ai", + 
"aiplatform.googleapis.com", + "portal.nousresearch.com", + "inference-api.nousresearch.com", + "api.githubcopilot.com", + "ai-gateway.vercel.sh", + "opencode.ai", + "api.kilo.ai", + "qianfan.baidubce.com", + "hunyuan.tencentcloudapi.com", + "open.bigmodel.cn", + "spark-api-open.xf-yun.com", + "api.sensenova.cn", + "api.baichuan-ai.com", + "api-inference.modelscope.cn", + "api.lingyiwanwu.com", + "api.360.cn", + // Consumer-facing AI chat portals "chat.openai.com", "chatgpt.com", @@ -151,18 +244,19 @@ network where host.os.type in ("macos", "windows") and dns.question.name != null [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1102" name = "Web Service" reference = "https://attack.mitre.org/techniques/T1102/" - [[rule.threat.technique.subtechnique]] id = "T1102.002" name = "Bidirectional Communication" reference = "https://attack.mitre.org/techniques/T1102/002/" + + [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml index ad9183c5d..0fd82fbd9 100644 --- a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml +++ b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml @@ -2,7 +2,7 @@ creation_date = "2025/12/04" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/04/21" [rule] author = ["Elastic"] 
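Review bot: Two entries added in the `@@ -116,6 +116,99 @@` hunk look mis-scoped for a DNS-based LLM endpoint rule. `"api.cloudflare.com"` is Cloudflare's general management API (presumably listed for Workers AI), and a DNS question name cannot separate AI calls from any other use of that host, so every non-excluded process that talks to Cloudflare would alert. Consider keeping only `"gateway.ai.cloudflare.com"`, or add a comment such as `// api.cloudflare.com also serves non-AI management traffic; expect noise`. `"aiplatform.googleapis.com"` matches only the global host, while Vertex AI is commonly reached through regional hosts of the form `<region>-aiplatform.googleapis.com`; `"*aiplatform.googleapis.com",` would mirror the Bedrock wildcard change made earlier in this patch. The process exclusions that bound the false-positive impact are outside this hunk and should be checked against the new list.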
@@ -10,7 +10,8 @@ description = """ Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs -(.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented. +(.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are +not yet implemented. """ from = "now-9m" index = ["logs-endpoint.events.file*"] 
@@ -80,26 +81,31 @@ file where event.action in ("open", "creation", "modification") and event.outcom // GenAI process ( - process.name in ( - "ollama.exe", "ollama", "Ollama", + process.name in~ ( + "ollama.exe", "ollama", "textgen.exe", "textgen", "text-generation-webui.exe", "oobabooga.exe", "lmstudio.exe", "lmstudio", "LM Studio", - "claude.exe", "claude", "Claude", - "cursor.exe", "cursor", "Cursor", - "copilot.exe", "copilot", "Copilot", + "claude.exe", "claude", + "cursor.exe", "cursor", + "copilot.exe", "copilot", "codex.exe", "codex", - "Jan", "jan.exe", "jan", - "gpt4all.exe", "gpt4all", "GPT4All", - "gemini-cli.exe", "gemini-cli", + "jan.exe", "jan", + "gpt4all.exe", "gpt4all", + "gemini-cli.exe", "gemini-cli", "gemini.exe", "genaiscript.exe", "genaiscript", "grok.exe", "grok", "qwen.exe", "qwen", - "koboldcpp.exe", "koboldcpp", "KoboldCpp", - "llama-server", "llama-cli" + "koboldcpp.exe", "koboldcpp", + "llama-server", "llama-cli", + "windsurf.exe", "windsurf", + "zed.exe", "zed", + "opencode.exe", "opencode", + "goose.exe", "goose" ) or - // OpenClaw/Moltbot/Clawdbot via Node.js - (process.name in ("node", "node.exe") and - process.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*")) + // OpenClaw/Moltbot/Clawdbot family via Node.js + (process.name in~ ("node", "node.exe") and + process.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*", + "*nemoclaw*", "*nanoclaw*", "*picoclaw*")) ) and // Sensitive file paths 
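Review bot: The new `"gemini.exe"` entry has no extensionless counterpart, unlike every other pair in the list, so a binary named `gemini` on macOS or Linux would not match; the line could read `"gemini-cli.exe", "gemini-cli", "gemini.exe", "gemini",`. The Node.js clause matches only the claw-family strings, so any listed CLI that actually runs under `node` would be missed by `process.name` alone. If that applies to tools such as gemini-cli or opencode (worth confirming against telemetry), their names belong in the `process.command_line like~` list too. Short generic names added here (`zed`, `goose`) also match unrelated binaries of the same name, which deserves a line in the rule's false-positive notes. The enclosing query starts and ends outside this hunk.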
@@ -139,54 +145,53 @@ file where event.action in ("open", "creation", "modification") and event.outcom [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1552" name = "Unsecured Credentials" reference = "https://attack.mitre.org/techniques/T1552/" - [[rule.threat.technique.subtechnique]] id = "T1552.001" name = "Credentials In Files" reference = "https://attack.mitre.org/techniques/T1552/001/" + [[rule.threat.technique]] id = "T1555" name = "Credentials from Password Stores" reference = "https://attack.mitre.org/techniques/T1555/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1005" name = "Data from Local System" reference = "https://attack.mitre.org/techniques/T1005/" + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" + + [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" +